From a8f2c0276bb415258e686cff9377641aff6806ff Mon Sep 17 00:00:00 2001
From: Eric McGinnis
Date: Thu, 26 Oct 2023 00:15:18 +0000
Subject: [PATCH 1/2] temporary fix to contentctl.yml to support testing
---
 contentctl.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/contentctl.yml b/contentctl.yml
index 51534802d4..6df1a786ee 100644
--- a/contentctl.yml
+++ b/contentctl.yml
@@ -1,4 +1,7 @@
 build:
+ #Temporary fix to support testing. The following
+ #line will be reverted soon
+ title: DA-ESS-ContentUpdate
 name: DA-ESS-ContentUpdate
 path_root: dist
 prefix: ESCU
From 196d618f2fdd20a8208378f52b893cbc120bb9c1 Mon Sep 17 00:00:00 2001
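Review bot: The comment added here promises that the `title:` line "will be reverted soon", but the second patch of this series does not revert it: its contentctl.yml hunk starts at `@@ -5,8 +5,8 @@` with `name:` as the first context line, so lines 2–4 (both comment lines and `title: DA-ESS-ContentUpdate`) are carried unchanged into the v4.15.0 release commit, as far as that hunk's context shows. Either revert the three lines in 2/2 or replace the comment with one that states why `title` is needed, so the release does not ship a self-described temporary hack. While touching it, yamllint's `comments` rule expects a space after the hash: `# Temporary fix to support testing. The following` and `# line will be reverted soon`.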
From: Bhavin Patel Date: Wed, 1 Nov 2023 19:24:56 +0000 Subject: [PATCH 2/2] Release v4.15.0 --- .gitlab-ci.yml | 11 +- contentctl | 2 +- contentctl.yml | 6 +- contentctl_test.yml | 2 +- ...ound_traffic_by_firewall_rule_registry.yml | 1 + ...cmd_carry_out_string_command_parameter.yml | 1 + ..._or_script_creation_in_suspicious_path.yml | 1 + .../firewall_allowed_program_enable.yml | 1 + ...work_connection_discovery_with_netstat.yml | 1 + .../office_application_drop_executable.yml | 1 + .../office_document_executing_macro_code.yml | 1 + ...ment_spawned_child_process_to_download.yml | 1 + .../office_product_spawn_cmd_process.yml | 1 + .../endpoint/suspicious_process_file_path.yml | 1 + ...spicious_writes_to_windows_recycle_bin.yml | 1 + ...ss_token_manipulation_sedebugprivilege.yml | 1 + ...eprincipalname_added_to_domain_account.yml | 2 +- .../windows_admin_permission_discovery.yml | 7 +- ...ws_replication_through_removable_media.yml | 1 + ...e_created_with_suspicious_service_path.yml | 1 + ..._service_creation_using_registry_entry.yml | 1 + .../windows_service_deletion_in_registry.yml | 1 + ...d_gateway_unauthorized_data_disclosure.yml | 66 + ...e_cve_2023_22515_trigger_vulnerability.yml | 8 +- ...center_and_server_privilege_escalation.yml | 18 +- ...applications_spawning_cmd_exe_browsers.yml | 57 + ...d_applications_spawning_cmd_exe_office.yml | 55 + ...plications_spawning_cmd_exe_powershell.yml | 51 + dist/DA-ESS-ContentUpdate/app.manifest | 2 +- .../default/analyticstories.conf | 2 +- dist/DA-ESS-ContentUpdate/default/app.conf | 4 +- .../default/collections.conf | 2 +- .../default/content-version.conf | 2 +- .../default/es_investigations.conf | 2 +- dist/DA-ESS-ContentUpdate/default/macros.conf | 2 +- .../default/savedsearches.conf | 2 +- .../default/transforms.conf | 2 +- .../default/workflow_actions.conf | 2 +- lookups/mitre_enrichment.csv | 1137 +++++++++-------- pipeline/.app_inspect.yml | 23 + pipeline/.generate.yml | 7 +- pipeline/.release.yml | 42 +- 
pipeline/.run_app_inspect.yml | 0
 ...applications_spawning_cmd_exe_browsers.yml | 99 ++
 ...d_applications_spawning_cmd_exe_office.yml | 100 ++
 ...plications_spawning_cmd_exe_powershell.yml | 97 ++
 ...dc_and_netscaler_gateway_cve_2023_4966.yml | 22 +
 stories/plugx.yml | 35 +
 48 files changed, 1278 insertions(+), 607 deletions(-)
 create mode 100644 detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
 create mode 100644 dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
 create mode 100644 dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
 create mode 100644 dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
 create mode 100644 pipeline/.app_inspect.yml
 delete mode 100644 pipeline/.run_app_inspect.yml
 create mode 100644 ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
 create mode 100644 ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
 create mode 100644 ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
 create mode 100644 stories/citrix_netscaler_adc_and_netscaler_gateway_cve_2023_4966.yml
 create mode 100644 stories/plugx.yml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4b89e7b9c5..186e8eae97 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,17 +1,20 @@
 default:
 image: docker-hub.repo.splunkdev.net/python:3.9
-
 stages:
 - validate
 - generate
+ - app_inspect
 - release
- - publish_build_to_pre_qa
 include:
 - local: "pipeline/.validate.yml"
 - local: "pipeline/.generate.yml"
+ - local: "pipeline/.app_inspect.yml"
 - local: "pipeline/.release.yml"
- - local: "pipeline/.publish_build_to_pre_qa.yml"
-
+workflow:
+ rules:
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ - if: $CI_COMMIT_TAG
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
\ No newline at end of file
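Review bot: Removing the `publish_build_to_pre_qa` stage and its `include:` entry leaves `pipeline/.publish_build_to_pre_qa.yml` in the tree unreferenced — the diffstat for this patch lists neither a modification nor a `delete mode` for that file, only for `pipeline/.run_app_inspect.yml`. If the pre-QA publish job is really retired, delete the file in the same commit so nobody re-includes a stale job definition; if it is only paused, a comment on the `include:` list saying so would help. Separately, the last added rule `- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule will flag.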
diff --git a/contentctl b/contentctl
index e63ed1f073..19c117e278 160000
--- a/contentctl
+++ b/contentctl
@@ -1 +1 @@
-Subproject commit e63ed1f073c7c453451ebd99f19c566389a4ebfd
+Subproject commit 19c117e278477df06daf5fcf2eec22404231cc57
diff --git a/contentctl.yml b/contentctl.yml
index 6df1a786ee..abcf6ae395 100644
--- a/contentctl.yml
+++ b/contentctl.yml
@@ -5,8 +5,8 @@ build:
 name: DA-ESS-ContentUpdate
 path_root: dist
 prefix: ESCU
- build: 16959
- version: 4.14.0
+ build: 004150
+ version: 4.15.0
 label: ES Content Updates
 author_name: Splunk Threat Research Team
 author_email: research@splunk.com
@@ -22,4 +22,4 @@ build_api:
 enrichments:
 attack_enrichment: true
 cve_enrichment: true
- splunk_app_enrichment: false
+ splunk_app_enrichment: false
\ No newline at end of file
diff --git a/contentctl_test.yml b/contentctl_test.yml
index ad6103df33..46b843fadc 100644
--- a/contentctl_test.yml
+++ b/contentctl_test.yml
@@ -1,4 +1,4 @@
-version_control_config: null
+version_control_config: {}
 infrastructure_config:
 infrastructure_type: container
 full_image_path: registry.hub.docker.com/splunk/splunk:latest
diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
index 978cd0ff78..24368ffca5 100644
--- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
+++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
@@ -30,6 +30,7 @@ tags:
 - Windows Registry Abuse
 - Azorult
 - NjRAT
+ - PlugX
 asset_type: Endpoint
 confidence: 50
 impact: 50
diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
index 9630cb7627..fdc915b0db 100644
--- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml
+++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
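Review bot: `build: 004150` is an unquoted scalar with leading zeros, so no YAML loader will keep it as written: a YAML 1.1 loader such as PyYAML reads `004150` as octal (decimal 2152), a YAML 1.2 loader reads it as decimal 4150, and in both cases the zero padding is gone — a silent change from the previous plain integer `16959`. If a zero-padded build identifier is what contentctl and the generated app.conf need, quote it, `build: "004150"`; if the field is typed as an integer in contentctl's schema, use an unpadded decimal instead, so the value that lands in the built app is the one the release notes show. The second hunk in this file only strips the trailing newline from `splunk_app_enrichment: false` (`\ No newline at end of file`); restoring the newline keeps yamllint quiet and avoids a spurious one-line diff on the next edit.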
@@ -51,6 +51,7 @@ tags: - Data Destruction - Warzone RAT - NjRAT + - PlugX asset_type: Endpoint automated_detection_testing: passed confidence: 50 diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 5f81c219c1..da5aa83f53 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -63,6 +63,7 @@ tags: - BlackByte Ransomware - Warzone RAT - NjRAT + - PlugX asset_type: Endpoint confidence: 50 impact: 40 diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml index e8113eec50..93ab2bca51 100644 --- a/detections/endpoint/firewall_allowed_program_enable.yml +++ b/detections/endpoint/firewall_allowed_program_enable.yml @@ -39,6 +39,7 @@ tags: - Azorult - BlackByte Ransomware - NjRAT + - PlugX asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml index 953f9d241a..dc6bb6292b 100644 --- a/detections/endpoint/network_connection_discovery_with_netstat.yml +++ b/detections/endpoint/network_connection_discovery_with_netstat.yml @@ -38,6 +38,7 @@ tags: - Windows Post-Exploitation - Prestige Ransomware - Volt Typhoon + - PlugX asset_type: Endpoint confidence: 50 impact: 30 diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml index 25a7435abd..a01bb5a5cc 100644 --- a/detections/endpoint/office_application_drop_executable.yml +++ b/detections/endpoint/office_application_drop_executable.yml @@ -40,6 +40,7 @@ tags: - AgentTesla - CVE-2023-21716 Word RTF Heap Corruption - Warzone RAT + - PlugX asset_type: Endpoint confidence: 80 impact: 80 
diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/office_document_executing_macro_code.yml index f5ec5dec14..242cc9161e 100644 --- a/detections/endpoint/office_document_executing_macro_code.yml +++ b/detections/endpoint/office_document_executing_macro_code.yml @@ -41,6 +41,7 @@ tags: - Qakbot - Azorult - Remcos + - PlugX asset_type: Endpoint confidence: 50 impact: 70 diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml index b013a5aa71..d56f3a5a2b 100644 --- a/detections/endpoint/office_document_spawned_child_process_to_download.yml +++ b/detections/endpoint/office_document_spawned_child_process_to_download.yml @@ -37,6 +37,7 @@ tags: analytic_story: - Spearphishing Attachments - CVE-2023-36884 Office and Windows HTML RCE Vulnerability + - PlugX asset_type: Endpoint confidence: 50 impact: 70 diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml index 9e80c568bb..1c71a989a1 100644 --- a/detections/endpoint/office_product_spawn_cmd_process.yml +++ b/detections/endpoint/office_product_spawn_cmd_process.yml @@ -49,6 +49,7 @@ tags: - CVE-2023-21716 Word RTF Heap Corruption - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - Warzone RAT + - PlugX asset_type: Endpoint confidence: 80 impact: 70 diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index d3748b72d3..1dadb429d4 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -71,6 +71,7 @@ tags: - Amadey - BlackByte Ransomware - Warzone RAT + - PlugX asset_type: Endpoint confidence: 50 impact: 70 
diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml index ad493f126c..deee52274e 100644 --- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml +++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml @@ -28,6 +28,7 @@ references: [] tags: analytic_story: - Collection and Staging + - PlugX asset_type: Windows confidence: 70 impact: 40 diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index 0b6335b6eb..a83a9a9621 100644 --- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml @@ -36,6 +36,7 @@ tags: analytic_story: - Brute Ratel C4 - AsyncRAT + - PlugX asset_type: Endpoint confidence: 60 impact: 60 diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml index 2403723a8e..4847749dbd 100644 --- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml +++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml @@ -26,7 +26,7 @@ references: - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting tags: analytic_story: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log + - Sneaky Active Directory Persistence Tricks asset_type: endpoint confidence: 50 impact: 60 diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml index c333138174..9b003cfa4e 100644 --- a/detections/endpoint/windows_admin_permission_discovery.yml 
+++ b/detections/endpoint/windows_admin_permission_discovery.yml @@ -16,7 +16,7 @@ description: This analytic is developed to identify suspicious file creation in similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets. search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") - by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guiid Filesystem.file_name Filesystem.file_path Filesystem.user + by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) @@ -26,7 +26,7 @@ search: '|tstats `security_content_summariesonly` count min(_time) as firstTime | `windows_admin_permission_discovery_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: administrator is capable of dropping files in root C drive. +known_false_positives: False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat tags: 
@@ -64,6 +64,9 @@ tags: - Filesystem.process_id - Filesystem.file_name - Filesystem.user + - Filesystem.dest + - Filesystem.process_guid + - Filesystem.file_path security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml index e26f7bd54f..d3d9632a15 100644 --- a/detections/endpoint/windows_replication_through_removable_media.yml +++ b/detections/endpoint/windows_replication_through_removable_media.yml @@ -42,6 +42,7 @@ tags: analytic_story: - Chaos Ransomware - NjRAT + - PlugX asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index 7831cd17b8..126b278491 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml @@ -34,6 +34,7 @@ tags: - Qakbot - Snake Malware - Flax Typhoon + - PlugX asset_type: Endpoint confidence: 80 impact: 70 diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index b760357b94..b787f8d8ad 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -30,6 +30,7 @@ tags: - Windows Persistence Techniques - Windows Registry Abuse - Brute Ratel C4 + - PlugX asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml index a43d35cf9d..3701013fe3 100644 --- a/detections/endpoint/windows_service_deletion_in_registry.yml +++ b/detections/endpoint/windows_service_deletion_in_registry.yml 
@@ -29,6 +29,7 @@ references:
 tags:
 analytic_story:
 - Brute Ratel C4
+ - PlugX
 asset_type: Endpoint
 confidence: 30
 impact: 60
diff --git a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
new file mode 100644
index 0000000000..c46aecafab
--- /dev/null
+++ b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
@@ -0,0 +1,66 @@
+name: Citrix ADC and Gateway Unauthorized Data Disclosure
+id: b593cac5-dd20-4358-972a-d945fefdaf17
+version: 1
+date: '2023-10-24'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source: []
+description: The following analytic detects attempts to exploit the Citrix Bleed vulnerability, which can lead to the leaking of session tokens. The vulnerability, identified as CVE-2023-4966, pertains to sensitive information disclosure in NetScaler ADC and NetScaler Gateway when set up as various server configurations. The analytic specifically searches for HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on the aforementioned criteria along with specific user agent details, HTTP method, source and destination IPs, and the sourcetype, the analytic aims to identify potentially malicious requests that fit the profile of this exploit. \
+
+ This behavior is essential for a Security Operations Center (SOC) to identify because if successfully exploited, attackers can gain unauthorized access, leading to a potential breach or further malicious activities within the organization's network. As the Citrix Bleed vulnerability can disclose session tokens, a successful exploit can allow attackers to impersonate legitimate users, bypassing authentication mechanisms and accessing sensitive data or systems. \
+
+ If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \
+
+ Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat.
Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches.
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
+ | `drop_dm_object_name("Web")`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`'
+how_to_implement: This detection requires the Web datamodel to be populated from a
+ supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk
+ for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.
+known_false_positives: False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.
+references:
+ - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
+ - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
+tags:
+ analytic_story:
+ - Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
+ asset_type: Web server
+ atomic_guid: []
+ confidence: 90
+ impact: 100
+ message: Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$.
+ mitre_attack_id:
+ - T1190
+ observable:
+ - name: dest
+ type: IP Address
+ role:
+ - Victim
+ - name: src
+ type: IP Address
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 90
+ required_fields:
+ - Web.http_user_agent
+ - Web.status
+ - Web.http_method
+ - Web.url
+ - Web.url_length
+ - Web.src
+ - Web.dest
+ - sourcetype
+ security_domain: network
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/cve-2023-4966-citrix.log
+ source: suricata
+ sourcetype: suricata
diff --git a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
index ad34e60dd7..05e6c85bd8 100644
--- a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
+++ b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
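Review bot: The `message:` value of this new detection carries a typo that will be rendered in every risk notable an analyst sees: `message: Possible exploitation of Citrix Bleed vulnerability against $dest$ from $src$.` (currently `fron`). The `description:` also says the search filters on "specific user agent details", but the `search:` only groups `by Web.http_user_agent` and filters on URL and `Web.status=200`; rewording that sentence to say the user agent is reported rather than filtered would stop responders from assuming a narrower match than the query performs. `data_source: []` is left empty although the test below ingests `suricata`; listing the sourcetype there keeps the metadata consistent with the sibling web detections, assuming the contentctl schema accepts it.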
@@ -1,18 +1,18 @@
 name: Confluence CVE-2023-22515 Trigger Vulnerability
 id: 630ea8b2-2800-4f5d-9cbc-d65c567349b0
-version: 1
-date: '2023-10-12'
+version: 2
+date: '2023-10-23'
 author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source: []
 description: The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
-search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`' how_to_implement: To successfully implement this search you need to be ingesting information - on Web traffic that include fields relavent for traffic into the `Web` datamodel. + on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv. known_false_positives: False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers. references: diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml index 0f871b5917..f702d94a68 100644 --- a/detections/web/confluence_data_center_and_server_privilege_escalation.yml +++ b/detections/web/confluence_data_center_and_server_privilege_escalation.yml 
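Review bot: The rewritten `how_to_implement` continuation line keeps the misspelling "relavent" while adding the new sentence, so it is worth fixing in the same edit: `  on Web traffic that include fields relevant for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv.` The search change itself (leading `*` wildcards on both URL patterns) is the substantive fix here and looks right; since `version:` was bumped to 2 in the hunk above, a one-line note in the description or commit text saying the wildcard fix is why would help future readers of the diff. The `known_false_positives` and `references` lines that close this block are context and run past the hunk.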
@@ -1,16 +1,14 @@ name: Confluence Data Center and Server Privilege Escalation id: 115bebac-0976-4f7d-a3ec-d1fb45a39a11 -version: 1 -date: '2023-10-04' +version: 2 +date: '2023-10-18' author: Michael Haag, Splunk status: production type: TTP data_source: [] description: The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. -search: '| tstats count min(_time) as firstTime max(_time) - as lastTime from datamodel=Web where Web.url IN ("/setup/*.action*") Web.status=200 - by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype - | `drop_dm_object_name("Web")` +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/setup/setupadministrator.action*", "*/setup/finishsetup.action*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`' how_to_implement: To successfully implement this search you need to be ingesting information 
@@ -55,8 +53,8 @@ tags:
 - Web.http_user_agent
 security_domain: network
 tests:
-- name: True Positive Test
+- name: Nginx Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_cve-2023-22515.log
- source: suricata
- sourcetype: suricata
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log
+ source: nginx:plus:kv
+ sourcetype: nginx:plus:kv
diff --git a/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
new file mode 100644
index 0000000000..af771a4597
--- /dev/null
+++ b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
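Review bot: The suricata test is replaced by the nginx one rather than kept alongside it, in the same commit that narrows the `search:` from `*/setup/*.action*` to two specific actions (`setupadministrator.action`, `finishsetup.action`). Keeping the original `confluence_cve-2023-22515.log` entry as a second `tests:` item would show that the narrowed URL list still fires on the earlier dataset; if it no longer does, that is exactly the regression a reviewer would want documented next to the new search. Adding the nginx test as a second list item under `tests:` is a three-line change, so no rewrite is needed beyond restoring the removed block.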
@@ -0,0 +1,57 @@
+name: Detect Prohibited Applications Spawning cmd exe browsers
+id: c10a18cb-fd70-4ffa-a844-25026e0a0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+status: validation
+type: Anomaly
+description: The following analytic identifies parent processes that are browsers, spawning cmd.exe. By its very nature,
+ many applications spawn cmd.exe natively or built into macros. Much of this will
+ need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search:
+ selection1:
+ actor.process.file.name:
+ - iexplore.exe
+ - opera.exe
+ - firefox.exe
+ selection2:
+ actor.process.file.name: chrome.exe
+ selection3:
+ process.cmd_line: chrome-extension
+ selection4:
+ process.file.name: cmd.exe
+ condition: ((selection1) or (selection2 and not selection3)) and selection4
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ mitre_attack_id:
+ - T1059
+ observable: []
+ product:
+ - Splunk Behavioral Analytics
+ required_fields: []
+ kill_chain_phases:
+ - Exploitation
+ risk_score: 35
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/browsers/windows-security.log
+ source: WinEventLog:Security
diff --git a/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
new file mode 100644
index 0000000000..c0128218a6
--- /dev/null
+++ b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
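Review bot: The `id:` values of the three new SSA detections — `c10a18cb-fd70-4ffa-a844-25026e0a0c94` here, `...-25026e0b0c94` in the office file and `...-25126e0b0d94` in the powershell file — differ from each other by one or two hex digits, which reads as hand-edited copies rather than freshly generated UUIDs; since contentctl keys detections on `id`, generating each with a UUID tool avoids a future collision with whatever the original `...25026e0a0c94` was copied from. The same three files share a `how_to_implement` that says the search "has been modified to process raw sysmon data from attack_range's nxlogs on DSP" while `data_source:` is `Windows Security 4688` and the test ingests `WinEventLog:Security`; rewrite it to describe the 4688 requirement, or drop the sysmon sentence. The `message:` tokens `$parent_process_name$`, `$process_name$`, `$dest_device_id$` and `$dest_user_id$` do not appear in the selections, which only use `actor.process.file.name` and `process.file.name`; presumably the SSA pipeline maps them, but that is worth confirming before `status: validation` is promoted. The powershell file additionally ends without a trailing newline.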
@@ -0,0 +1,55 @@
+name: Detect Prohibited Applications Spawning cmd exe office
+id: c10a18cb-fd70-4ffa-a844-25026e0b0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+status: validation
+type: Anomaly
+description: The following analytic identifies parent processes that are office/productivity applications, spawning cmd.exe. By its very nature,
+ many applications spawn cmd.exe natively or built into macros. Much of this will
+ need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search:
+ selection1:
+ actor.process.file.name:
+ - winword.exe
+ - excel.exe
+ - outlook.exe
+ - acrobat.exe
+ - acrord32.exe
+ selection2:
+ process.file.name: cmd.exe
+ condition: selection1 and selection2
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ mitre_attack_id:
+ - T1059
+ observable: []
+ product:
+ - Splunk Behavioral Analytics
+ required_fields: []
+ kill_chain_phases:
+ - Exploitation
+ risk_score: 35
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/office/windows-security.log
+ source: WinEventLog:Security
diff --git a/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
new file mode 100644
index 0000000000..5761348467
--- /dev/null
+++ b/dev_ssa/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
@@ -0,0 +1,51 @@
+name: Detect Prohibited Applications Spawning cmd exe powershell
+id: c10a18cb-fd70-4ffa-a844-25126e0b0d94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+status: validation
+type: Anomaly
+description: The following analytic identifies parent processes that are powershell, spawning cmd.exe. By its very nature,
+ many applications spawn cmd.exe natively or built into macros. Much of this will
+ need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search:
+ selection1:
+ actor.process.file.name:
+ - powershell.exe
+ selection2:
+ process.file.name: cmd.exe
+ condition: selection1 and selection2
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ mitre_attack_id:
+ - T1059
+ observable: []
+ product:
+ - Splunk Behavioral Analytics
+ required_fields: []
+ kill_chain_phases:
+ - Exploitation
+ risk_score: 35
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-security.log
+ source: WinEventLog:Security
\ No newline at end of file
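Review bot: The `description` carries over the office-analytic wording ("many applications spawn cmd.exe natively or built into macros"), which does not describe a PowerShell parent; suggest `description: The following analytic identifies powershell.exe spawning cmd.exe. PowerShell frequently launches cmd.exe for legitimate scripting, so this will need to be tuned per environment to further enhance the risk.` Coverage is limited to `powershell.exe`: if the intent is PowerShell as an interpreter, `pwsh.exe` (PowerShell 7) and `powershell_ise.exe` would not match, and if the SSA matcher is case-sensitive (not visible here) mixed-case image names would be missed too, which is worth stating in `known_false_positives` or a comment next to `selection1`. The file also ends without a trailing newline.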
diff --git a/dist/DA-ESS-ContentUpdate/app.manifest b/dist/DA-ESS-ContentUpdate/app.manifest index 16d0cba294..6dbe693441 100644 --- a/dist/DA-ESS-ContentUpdate/app.manifest +++ b/dist/DA-ESS-ContentUpdate/app.manifest @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf index 95381748a9..d0edde48c4 100644 --- a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf +++ b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/app.conf b/dist/DA-ESS-ContentUpdate/default/app.conf index 3d29f339ff..703ea4abd0 100644 --- a/dist/DA-ESS-ContentUpdate/default/app.conf +++ b/dist/DA-ESS-ContentUpdate/default/app.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# @@ -10,7 +10,7 @@ is_configured = false state = enabled state_change_requires_restart = false -build = 20231023213108 +build = 20231024003559 [triggers] reload.analytic_stories = simple diff --git a/dist/DA-ESS-ContentUpdate/default/collections.conf b/dist/DA-ESS-ContentUpdate/default/collections.conf index 0efcb6977b..28d65be1bd 100644 --- a/dist/DA-ESS-ContentUpdate/default/collections.conf +++ b/dist/DA-ESS-ContentUpdate/default/collections.conf 
@@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/content-version.conf b/dist/DA-ESS-ContentUpdate/default/content-version.conf index 2cbc14255d..abfc6f1e32 100644 --- a/dist/DA-ESS-ContentUpdate/default/content-version.conf +++ b/dist/DA-ESS-ContentUpdate/default/content-version.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf index 3b7aa3152a..6b17b6ff5d 100644 --- a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf +++ b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/macros.conf b/dist/DA-ESS-ContentUpdate/default/macros.conf index 4b3ee4976d..333cd176a7 100644 --- a/dist/DA-ESS-ContentUpdate/default/macros.conf +++ b/dist/DA-ESS-ContentUpdate/default/macros.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# 
diff --git a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf index b2546782a8..a102ab1c6c 100644 --- a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf +++ b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/transforms.conf b/dist/DA-ESS-ContentUpdate/default/transforms.conf index 081f5ab953..76a766f7e4 100644 --- a/dist/DA-ESS-ContentUpdate/default/transforms.conf +++ b/dist/DA-ESS-ContentUpdate/default/transforms.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf b/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf index 19ab4ce421..b3e84fff46 100644 --- a/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf +++ b/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-10-23T21:34:37 UTC +# On Date: 2023-10-24T00:38:29 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/lookups/mitre_enrichment.csv b/lookups/mitre_enrichment.csv index 98e157fb74..ba76164483 100644 --- a/lookups/mitre_enrichment.csv +++ b/lookups/mitre_enrichment.csv 
@@ -1,579 +1,626 @@ mitre_id,technique,tactics,groups -T1647,Plist File Modification,Defense Evasion,no -T1622,Debugger Evasion,Defense Evasion|Discovery,no -T1621,Multi-Factor Authentication Request Generation,Credential Access,APT29 -T1505.005,Terminal Services DLL,Persistence,no -T1557.003,DHCP Spoofing,Credential Access|Collection,no +T1568.001,Fast Flux DNS,Command And Control,menuPass|TA505 +T1218.010,Regsvr32,Defense Evasion,Deep Panda|APT32|Inception|Kimsuky|Cobalt Group|WIRTE|Leviathan|TA551|APT19|Blue Mockingbird +T1608.001,Upload Malware,Resource Development,Threat Group-3390|Mustang Panda|APT32|Earth Lusca|LuminousMoth|BITTER|EXOTIC LILY|FIN7|LazyScripter|SideCopy|Kimsuky|TA2541|TeamTNT|TA505|Gamaredon Group|HEXANE +T1213,Data from Information Repositories,Collection,FIN6|Fox Kitten|Turla|APT28|LAPSUS$ +T1021.002,SMB/Windows Admin Shares,Lateral Movement,Orangeworm|FIN8|Chimera|Moses Staff|APT3|Wizard Spider|APT39|Ke3chang|Fox Kitten|FIN13|APT32|Blue Mockingbird|APT28|Sandworm Team|Deep Panda|Lazarus Group|APT41|Threat Group-1314|Turla +T1027.002,Software Packing,Defense Evasion,TA505|The White Company|APT38|Dark Caracal|MoustachedBouncer|APT39|APT29|Ember Bear|Aoqin Dragon|Kimsuky|Rocke|TA2541|Threat Group-3390|Elderwood|TeamTNT|Patchwork|APT3|ZIRCONIUM|GALLIUM T1595.003,Wordlist Scanning,Reconnaissance,Volatile Cedar -T1098.005,Device Registration,Persistence,APT29 -T1574.013,KernelCallbackTable,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group -T1556.005,Reversible Encryption,Credential Access|Defense Evasion|Persistence,no -T1055.015,ListPlanting,Defense Evasion|Privilege Escalation,no -T1564.010,Process Argument Spoofing,Defense Evasion,no -T1564.009,Resource Forking,Defense Evasion,no T1559.003,XPC Services,Execution,no -T1562.010,Downgrade Attack,Defense Evasion,no -T1547.015,Login Items,Persistence|Privilege Escalation,no +T1020,Automated Exfiltration,Exfiltration,Gamaredon Group|Ke3chang|Sidewinder|Tropic Trooper 
+T1003.003,NTDS,Credential Access,Sandworm Team|HAFNIUM|Volt Typhoon|Mustang Panda|Dragonfly|menuPass|Fox Kitten|FIN13|Ke3chang|APT28|Chimera|Wizard Spider|FIN6|LAPSUS$ +T1201,Password Policy Discovery,Discovery,Chimera|Turla|OilRig +T1578.003,Delete Cloud Instance,Defense Evasion,LAPSUS$ +T1049,System Network Connections Discovery,Discovery,Andariel|APT1|FIN13|Poseidon Group|Chimera|Sandworm Team|Earth Lusca|APT41|Ke3chang|Magic Hound|Tropic Trooper|BackdoorDiplomacy|APT3|HEXANE|admin@338|Volt Typhoon|TeamTNT|APT38|Turla|MuddyWater|APT32|OilRig|Mustang Panda|Lazarus Group|menuPass|Threat Group-3390|GALLIUM +T1185,Browser Session Hijacking,Collection,no +T1564.005,Hidden File System,Defense Evasion,Equation|Strider +T1647,Plist File Modification,Defense Evasion,no +T1119,Automated Collection,Collection,menuPass|Mustang Panda|Chimera|Patchwork|Threat Group-3390|FIN5|APT1|Sidewinder|Ke3chang|Tropic Trooper|FIN6|APT28|Confucius|OilRig|Gamaredon Group +T1037,Boot or Logon Initialization Scripts,Persistence|Privilege Escalation,Rocke|APT29 +T1055.005,Thread Local Storage,Defense Evasion|Privilege Escalation,no +T1199,Trusted Relationship,Initial Access,APT28|Sandworm Team|APT29|GOLD SOUTHFIELD|menuPass|POLONIUM|LAPSUS$|Threat Group-3390 +T1547.003,Time Providers,Persistence|Privilege Escalation,no +T1069.003,Cloud Groups,Discovery,no +T1537,Transfer Data to Cloud Account,Exfiltration,no +T1599.001,Network Address Translation Traversal,Defense Evasion,no +T1136.001,Local Account,Persistence,Leafminer|Kimsuky|FIN13|Dragonfly|APT3|APT39|Magic Hound|Fox Kitten|Wizard Spider|TeamTNT|APT41 +T1098.005,Device Registration,Persistence|Privilege Escalation,APT29 +T1069,Permission Groups Discovery,Discovery,APT3|FIN13|TA505 +T1552.008,Chat Messages,Credential Access,LAPSUS$ +T1589.003,Employee Names,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team +T1505,Server Software Component,Persistence,no +T1505.005,Terminal Services DLL,Persistence,no +T1114.002,Remote Email 
Collection,Collection,Chimera|FIN4|Kimsuky|HAFNIUM|APT28|Magic Hound|Dragonfly|APT1|Ke3chang|APT29|Leafminer +T1542.001,System Firmware,Persistence|Defense Evasion,no +T1586.003,Cloud Accounts,Resource Development,APT29 +T1552,Unsecured Credentials,Credential Access,no +T1052,Exfiltration Over Physical Medium,Exfiltration,no +T1583.004,Server,Resource Development,GALLIUM|Earth Lusca|Kimsuky|Sandworm Team +T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion|Persistence,no +T1563.001,SSH Hijacking,Lateral Movement,no +T1499.002,Service Exhaustion Flood,Impact,no +T1574,Hijack Execution Flow,Persistence|Privilege Escalation|Defense Evasion,no +T1563,Remote Service Session Hijacking,Lateral Movement,no +T1055.014,VDSO Hijacking,Defense Evasion|Privilege Escalation,no +T1134.005,SID-History Injection,Defense Evasion|Privilege Escalation,no +T1593.003,Code Repositories,Reconnaissance,LAPSUS$ +T1558,Steal or Forge Kerberos Tickets,Credential Access,no +T1587.004,Exploits,Resource Development,no +T1542.002,Component Firmware,Persistence|Defense Evasion,Equation +T1059.006,Python,Execution,ZIRCONIUM|Turla|Kimsuky|MuddyWater|Machete|Tonto Team|APT37|APT39|BRONZE BUTLER|Rocke|Dragonfly|Earth Lusca|APT29 +T1597,Search Closed Sources,Reconnaissance,EXOTIC LILY +T1048.003,Exfiltration Over Unencrypted Non-C2 Protocol,Exfiltration,APT32|OilRig|Wizard Spider|APT33|FIN6|FIN8|Lazarus Group|Thrip T1620,Reflective Code Loading,Defense Evasion,Lazarus Group -T1619,Cloud Storage Object Discovery,Discovery,no -T1218.014,MMC,Defense Evasion,no -T1218.013,Mavinject,Defense Evasion,no -T1614.001,System Language Discovery,Discovery,Ke3chang|Lazarus Group -T1615,Group Policy Discovery,Discovery,Turla -T1036.007,Double File Extension,Defense Evasion,Mustang Panda -T1562.009,Safe Mode Boot,Defense Evasion,no -T1564.008,Email Hiding Rules,Defense Evasion,FIN4 -T1505.004,IIS Components,Persistence,no -T1027.006,HTML Smuggling,Defense Evasion,APT29 -T1213.003,Code 
Repositories,Collection,APT29 -T1553.006,Code Signing Policy Modification,Defense Evasion,Turla|APT39 -T1614,System Location Discovery,Discovery,no -T1613,Container and Resource Discovery,Discovery,TeamTNT -T1552.007,Container API,Credential Access,no -T1612,Build Image on Host,Defense Evasion,no -T1611,Escape to Host,Privilege Escalation,TeamTNT -T1204.003,Malicious Image,Execution,TeamTNT +T1547.015,Login Items,Persistence|Privilege Escalation,no +T1574.002,DLL Side-Loading,Persistence|Privilege Escalation|Defense Evasion,BlackTech|Lazarus Group|Earth Lusca|menuPass|APT3|Chimera|APT41|GALLIUM|Naikon|SideCopy|BRONZE BUTLER|Threat Group-3390|Patchwork|Mustang Panda|APT32|LuminousMoth|APT19|MuddyWater|Higaisa|Tropic Trooper|FIN13|Sidewinder T1053.007,Container Orchestration Job,Execution|Persistence|Privilege Escalation,no -T1610,Deploy Container,Defense Evasion|Execution,TeamTNT -T1609,Container Administration Command,Execution,TeamTNT -T1608.005,Link Target,Resource Development,Silent Librarian -T1608.004,Drive-by Target,Resource Development,Dragonfly|Transparent Tribe|APT32|Threat Group-3390 -T1608.003,Install Digital Certificate,Resource Development,no -T1608.002,Upload Tool,Resource Development,Lazarus Group|Threat Group-3390 -T1608.001,Upload Malware,Resource Development,Threat Group-3390|LazyScripter|Mustang Panda|Gamaredon Group|Kimsuky|Lazarus Group|TeamTNT|APT32 -T1608,Stage Capabilities,Resource Development,Mustang Panda -T1016.001,Internet Connection Discovery,Discovery,Gamaredon Group|APT29|Turla -T1553.005,Mark-of-the-Web Bypass,Defense Evasion,APT29|TA505 -T1555.005,Password Managers,Credential Access,Threat Group-3390|Fox Kitten|Operation Wocao -T1484.002,Domain Trust Modification,Defense Evasion|Privilege Escalation,APT29 -T1484.001,Group Policy Modification,Defense Evasion|Privilege Escalation,Indrik Spider -T1547.014,Active Setup,Persistence|Privilege Escalation,no -T1606.002,SAML Tokens,Credential Access,APT29 -T1606.001,Web Cookies,Credential 
Access,APT29 -T1606,Forge Web Credentials,Credential Access,no -T1555.004,Windows Credential Manager,Credential Access,Stealth Falcon|OilRig|Turla -T1059.008,Network Device CLI,Execution,no -T1602.002,Network Device Configuration Dump,Collection,no -T1542.005,TFTP Boot,Defense Evasion|Persistence,no -T1542.004,ROMMONkit,Defense Evasion|Persistence,no -T1602.001,SNMP (MIB Dump),Collection,no -T1602,Data from Configuration Repository,Collection,no -T1601.002,Downgrade System Image,Defense Evasion,no -T1601.001,Patch System Image,Defense Evasion,no +T1587.003,Digital Certificates,Resource Development,APT29|PROMETHIUM T1601,Modify System Image,Defense Evasion,no -T1600.002,Disable Crypto Hardware,Defense Evasion,no -T1600.001,Reduce Key Space,Defense Evasion,no -T1600,Weaken Encryption,Defense Evasion,no -T1556.004,Network Device Authentication,Credential Access|Defense Evasion|Persistence,no -T1599.001,Network Address Translation Traversal,Defense Evasion,no -T1599,Network Boundary Bridging,Defense Evasion,no -T1020.001,Traffic Duplication,Exfiltration,no -T1557.002,ARP Cache Poisoning,Credential Access|Collection,Cleaver -T1588.006,Vulnerabilities,Resource Development,Sandworm Team -T1053.006,Systemd Timers,Execution|Persistence|Privilege Escalation,no -T1562.008,Disable Cloud Logs,Defense Evasion,no -T1547.012,Print Processors,Persistence|Privilege Escalation,no -T1598.003,Spearphishing Link,Reconnaissance,APT28|Dragonfly|Magic Hound|Silent Librarian|Sidewinder|Sandworm Team|APT32|Kimsuky -T1598.002,Spearphishing Attachment,Reconnaissance,Dragonfly|Sidewinder -T1598.001,Spearphishing Service,Reconnaissance,no -T1598,Phishing for Information,Reconnaissance,ZIRCONIUM|APT28 -T1597.002,Purchase Technical Data,Reconnaissance,no -T1597.001,Threat Intel Vendors,Reconnaissance,no -T1597,Search Closed Sources,Reconnaissance,no -T1596.005,Scan Databases,Reconnaissance,no -T1596.004,CDNs,Reconnaissance,no -T1596.003,Digital Certificates,Reconnaissance,no 
+T1213.001,Confluence,Collection,LAPSUS$ +T1090.001,Internal Proxy,Command And Control,Volt Typhoon|FIN13|APT39|Higaisa|Strider|Turla|Lazarus Group +T1083,File and Directory Discovery,Discovery,Ke3chang|Dragonfly|Winnti Group|Sandworm Team|Aoqin Dragon|Leafminer|Darkhotel|Tropic Trooper|Magic Hound|Fox Kitten|Windigo|TeamTNT|admin@338|BRONZE BUTLER|Kimsuky|Chimera|APT41|MuddyWater|Gamaredon Group|APT18|Inception|menuPass|Lazarus Group|HAFNIUM|FIN13|Sowbug|APT38|Patchwork|Dark Caracal|LuminousMoth|Mustang Panda|Turla|Sidewinder|Confucius|APT28|APT32|APT39|APT3 +T1611,Escape to Host,Privilege Escalation,TeamTNT +T1583.008,Malvertising,Resource Development,no +T1552.001,Credentials In Files,Credential Access,APT3|Kimsuky|MuddyWater|Leafminer|FIN13|APT33|Fox Kitten|TA505|TeamTNT|OilRig +T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,Blue Mockingbird|FIN6 +T1078.003,Local Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Kimsuky|PROMETHIUM|Tropic Trooper|Turla|APT32|FIN10|HAFNIUM +T1530,Data from Cloud Storage,Collection,Fox Kitten +T1657,Financial Theft,Impact,SilverTerrier|FIN13 +T1546.016,Installer Packages,Privilege Escalation|Persistence,no +T1120,Peripheral Device Discovery,Discovery,Gamaredon Group|Turla|BackdoorDiplomacy|TeamTNT|APT28|Equation|OilRig|APT37 +T1112,Modify Registry,Defense Evasion,Wizard Spider|Magic Hound|Kimsuky|Dragonfly|APT32|Earth Lusca|Patchwork|TA505|Turla|APT19|FIN8|Gamaredon Group|Gorgon Group|Blue Mockingbird|Silence|LuminousMoth|Ember Bear|APT41|Threat Group-3390|APT38 +T1546.011,Application Shimming,Privilege Escalation|Persistence,FIN7 +T1590.002,DNS,Reconnaissance,no +T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,no +T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Tropic Trooper|Wizard Spider|Turla T1596.001,DNS/Passive DNS,Reconnaissance,no -T1596.002,WHOIS,Reconnaissance,no -T1596,Search Open Technical Databases,Reconnaissance,no 
-T1595.002,Vulnerability Scanning,Reconnaissance,Magic Hound|Aquatic Panda|Dragonfly|TeamTNT|APT29|Volatile Cedar|APT28|Sandworm Team -T1595.001,Scanning IP Blocks,Reconnaissance,TeamTNT -T1595,Active Scanning,Reconnaissance,no -T1594,Search Victim-Owned Websites,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team -T1593.002,Search Engines,Reconnaissance,Kimsuky -T1593.001,Social Media,Reconnaissance,Lazarus Group|Kimsuky -T1593,Search Open Websites/Domains,Reconnaissance,Sandworm Team -T1592.004,Client Configurations,Reconnaissance,HAFNIUM -T1592.003,Firmware,Reconnaissance,no -T1592.002,Software,Reconnaissance,Andariel|Sandworm Team -T1592.001,Hardware,Reconnaissance,no -T1592,Gather Victim Host Information,Reconnaissance,no -T1591.004,Identify Roles,Reconnaissance,Lazarus Group -T1591.003,Identify Business Tempo,Reconnaissance,no -T1591.001,Determine Physical Locations,Reconnaissance,no -T1591.002,Business Relationships,Reconnaissance,Dragonfly|Sandworm Team -T1591,Gather Victim Org Information,Reconnaissance,Kimsuky|Lazarus Group -T1590.006,Network Security Appliances,Reconnaissance,no -T1590.005,IP Addresses,Reconnaissance,Andariel|HAFNIUM -T1590.004,Network Topology,Reconnaissance,no +T1218.003,CMSTP,Defense Evasion,Cobalt Group|MuddyWater +T1068,Exploitation for Privilege Escalation,Privilege Escalation,APT28|Scattered Spider|Turla|APT32|Cobalt Group|APT33|ZIRCONIUM|LAPSUS$|FIN6|Tonto Team|BITTER|MoustachedBouncer|FIN8|PLATINUM|Threat Group-3390|Whitefly|APT29 +T1059.004,Unix Shell,Execution,APT41|TeamTNT|Rocke T1590.003,Network Trust Dependencies,Reconnaissance,no -T1590.002,DNS,Reconnaissance,no -T1590.001,Domain Properties,Reconnaissance,Sandworm Team -T1590,Gather Victim Network Information,Reconnaissance,HAFNIUM -T1589.003,Employee Names,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team -T1589.002,Email Addresses,Reconnaissance,Lazarus Group|Kimsuky|Magic Hound|TA551|MuddyWater|HAFNIUM|APT32|Silent Librarian|Sandworm Team 
-T1589.001,Credentials,Reconnaissance,APT29|Leviathan|APT28|Magic Hound|Chimera -T1589,Gather Victim Identity Information,Reconnaissance,Magic Hound|APT32 -T1588.005,Exploits,Resource Development,Kimsuky -T1588.004,Digital Certificates,Resource Development,BlackTech|Lazarus Group|Silent Librarian -T1588.003,Code Signing Certificates,Resource Development,BlackTech|Lazarus Group|Wizard Spider -T1588.002,Tool,Resource Development,Aquatic Panda|BlackTech|Lazarus Group|CostaRicto|Night Dragon|DarkVishnya|FIN5|Gorgon Group|Patchwork|Chimera|Dragonfly|Blue Mockingbird|Whitefly|APT41|FIN6|TEMP.Veles|Kimsuky|PittyTiger|Cobalt Group|APT29|Thrip|Ke3chang|DarkHydrus|APT32|APT38|BRONZE BUTLER|Carbanak|Cleaver|Inception|Leafminer|Threat Group-3390|Ferocious Kitten|IndigoZebra|BackdoorDiplomacy|menuPass|APT-C-36|Magic Hound|APT28|Wizard Spider|Frankenstein|Silence|WIRTE|Turla|APT33|APT19|FIN10|CopyKittens|APT39|APT1|MuddyWater|Silent Librarian|GALLIUM|Sandworm Team -T1588.001,Malware,Resource Development,Aquatic Panda|LazyScripter|Andariel|BackdoorDiplomacy|Turla|APT1 -T1588,Obtain Capabilities,Resource Development,no -T1587.004,Exploits,Resource Development,no -T1587.003,Digital Certificates,Resource Development,APT29|PROMETHIUM -T1587.002,Code Signing Certificates,Resource Development,PROMETHIUM|Patchwork -T1587.001,Malware,Resource Development,Ke3chang|Kimsuky|TeamTNT|APT29|Lazarus Group|Sandworm Team|Turla|FIN7|Night Dragon|Cleaver -T1587,Develop Capabilities,Resource Development,Kimsuky -T1586.002,Email Accounts,Resource Development,APT29|APT28|IndigoZebra|Leviathan|Magic Hound|Kimsuky -T1586.001,Social Media Accounts,Resource Development,Leviathan -T1586,Compromise Accounts,Resource Development,no -T1585.002,Email Accounts,Resource Development,Mustang Panda|Kimsuky|Lazarus Group|Leviathan|Magic Hound|Silent Librarian|Sandworm Team|APT1 -T1585.001,Social Media Accounts,Resource Development,Kimsuky|Lazarus Group|Leviathan|Magic Hound|Fox Kitten|Sandworm Team|APT32|Cleaver 
-T1585,Establish Accounts,Resource Development,Fox Kitten|APT17 -T1584.006,Web Services,Resource Development,Turla -T1584.005,Botnet,Resource Development,Sandworm Team|Axiom -T1584.004,Server,Resource Development,Lazarus Group|Dragonfly|Indrik Spider|Turla|APT16 -T1584.003,Virtual Private Server,Resource Development,Turla -T1584.002,DNS Server,Resource Development,no -T1584.001,Domains,Resource Development,Kimsuky|Lazarus Group|Transparent Tribe|Magic Hound|APT29|APT1 -T1583.006,Web Services,Resource Development,APT28|Confucius|LazyScripter|Kimsuky|Magic Hound|IndigoZebra|ZIRCONIUM|MuddyWater|HAFNIUM|Lazarus Group|Turla|APT32|APT17|APT29 -T1583.005,Botnet,Resource Development,no -T1583.004,Server,Resource Development,Kimsuky|Lazarus Group|Gelsemium|GALLIUM|Sandworm Team -T1583.003,Virtual Private Server,Resource Development,Axiom|Dragonfly|HAFNIUM|TEMP.Veles -T1583.002,DNS Server,Resource Development,Axiom -T1584,Compromise Infrastructure,Resource Development,no -T1583.001,Domains,Resource Development,LazyScripter|Gamaredon Group|Winnti Group|Dragonfly|IndigoZebra|TeamTNT|Ferocious Kitten|FIN7|Transparent Tribe|Leviathan|Magic Hound|APT29|Mustang Panda|ZIRCONIUM|Lazarus Group|Silent Librarian|menuPass|Sandworm Team|APT32|Kimsuky|APT1|APT28 -T1583,Acquire Infrastructure,Resource Development,no -T1564.007,VBA Stomping,Defense Evasion,no -T1558.004,AS-REP Roasting,Credential Access,no -T1580,Cloud Infrastructure Discovery,Discovery,no -T1218.012,Verclsid,Defense Evasion,no -T1205.001,Port Knocking,Defense Evasion|Persistence|Command And Control,PROMETHIUM -T1564.006,Run Virtual Instance,Defense Evasion,no -T1564.005,Hidden File System,Defense Evasion,Strider|Equation -T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion|Persistence,no -T1574.012,COR_PROFILER,Persistence|Privilege Escalation|Defense Evasion,Blue Mockingbird -T1562.007,Disable or Modify Cloud Firewall,Defense Evasion,no -T1098.004,SSH Authorized Keys,Persistence,TeamTNT 
-T1480.001,Environmental Keying,Defense Evasion,APT41|Equation -T1059.007,JavaScript,Execution,LazyScripter|Indrik Spider|MuddyWater|Turla|Higaisa|Sidewinder|Evilnum|Kimsuky|FIN6|APT32|FIN7|Cobalt Group|Molerats|TA505|Silence|Leafminer +T1011.001,Exfiltration Over Bluetooth,Exfiltration,no +T1204.003,Malicious Image,Execution,TeamTNT +T1021,Remote Services,Lateral Movement,Wizard Spider +T1564,Hide Artifacts,Defense Evasion,no +T1547.009,Shortcut Modification,Persistence|Privilege Escalation,APT39|Leviathan|Lazarus Group|Gorgon Group +T1584.007,Serverless,Resource Development,no +T1102.001,Dead Drop Resolver,Command And Control,APT41|Rocke|BRONZE BUTLER|Patchwork|RTM +T1105,Ingress Tool Transfer,Command And Control,APT29|Magic Hound|Threat Group-3390|APT41|Moses Staff|Fox Kitten|LazyScripter|Leviathan|FIN13|Winnti Group|FIN8|Volatile Cedar|Nomadic Octopus|LuminousMoth|Turla|APT3|APT-C-36|Mustang Panda|Metador|APT38|APT37|TA551|TA2541|MuddyWater|WIRTE|Aquatic Panda|Windshift|SideCopy|TA505|Cobalt Group|Tropic Trooper|Andariel|Chimera|HAFNIUM|Dragonfly|Darkhotel|Ajax Security Team|Rocke|Evilnum|Molerats|IndigoZebra|APT28|menuPass|Whitefly|Wizard Spider|Lazarus Group|Ke3chang|ZIRCONIUM|Rancor|BITTER|TeamTNT|APT33|Confucius|APT39|Ember Bear|OilRig|Elderwood|HEXANE|Sandworm Team|Sidewinder|Indrik Spider|BackdoorDiplomacy|Kimsuky|Tonto Team|Gamaredon Group|Gorgon Group|PLATINUM|APT32|GALLIUM|BRONZE BUTLER|APT18|FIN7|Silence|Patchwork +T1585.002,Email Accounts,Resource Development,Kimsuky|Indrik Spider|Wizard Spider|Magic Hound|Leviathan|APT1|Sandworm Team|HEXANE|EXOTIC LILY|Silent Librarian|Lazarus Group|Mustang Panda +T1559.001,Component Object Model,Execution,MuddyWater|Gamaredon Group +T1036.001,Invalid Code Signature,Defense Evasion,APT37|Windshift +T1070.004,File Deletion,Defense Evasion,Rocke|Tropic Trooper|APT38|FIN5|Sandworm Team|APT39|Magic Hound|Patchwork|Mustang Panda|Chimera|Group5|APT32|menuPass|APT29|Evilnum|FIN8|Aquatic Panda|APT28|APT18|APT3|Silence|Volt 
Typhoon|Kimsuky|TEMP.Veles|Threat Group-3390|TeamTNT|The White Company|FIN6|Gamaredon Group|Lazarus Group|Wizard Spider|Cobalt Group|APT41|Metador|Dragonfly|BRONZE BUTLER|FIN10|OilRig T1578.004,Revert Cloud Instance,Defense Evasion,no -T1578.003,Delete Cloud Instance,Defense Evasion,no +T1572,Protocol Tunneling,Command And Control,OilRig|FIN13|Leviathan|Fox Kitten|Chimera|FIN6|Cobalt Group|Magic Hound +T1562.008,Disable or Modify Cloud Logs,Defense Evasion,no +T1546.009,AppCert DLLs,Privilege Escalation|Persistence,no +T1518,Software Discovery,Discovery,Mustang Panda|MuddyWater|Wizard Spider|Sidewinder|Volt Typhoon|SideCopy|HEXANE|Windigo|Inception|Windshift|BRONZE BUTLER|Tropic Trooper +T1598,Phishing for Information,Reconnaissance,ZIRCONIUM|Scattered Spider|APT28 +T1053.002,At,Execution|Persistence|Privilege Escalation,Threat Group-3390|BRONZE BUTLER|APT18 +T1548.002,Bypass User Account Control,Privilege Escalation|Defense Evasion,Evilnum|Threat Group-3390|APT37|BRONZE BUTLER|APT29|Patchwork|MuddyWater|Earth Lusca|Cobalt Group +T1585.001,Social Media Accounts,Resource Development,EXOTIC LILY|Magic Hound|Fox Kitten|APT32|Lazarus Group|Leviathan|Kimsuky|Cleaver|Sandworm Team|HEXANE|CURIUM +T1212,Exploitation for Credential Access,Credential Access,no +T1218.013,Mavinject,Defense Evasion,no +T1546.003,Windows Management Instrumentation Event Subscription,Privilege Escalation|Persistence,Mustang Panda|APT29|Leviathan|Metador|APT33|Blue Mockingbird|FIN8|Turla +T1552.004,Private Keys,Credential Access,TeamTNT|Rocke +T1574.008,Path Interception by Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,no +T1027.007,Dynamic API Resolution,Defense Evasion,Lazarus Group +T1654,Log Enumeration,Discovery,Volt Typhoon +T1016.001,Internet Connection Discovery,Discovery,Magic Hound|HAFNIUM|HEXANE|APT29|Turla|Gamaredon Group|TA2541|FIN13|FIN8 +T1567.002,Exfiltration to Cloud Storage,Exfiltration,Kimsuky|HEXANE|Earth 
Lusca|Leviathan|ZIRCONIUM|HAFNIUM|Turla|LuminousMoth|Chimera|Threat Group-3390|Confucius|Wizard Spider|POLONIUM|FIN7 +T1218.002,Control Panel,Defense Evasion,Ember Bear +T1583.007,Serverless,Resource Development,no +T1608,Stage Capabilities,Resource Development,Mustang Panda +T1484.001,Group Policy Modification,Defense Evasion|Privilege Escalation,Indrik Spider +T1125,Video Capture,Collection,Silence|FIN7 +T1615,Group Policy Discovery,Discovery,Turla +T1200,Hardware Additions,Initial Access,DarkVishnya +T1564.009,Resource Forking,Defense Evasion,no +T1589.002,Email Addresses,Reconnaissance,Magic Hound|Sandworm Team|TA551|Lazarus Group|HAFNIUM|Silent Librarian|Kimsuky|MuddyWater|HEXANE|APT32|EXOTIC LILY|LAPSUS$ +T1608.003,Install Digital Certificate,Resource Development,no T1578.001,Create Snapshot,Defense Evasion,no -T1578.002,Create Cloud Instance,Defense Evasion,no -T1127.001,MSBuild,Defense Evasion,Frankenstein -T1027.005,Indicator Removal from Tools,Defense Evasion,Operation Wocao|GALLIUM|TEMP.Veles|Patchwork|APT3|Turla|OilRig|Deep Panda -T1562.006,Indicator Blocking,Defense Evasion,no -T1573.002,Asymmetric Cryptography,Command And Control,Operation Wocao|Tropic Trooper|Cobalt Group|OilRig|FIN8|FIN6 -T1573.001,Symmetric Cryptography,Command And Control,Mustang Panda|Darkhotel|ZIRCONIUM|Higaisa|Frankenstein|Inception|APT28|APT33|BRONZE BUTLER|Stealth Falcon|Lazarus Group -T1573,Encrypted Channel,Command And Control,APT29|Tropic Trooper -T1027.004,Compile After Delivery,Defense Evasion,Gamaredon Group|Rocke|MuddyWater -T1574.004,Dylib Hijacking,Persistence|Privilege Escalation|Defense Evasion,no -T1546.015,Component Object Model Hijacking,Privilege Escalation|Persistence,APT28 -T1071.004,DNS,Command And Control,LazyScripter|Chimera|APT39|Tropic Trooper|OilRig|Ke3chang|Cobalt Group|APT18|APT41|FIN7 -T1071.003,Mail Protocols,Command And Control,Turla|Kimsuky|APT32|SilverTerrier|APT28 -T1071.002,File Transfer Protocols,Command And 
Control,Kimsuky|APT41|SilverTerrier|Honeybee -T1071.001,Web Protocols,Command And Control,Kimsuky|Confucius|TeamTNT|FIN8|APT29|Mustang Panda|Windshift|TA551|Higaisa|HAFNIUM|Sidewinder|Chimera|Sandworm Team|TA505|Rocke|APT39|Tropic Trooper|MuddyWater|Wizard Spider|Inception|APT41|SilverTerrier|APT28|WIRTE|APT33|FIN4|Night Dragon|APT18|APT38|Rancor|Ke3chang|Orangeworm|APT37|APT19|Cobalt Group|Threat Group-3390|Dark Caracal|Turla|Lazarus Group|BRONZE BUTLER|Magic Hound|APT32|OilRig|Gamaredon Group|Stealth Falcon -T1572,Protocol Tunneling,Command And Control,Leviathan|CostaRicto|Chimera|Fox Kitten|OilRig|Cobalt Group|FIN6 -T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,Exfiltration,Wizard Spider|FIN6|APT32|APT33|Thrip|FIN8|OilRig|Lazarus Group -T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,APT28|APT29 -T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,no +T1614.001,System Language Discovery,Discovery,Ke3chang +T1136,Create Account,Persistence,Indrik Spider +T1573.002,Asymmetric Cryptography,Command And Control,TA2541|Cobalt Group|FIN6|Tropic Trooper|OilRig|FIN8 +T1059.003,Windows Command Shell,Execution,Gorgon Group|menuPass|APT18|Mustang Panda|TA551|Rancor|TA505|Wizard Spider|APT1|Aquatic Panda|HAFNIUM|Fox Kitten|FIN13|APT37|TeamTNT|Blue Mockingbird|GALLIUM|Gamaredon Group|FIN8|FIN6|Patchwork|Threat Group-3390|Suckfly|Chimera|Dark Caracal|LazyScripter|Metador|APT32|Sowbug|Lazarus Group|Tropic Trooper|Machete|Cobalt Group|ZIRCONIUM|Nomadic Octopus|Higaisa|Turla|BRONZE BUTLER|FIN7|FIN10|Dragonfly|APT28|Magic Hound|Volt Typhoon|Kimsuky|Darkhotel|Ember Bear|APT3|Indrik Spider|APT38|admin@338|Silence|Threat Group-1314|MuddyWater|Ke3chang|APT41|OilRig +T1552.007,Container API,Credential Access,no +T1205,Traffic Signaling,Defense Evasion|Persistence|Command And Control,no +T1552.006,Group Policy Preferences,Credential Access,APT33|Wizard Spider +T1104,Multi-Stage Channels,Command And 
Control,APT41|Lazarus Group|MuddyWater|APT3 +T1562.001,Disable or Modify Tools,Defense Evasion,Indrik Spider|Rocke|Gorgon Group|TeamTNT|Wizard Spider|Ember Bear|Aquatic Panda|Turla|Magic Hound|BRONZE BUTLER|TA505|Kimsuky|Putter Panda|TA2541|FIN6|MuddyWater|Gamaredon Group|Lazarus Group|APT29 +T1056,Input Capture,Collection|Credential Access,APT39 +T1585.003,Cloud Accounts,Resource Development,no +T1219,Remote Access Software,Command And Control,DarkVishnya|Cobalt Group|FIN7|RTM|Mustang Panda|Carbanak|Kimsuky|MuddyWater|GOLD SOUTHFIELD|Thrip|Sandworm Team|Evilnum|TeamTNT +T1567.001,Exfiltration to Code Repository,Exfiltration,no +T1566.002,Spearphishing Link,Initial Access,Mofang|Lazarus Group|TA505|Sidewinder|Evilnum|ZIRCONIUM|EXOTIC LILY|APT28|Confucius|Magic Hound|APT3|Mustang Panda|APT1|OilRig|Cobalt Group|MuddyWater|Turla|LazyScripter|Elderwood|Wizard Spider|Kimsuky|FIN7|Ember Bear|Transparent Tribe|Sandworm Team|Molerats|FIN8|APT29|APT39|Machete|Leviathan|APT33|LuminousMoth|FIN4|Windshift|APT32|Earth Lusca|BlackTech|Patchwork|TA2541 +T1036.002,Right-to-Left Override,Defense Evasion,Scarlet Mimic|Ke3chang|BRONZE BUTLER|BlackTech|Ferocious Kitten +T1598.004,Spearphishing Voice,Reconnaissance,LAPSUS$ +T1046,Network Service Discovery,Discovery,FIN13|Suckfly|Leafminer|menuPass|FIN6|APT32|Chimera|Naikon|OilRig|Cobalt Group|BlackTech|Threat Group-3390|Magic Hound|DarkVishnya|Rocke|TeamTNT|Fox Kitten|APT41|Lazarus Group|Tropic Trooper|APT39|BackdoorDiplomacy +T1564.011,Ignore Process Interrupts,Defense Evasion,no +T1098.006,Additional Container Cluster Roles,Persistence|Privilege Escalation,no +T1115,Clipboard Data,Collection,APT38|APT39 +T1554,Compromise Client Software Binary,Persistence,no +T1542.005,TFTP Boot,Defense Evasion|Persistence,no +T1546.002,Screensaver,Privilege Escalation|Persistence,no +T1565.001,Stored Data Manipulation,Impact,APT38 +T1592.002,Software,Reconnaissance,Andariel|Sandworm Team|Magic Hound +T1580,Cloud Infrastructure Discovery,Discovery,no 
+T1211,Exploitation for Defense Evasion,Defense Evasion,APT28 +T1072,Software Deployment Tools,Execution|Lateral Movement,APT32|Sandworm Team|Silence|Threat Group-1314 +T1080,Taint Shared Content,Lateral Movement,BRONZE BUTLER|Darkhotel|Gamaredon Group +T1560.003,Archive via Custom Method,Collection,CopyKittens|Mustang Panda|FIN6|Kimsuky|Lazarus Group +T1070.005,Network Share Connection Removal,Defense Evasion,Threat Group-3390 +T1600.002,Disable Crypto Hardware,Defense Evasion,no +T1542.003,Bootkit,Persistence|Defense Evasion,Lazarus Group|APT41|APT28 +T1555.001,Keychain,Credential Access,no +T1052.001,Exfiltration over USB,Exfiltration,Tropic Trooper|Mustang Panda +T1564.008,Email Hiding Rules,Defense Evasion,FIN4 +T1056.004,Credential API Hooking,Collection|Credential Access,PLATINUM T1001.003,Protocol Impersonation,Command And Control,Higaisa|Lazarus Group -T1001.002,Steganography,Command And Control,APT29|Axiom +T1218.007,Msiexec,Defense Evasion,Machete|ZIRCONIUM|Rancor|Molerats|TA505 +T1036.007,Double File Extension,Defense Evasion,Mustang Panda +T1140,Deobfuscate/Decode Files or Information,Defense Evasion,Darkhotel|Sandworm Team|APT39|BRONZE BUTLER|Gorgon Group|APT28|WIRTE|OilRig|FIN13|Kimsuky|menuPass|APT19|Leviathan|TeamTNT|Rocke|Turla|Threat Group-3390|Molerats|TA505|Ke3chang|Higaisa|Lazarus Group|Earth Lusca|ZIRCONIUM|Tropic Trooper|Gamaredon Group|MuddyWater +T1025,Data from Removable Media,Collection,APT28|Gamaredon Group|Turla +T1136.003,Cloud Account,Persistence,APT29|LAPSUS$ +T1547.007,Re-opened Applications,Persistence|Privilege Escalation,no +T1566.004,Spearphishing Voice,Initial Access,no +T1070.007,Clear Network Connection History and Configurations,Defense Evasion,Volt Typhoon +T1552.003,Bash History,Credential Access,no +T1602,Data from Configuration Repository,Collection,no +T1213.002,Sharepoint,Collection,LAPSUS$|Chimera|Ke3chang|APT28 T1001.001,Junk Data,Command And Control,APT28 -T1132.002,Non-Standard Encoding,Command And Control,no 
-T1132.001,Standard Encoding,Command And Control,HAFNIUM|TA551|Sandworm Team|Tropic Trooper|MuddyWater|APT33|APT19|Lazarus Group|BRONZE BUTLER|Patchwork -T1090.004,Domain Fronting,Command And Control,APT29 -T1090.003,Multi-hop Proxy,Command And Control,Leviathan|CostaRicto|APT28|Operation Wocao|Inception|FIN4|APT29 -T1090.002,External Proxy,Command And Control,Tonto Team|APT39|Silence|GALLIUM|MuddyWater|APT3|FIN5|Lazarus Group|menuPass|APT28 -T1090.001,Internal Proxy,Command And Control,Lazarus Group|Turla|APT29|Higaisa|Operation Wocao|APT39|Strider -T1102.003,One-Way Communication,Command And Control,Leviathan -T1102.002,Bidirectional Communication,Command And Control,Kimsuky|Lazarus Group|ZIRCONIUM|MuddyWater|APT28|APT29|Sandworm Team|APT39|APT12|Turla|FIN7|APT37|Magic Hound|Carbanak -T1102.001,Dead Drop Resolver,Command And Control,Rocke|APT41|BRONZE BUTLER|RTM|Patchwork -T1571,Non-Standard Port,Command And Control,WIRTE|Sandworm Team|Rocke|DarkVishnya|Silence|APT-C-36|Magic Hound|APT33|APT32|TEMP.Veles|Lazarus Group|FIN7 -T1074.002,Remote Data Staging,Collection,Leviathan|APT28|APT29|Chimera|Threat Group-3390|menuPass|FIN6|Night Dragon|FIN8 -T1074.001,Local Data Staging,Collection,Dragonfly|Indrik Spider|BackdoorDiplomacy|Mustang Panda|Sidewinder|Chimera|Kimsuky|APT39|Operation Wocao|GALLIUM|TEMP.Veles|Patchwork|Honeybee|Dragonfly 2.0|Leviathan|APT3|FIN5|menuPass|Lazarus Group|Threat Group-3390|APT28 -T1078.004,Cloud Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Ke3chang|APT29|APT28|APT33 -T1564.004,NTFS File Attributes,Defense Evasion,APT32 -T1564.003,Hidden Window,Defense Evasion,Gamaredon Group|Kimsuky|Nomadic Octopus|Higaisa|Gorgon Group|Deep Panda|DarkHydrus|CopyKittens|APT19|APT32|APT28|APT3|Magic Hound -T1078.003,Local Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT29|Kimsuky|HAFNIUM|Turla|Operation Wocao|PROMETHIUM|Tropic Trooper|FIN10|APT32 -T1078.002,Domain Accounts,Defense 
Evasion|Persistence|Privilege Escalation|Initial Access,Naikon|Indrik Spider|Chimera|Operation Wocao|Sandworm Team|Wizard Spider|APT29|TA505|APT3|Threat Group-1314 -T1078.001,Default Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,no -T1564.002,Hidden Users,Defense Evasion,Kimsuky|Dragonfly|Dragonfly 2.0 -T1574.006,Dynamic Linker Hijacking,Persistence|Privilege Escalation|Defense Evasion,APT41|Rocke -T1574.002,DLL Side-Loading,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group|Mustang Panda|Higaisa|BlackTech|Sidewinder|Chimera|BRONZE BUTLER|Naikon|APT41|GALLIUM|Tropic Trooper|APT19|Patchwork|APT32|APT3|menuPass|Threat Group-3390 -T1574.001,DLL Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,Aquatic Panda|BackdoorDiplomacy|Tonto Team|Evilnum|APT41|Whitefly|RTM|Threat Group-3390|menuPass -T1574.008,Path Interception by Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,no -T1574.007,Path Interception by PATH Environment Variable,Persistence|Privilege Escalation|Defense Evasion,no -T1574.009,Path Interception by Unquoted Path,Persistence|Privilege Escalation|Defense Evasion,no -T1574.011,Services Registry Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1574.005,Executable Installer File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1574.010,Services File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1574,Hijack Execution Flow,Persistence|Privilege Escalation|Defense Evasion,no -T1069.001,Local Groups,Discovery,Tonto Team|Chimera|Operation Wocao|Turla|OilRig|admin@338 -T1570,Lateral Tool Transfer,Lateral Movement,Sandworm Team|Chimera|GALLIUM|Operation Wocao|APT32|Wizard Spider|Turla|FIN10 -T1568.003,DNS Calculation,Command And Control,APT12 -T1204.002,Malicious File,Execution,LazyScripter|WIRTE|Confucius|Dragonfly|Threat Group-3390|Nomadic Octopus|Indrik Spider|APT38|Andariel|Ferocious 
Kitten|IndigoZebra|Transparent Tribe|Tonto Team|Magic Hound|Ajax Security Team|Mustang Panda|TA551|Higaisa|Sidewinder|Kimsuky|FIN6|PROMETHIUM|APT30|Windshift|APT33|Sandworm Team|Naikon|Whitefly|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Wizard Spider|Mofang|Frankenstein|RTM|Inception|BlackTech|APT-C-36|Machete|admin@338|APT12|TA505|Silence|The White Company|APT39|FIN4|Darkhotel|Gallmaker|Dragonfly 2.0|FIN7|BRONZE BUTLER|Gorgon Group|OilRig|Dark Caracal|Cobalt Group|DarkHydrus|Rancor|Patchwork|APT32|APT19|MuddyWater|Lazarus Group|menuPass|APT37|Leviathan|TA459|APT29|APT28|FIN8|PLATINUM|Elderwood -T1204.001,Malicious Link,Execution,LazyScripter|Kimsuky|Lazarus Group|Confucius|FIN7|Transparent Tribe|APT3|Magic Hound|APT28|APT29|Mustang Panda|Sidewinder|ZIRCONIUM|MuddyWater|Evilnum|Sandworm Team|Wizard Spider|Patchwork|Windshift|APT32|Molerats|Mofang|BlackTech|TA505|OilRig|Machete|Leviathan|FIN8|FIN4|Elderwood|Dragonfly 2.0|Cobalt Group|APT39|Night Dragon|Turla|APT33 -T1195.003,Compromise Hardware Supply Chain,Initial Access,no -T1195.002,Compromise Software Supply Chain,Initial Access,Gelsemium|Threat Group-3390|APT29|Cobalt Group|GOLD SOUTHFIELD|Dragonfly|Sandworm Team|APT41 -T1195.001,Compromise Software Dependencies and Development Tools,Initial Access,no -T1568.001,Fast Flux DNS,Command And Control,menuPass|TA505 -T1052.001,Exfiltration over USB,Exfiltration,Mustang Panda|Tropic Trooper -T1569.002,Service Execution,Execution,APT38|Chimera|Operation Wocao|Wizard Spider|Blue Mockingbird|APT39|APT41|Silence|FIN6|APT32|Honeybee|Ke3chang -T1569.001,Launchctl,Execution,no -T1569,System Services,Execution,no -T1568.002,Domain Generation Algorithms,Command And Control,TA551|APT41 -T1568,Dynamic Resolution,Command And Control,Gamaredon Group|Gelsemium|Transparent Tribe|APT29 -T1011.001,Exfiltration Over Bluetooth,Exfiltration,no -T1567.002,Exfiltration to Cloud Storage,Exfiltration,Kimsuky|Threat Group-3390|Confucius|Lazarus 
Group|FIN7|ZIRCONIUM|HAFNIUM|Chimera|Leviathan|Turla -T1567.001,Exfiltration to Code Repository,Exfiltration,no -T1059.006,Python,Execution,Dragonfly|Tonto Team|APT37|ZIRCONIUM|MuddyWater|Turla|Operation Wocao|Kimsuky|APT29|Rocke|BRONZE BUTLER|APT39|Dragonfly 2.0|Machete -T1059.005,Visual Basic,Execution,Confucius|Lazarus Group|LazyScripter|OilRig|APT38|Transparent Tribe|APT29|Mustang Panda|Windshift|Higaisa|Sidewinder|APT39|Machete|Operation Wocao|Kimsuky|APT33|Sandworm Team|Gamaredon Group|Sharpshooter|Molerats|Frankenstein|Inception|APT-C-36|Rancor|Patchwork|MuddyWater|Honeybee|FIN7|APT37|BRONZE BUTLER|APT32|Turla|TA505|Silence|WIRTE|FIN4|Cobalt Group|Gorgon Group|Leviathan|TA459|Magic Hound -T1059.004,Unix Shell,Execution,TeamTNT|Rocke|APT41 -T1059.003,Windows Command Shell,Execution,Kimsuky|Aquatic Panda|Dragonfly|LazyScripter|Sandworm Team|Nomadic Octopus|TeamTNT|APT29|Mustang Panda|ZIRCONIUM|TA551|Higaisa|Indrik Spider|Chimera|Fox Kitten|Machete|Operation Wocao|Wizard Spider|FIN6|TA505|Blue Mockingbird|Tropic Trooper|Frankenstein|OilRig|Lazarus Group|Honeybee|Cobalt Group|FIN7|APT41|GALLIUM|Turla|Silence|APT32|Darkhotel|MuddyWater|APT18|APT38|Gorgon Group|Dark Caracal|Ke3chang|Dragonfly 2.0|Rancor|FIN8|APT28|APT37|Magic Hound|BRONZE BUTLER|Sowbug|menuPass|FIN10|Threat Group-3390|Gamaredon Group|Patchwork|Suckfly|Threat Group-1314|APT3|admin@338|APT1 +T1594,Search Victim-Owned Websites,Reconnaissance,Sandworm Team|Kimsuky|EXOTIC LILY|Silent Librarian +T1195.002,Compromise Software Supply Chain,Initial Access,Dragonfly|FIN7|Sandworm Team|Cobalt Group|GOLD SOUTHFIELD|Threat Group-3390|APT41 +T1053,Scheduled Task/Job,Execution|Persistence|Privilege Escalation,Earth Lusca +T1588.005,Exploits,Resource Development,Kimsuky +T1069.001,Local Groups,Discovery,HEXANE|admin@338|Chimera|Turla|Tonto Team|Volt Typhoon|OilRig +T1612,Build Image on Host,Defense Evasion,no +T1556.005,Reversible Encryption,Credential Access|Defense Evasion|Persistence,no +T1591.003,Identify 
Business Tempo,Reconnaissance,no +T1586.001,Social Media Accounts,Resource Development,Leviathan +T1098.003,Additional Cloud Roles,Persistence|Privilege Escalation,LAPSUS$ +T1505.002,Transport Agent,Persistence,no T1059.002,AppleScript,Execution,no -T1059.001,PowerShell,Execution,Gamaredon Group|Lazarus Group|Aquatic Panda|Confucius|Dragonfly|LazyScripter|Nomadic Octopus|TeamTNT|APT38|Tonto Team|Mustang Panda|Indrik Spider|HAFNIUM|Sidewinder|Fox Kitten|GOLD SOUTHFIELD|Sandworm Team|Operation Wocao|Chimera|Blue Mockingbird|APT39|DarkVishnya|Molerats|Wizard Spider|Frankenstein|Inception|Silence|APT41|Kimsuky|GALLIUM|TA505|WIRTE|TEMP.Veles|APT33|Gallmaker|Turla|Thrip|Cobalt Group|APT28|DarkHydrus|Dragonfly 2.0|APT19|Gorgon Group|TA459|Leviathan|MuddyWater|FIN8|CopyKittens|OilRig|Magic Hound|BRONZE BUTLER|FIN7|APT32|menuPass|FIN10|Threat Group-3390|Patchwork|Stealth Falcon|FIN6|Poseidon Group|APT3|APT29|Deep Panda -T1567,Exfiltration Over Web Service,Exfiltration,APT28 -T1497.003,Time Based Evasion,Defense Evasion|Discovery,no -T1497.002,User Activity Based Checks,Defense Evasion|Discovery,Darkhotel|FIN7 -T1497.001,System Checks,Defense Evasion|Discovery,Lazarus Group|OilRig|Darkhotel|Evilnum|Frankenstein -T1498.002,Reflection Amplification,Impact,no -T1498.001,Direct Network Flood,Impact,no -T1566.003,Spearphishing via Service,Initial Access,Lazarus Group|APT29|Ajax Security Team|Magic Hound|Windshift|FIN6|OilRig|Dark Caracal -T1566.002,Spearphishing Link,Initial Access,Lazarus Group|Confucius|LazyScripter|Transparent Tribe|FIN7|APT3|Mustang Panda|ZIRCONIUM|MuddyWater|Sidewinder|Evilnum|Sandworm Team|Wizard Spider|APT1|Windshift|Molerats|Mofang|BlackTech|Machete|Kimsuky|TA505|APT39|FIN4|APT32|Night Dragon|APT28|Cobalt Group|Turla|Dragonfly 2.0|OilRig|Elderwood|APT33|APT29|Leviathan|FIN8|Patchwork|Magic Hound -T1566.001,Spearphishing Attachment,Initial Access,WIRTE|Confucius|Dragonfly|LazyScripter|Threat Group-3390|APT38|Andariel|Ferocious 
Kitten|IndigoZebra|Transparent Tribe|Nomadic Octopus|Tonto Team|Ajax Security Team|Mustang Panda|TA551|Higaisa|Sidewinder|APT1|FIN6|APT30|Windshift|APT33|Sandworm Team|Naikon|Gamaredon Group|Sharpshooter|Molerats|Mofang|Wizard Spider|RTM|Frankenstein|Inception|BlackTech|APT-C-36|APT41|Machete|admin@338|Kimsuky|APT12|TA505|Silence|The White Company|APT39|FIN4|Darkhotel|Gallmaker|Tropic Trooper|DarkHydrus|Lazarus Group|Gorgon Group|OilRig|BRONZE BUTLER|APT19|APT32|Cobalt Group|Rancor|FIN7|Dragonfly 2.0|MuddyWater|APT28|TA459|APT29|APT37|Leviathan|FIN8|Patchwork|menuPass|Elderwood|PLATINUM -T1566,Phishing,Initial Access,Axiom|GOLD SOUTHFIELD|Dragonfly -T1565.003,Runtime Data Manipulation,Impact,APT38 -T1565.002,Transmitted Data Manipulation,Impact,APT38 -T1565.001,Stored Data Manipulation,Impact,APT38 -T1565,Data Manipulation,Impact,no -T1564.001,Hidden Files and Directories,Defense Evasion,Transparent Tribe|Mustang Panda|Rocke|APT32|Tropic Trooper|APT28|Lazarus Group -T1564,Hide Artifacts,Defense Evasion,no +T1078.001,Default Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Magic Hound|FIN13 +T1562.004,Disable or Modify System Firewall,Defense Evasion,Rocke|Kimsuky|Magic Hound|TeamTNT|Carbanak|Dragonfly|Lazarus Group|APT38|Moses Staff T1563.002,RDP Hijacking,Lateral Movement,Axiom -T1563.001,SSH Hijacking,Lateral Movement,no -T1563,Remote Service Session Hijacking,Lateral Movement,no -T1518.001,Security Software Discovery,Discovery,Kimsuky|Aquatic Panda|TeamTNT|APT38|Windshift|Sidewinder|Operation Wocao|Wizard Spider|Turla|Rocke|Frankenstein|The White Company|Cobalt Group|Darkhotel|MuddyWater|Tropic Trooper|FIN8|Patchwork|Naikon -T1069.003,Cloud Groups,Discovery,no -T1069.002,Domain Groups,Discovery,APT29|Dragonfly|Turla|Inception|OilRig|Dragonfly 2.0|Ke3chang -T1087.004,Cloud Account,Discovery,APT29 -T1087.003,Email Account,Discovery,Sandworm Team|TA505 -T1087.002,Domain Account,Discovery,APT29|Lazarus Group|Dragonfly|MuddyWater|Fox 
Kitten|Operation Wocao|Wizard Spider|Chimera|Turla|Sandworm Team|Dragonfly 2.0|OilRig|BRONZE BUTLER|menuPass|FIN6|Poseidon Group|Ke3chang -T1087.001,Local Account,Discovery,Chimera|Fox Kitten|Turla|Poseidon Group|OilRig|Ke3chang|APT32|APT1|Threat Group-3390|APT3|admin@338 -T1553.004,Install Root Certificate,Defense Evasion,no -T1562.004,Disable or Modify System Firewall,Defense Evasion,Dragonfly|TeamTNT|APT38|APT29|Operation Wocao|Rocke|Lazarus Group|Kimsuky|Dragonfly 2.0|Carbanak -T1562.003,Impair Command History Logging,Defense Evasion,APT38 -T1562.002,Disable Windows Event Logging,Defense Evasion,Sandworm Team|APT29|Threat Group-3390 -T1562.001,Disable or Modify Tools,Defense Evasion,Aquatic Panda|TeamTNT|Indrik Spider|APT29|MuddyWater|Wizard Spider|FIN6|Gamaredon Group|BRONZE BUTLER|Rocke|Kimsuky|Turla|Night Dragon|Gorgon Group|Lazarus Group|Putter Panda -T1562,Impair Defenses,Defense Evasion,no -T1003.004,LSA Secrets,Credential Access,Dragonfly|OilRig|MuddyWater|menuPass|Leafminer|Ke3chang|Dragonfly 2.0|APT33|Threat Group-3390 -T1003.005,Cached Domain Credentials,Credential Access,OilRig|MuddyWater|Leafminer|APT33 -T1561.002,Disk Structure Wipe,Impact,Sandworm Team|Lazarus Group|APT38|APT37 -T1561.001,Disk Content Wipe,Impact,Lazarus Group -T1561,Disk Wipe,Impact,no -T1560.003,Archive via Custom Method,Collection,Mustang Panda|Lazarus Group|Kimsuky|CopyKittens|FIN6 -T1560.002,Archive via Library,Collection,Lazarus Group|Threat Group-3390 -T1560.001,Archive via Utility,Collection,Kimsuky|Aquatic Panda|APT28|APT29|Mustang Panda|HAFNIUM|Fox Kitten|Operation Wocao|Chimera|APT41|GALLIUM|Turla|Gallmaker|APT33|APT39|MuddyWater|Magic Hound|FIN8|BRONZE BUTLER|CopyKittens|Sowbug|APT3|menuPass|APT1|Ke3chang -T1560,Archive Collected Data,Collection,Axiom|Dragonfly|Leviathan|menuPass|APT32|Honeybee|Patchwork|APT28|Dragonfly 2.0|FIN6|Lazarus Group|Ke3chang -T1499.004,Application or System Exploitation,Impact,no -T1499.003,Application Exhaustion Flood,Impact,no 
-T1499.002,Service Exhaustion Flood,Impact,no -T1499.001,OS Exhaustion Flood,Impact,no -T1491.002,External Defacement,Impact,Sandworm Team -T1491.001,Internal Defacement,Impact,Gamaredon Group|Lazarus Group -T1114.003,Email Forwarding Rule,Collection,Silent Librarian|Kimsuky -T1114.002,Remote Email Collection,Collection,Kimsuky|Dragonfly|APT29|HAFNIUM|Chimera|APT1|FIN4|Ke3chang|Leafminer|Dragonfly 2.0|APT28 -T1114.001,Local Email Collection,Collection,Chimera|Magic Hound|APT1 -T1134.005,SID-History Injection,Defense Evasion|Privilege Escalation,no +T1558.003,Kerberoasting,Credential Access,FIN7|Wizard Spider +T1059.001,PowerShell,Execution,Gorgon Group|APT33|TA505|Volt Typhoon|Chimera|LazyScripter|BRONZE BUTLER|APT19|Lazarus Group|Threat Group-3390|Confucius|TeamTNT|HEXANE|OilRig|Silence|FIN6|GALLIUM|Cobalt Group|Leviathan|HAFNIUM|APT41|Patchwork|APT29|Aquatic Panda|FIN13|Poseidon Group|Sandworm Team|GOLD SOUTHFIELD|APT32|CopyKittens|Tonto Team|APT39|MoustachedBouncer|MuddyWater|FIN8|Sidewinder|menuPass|Kimsuky|Dragonfly|Indrik Spider|Magic Hound|WIRTE|Thrip|TA459|DarkHydrus|Ember Bear|DarkVishnya|Mustang Panda|Fox Kitten|Deep Panda|Gamaredon Group|TA2541|Earth Lusca|Gallmaker|APT3|Nomadic Octopus|Molerats|Blue Mockingbird|Wizard Spider|Turla|APT28|FIN10|Stealth Falcon|Inception|FIN7|APT38|TEMP.Veles +T1195.001,Compromise Software Dependencies and Development Tools,Initial Access,no +T1497.001,System Checks,Defense Evasion|Discovery,Evilnum|OilRig|Volt Typhoon|Darkhotel +T1005,Data from Local System,Collection,FIN13|Threat Group-3390|LAPSUS$|Sandworm Team|Dragonfly|LuminousMoth|menuPass|APT3|Axiom|APT38|APT39|BRONZE BUTLER|Gamaredon Group|Wizard Spider|Windigo|GALLIUM|APT41|CURIUM|Kimsuky|Volt Typhoon|FIN6|APT1|Ke3chang|Patchwork|Stealth Falcon|Inception|APT28|FIN7|Dark Caracal|APT37|APT29|Fox Kitten|HAFNIUM|Lazarus Group|Turla|Magic Hound|Andariel +T1552.002,Credentials in Registry,Credential Access,APT32 +T1218.005,Mshta,Defense 
Evasion,APT32|Confucius|APT29|Gamaredon Group|Inception|Lazarus Group|TA2541|TA551|Sidewinder|Mustang Panda|FIN7|Kimsuky|MuddyWater|Earth Lusca|LazyScripter|SideCopy +T1547.014,Active Setup,Persistence|Privilege Escalation,no +T1486,Data Encrypted for Impact,Impact,Indrik Spider|TA505|APT41|Magic Hound|Sandworm Team|APT38|FIN7|FIN8 +T1003.008,/etc/passwd and /etc/shadow,Credential Access,no +T1078,Valid Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Silent Librarian|FIN6|APT39|Silence|Fox Kitten|GALLIUM|APT41|APT18|FIN10|POLONIUM|menuPass|Axiom|TEMP.Veles|FIN8|Wizard Spider|Leviathan|Sandworm Team|Dragonfly|OilRig|PittyTiger|Chimera|FIN4|LAPSUS$|Suckfly|Carbanak|Lazarus Group|Ke3chang|Threat Group-3390|APT28|APT29|FIN7|FIN5|APT33 +T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Credential Access|Collection,Wizard Spider|Lazarus Group +T1606.002,SAML Tokens,Credential Access,no +T1498.001,Direct Network Flood,Impact,no +T1210,Exploitation of Remote Services,Lateral Movement,Threat Group-3390|APT28|menuPass|Earth Lusca|FIN7|Tonto Team|MuddyWater|Dragonfly|Wizard Spider|Fox Kitten +T1074.002,Remote Data Staging,Collection,MoustachedBouncer|menuPass|Leviathan|FIN8|APT28|Chimera|Threat Group-3390|FIN6 +T1202,Indirect Command Execution,Defense Evasion,Lazarus Group +T1495,Firmware Corruption,Impact,no +T1555.004,Windows Credential Manager,Credential Access,Turla|Stealth Falcon|Wizard Spider|OilRig +T1561.002,Disk Structure Wipe,Impact,Lazarus Group|APT37|Sandworm Team|APT38 +T1102.003,One-Way Communication,Command And Control,Leviathan +T1574.009,Path Interception by Unquoted Path,Persistence|Privilege Escalation|Defense Evasion,no +T1190,Exploit Public-Facing Application,Initial Access,GOLD SOUTHFIELD|Volatile Cedar|BackdoorDiplomacy|Dragonfly|APT41|Rocke|Axiom|Magic Hound|MuddyWater|Kimsuky|Volt Typhoon|FIN13|GALLIUM|APT28|menuPass|HAFNIUM|Ke3chang|Moses Staff|Blue Mockingbird|Earth Lusca|Threat Group-3390|Fox Kitten|APT39|APT29|BlackTech 
+T1648,Serverless Execution,Execution,no +T1595.002,Vulnerability Scanning,Reconnaissance,Magic Hound|Aquatic Panda|Volatile Cedar|TeamTNT|Earth Lusca|Sandworm Team|Dragonfly|APT28|APT29 +T1095,Non-Application Layer Protocol,Command And Control,Metador|PLATINUM|BackdoorDiplomacy|APT3|BITTER|FIN6|HAFNIUM +T1087.001,Local Account,Discovery,Moses Staff|APT3|APT1|OilRig|Fox Kitten|APT32|Chimera|Threat Group-3390|Turla|Poseidon Group|Ke3chang|admin@338 +T1218.008,Odbcconf,Defense Evasion,Cobalt Group +T1547.005,Security Support Provider,Persistence|Privilege Escalation,no +T1598.003,Spearphishing Link,Reconnaissance,Sandworm Team|Mustang Panda|Sidewinder|Dragonfly|Patchwork|APT32|ZIRCONIUM|Silent Librarian|Kimsuky|Magic Hound|APT28 +T1040,Network Sniffing,Credential Access|Discovery,DarkVishnya|Kimsuky|Sandworm Team|APT28|APT33 +T1087.003,Email Account,Discovery,Magic Hound|TA505|Sandworm Team +T1071,Application Layer Protocol,Command And Control,Rocke|Magic Hound|TeamTNT +T1129,Shared Modules,Execution,no +T1204.002,Malicious File,Execution,FIN6|Darkhotel|TA551|Indrik Spider|Transparent Tribe|Naikon|Inception|Mofang|Higaisa|Wizard Spider|SideCopy|Leviathan|APT29|Tonto Team|APT38|PLATINUM|Tropic Trooper|Cobalt Group|APT33|BRONZE BUTLER|APT30|Sandworm Team|Windshift|Ember Bear|Ferocious Kitten|APT32|APT37|OilRig|FIN4|APT-C-36|Threat Group-3390|CURIUM|Whitefly|BlackTech|Earth Lusca|Andariel|APT39|Aoqin Dragon|The White Company|WIRTE|RTM|HEXANE|Gallmaker|Kimsuky|Gorgon Group|APT28|PROMETHIUM|Mustang Panda|Elderwood|Gamaredon Group|admin@338|LazyScripter|Sidewinder|Patchwork|Silence|BITTER|TA2541|DarkHydrus|Machete|Dark Caracal|Rancor|FIN7|FIN8|MuddyWater|IndigoZebra|TA459|menuPass|Nomadic Octopus|APT19|Magic Hound|Molerats|Confucius|Dragonfly|TA505|APT12|EXOTIC LILY|Lazarus Group|Ajax Security Team +T1070.009,Clear Persistence,Defense Evasion,no +T1021.004,SSH,Lateral Movement,BlackTech|Fox Kitten|TEMP.Veles|OilRig|Rocke|Lazarus 
Group|FIN7|GCMAN|FIN13|Leviathan|menuPass|TeamTNT|APT39 +T1583.002,DNS Server,Resource Development,Axiom|HEXANE +T1090.003,Multi-hop Proxy,Command And Control,Inception|Leviathan|APT29|FIN4|APT28 T1134.004,Parent PID Spoofing,Defense Evasion|Privilege Escalation,no -T1134.003,Make and Impersonate Token,Defense Evasion|Privilege Escalation,no -T1134.002,Create Process with Token,Defense Evasion|Privilege Escalation,Turla|Lazarus Group -T1134.001,Token Impersonation/Theft,Defense Evasion|Privilege Escalation,FIN8|APT28 -T1213.002,Sharepoint,Collection,Chimera|Ke3chang|APT28 -T1213.001,Confluence,Collection,no -T1555.003,Credentials from Web Browsers,Credential Access,APT29|Ajax Security Team|ZIRCONIUM|FIN6|Sandworm Team|Inception|Stealth Falcon|OilRig|Leafminer|APT33|APT3|Kimsuky|TA505|MuddyWater|APT37|Patchwork|Molerats -T1555.002,Securityd Memory,Credential Access,no -T1555.001,Keychain,Credential Access,no -T1559.002,Dynamic Data Exchange,Execution,Leviathan|Sidewinder|Sharpshooter|TA505|MuddyWater|Gallmaker|Patchwork|Cobalt Group|APT37|FIN7|APT28 -T1559.001,Component Object Model,Execution,Gamaredon Group|MuddyWater -T1559,Inter-Process Communication,Execution,no -T1558.002,Silver Ticket,Credential Access,no -T1558.001,Golden Ticket,Credential Access,Ke3chang -T1558,Steal or Forge Kerberos Tickets,Credential Access,no -T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Credential Access|Collection,Lazarus Group|Wizard Spider +T1221,Template Injection,Defense Evasion,Gamaredon Group|Dragonfly|Tropic Trooper|APT28|DarkHydrus|Inception|Confucius +T1584.005,Botnet,Resource Development,Axiom|Volt Typhoon|Sandworm Team T1557,Adversary-in-the-Middle,Credential Access|Collection,Kimsuky -T1556.002,Password Filter DLL,Credential Access|Defense Evasion|Persistence,Strider -T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion|Persistence,Chimera -T1556,Modify Authentication Process,Credential Access|Defense Evasion|Persistence,no -T1056.004,Credential 
API Hooking,Collection|Credential Access,PLATINUM -T1056.003,Web Portal Capture,Collection|Credential Access,no -T1056.002,GUI Input Capture,Collection|Credential Access,FIN4 -T1056.001,Keylogging,Collection|Credential Access,Tonto Team|Ajax Security Team|Operation Wocao|APT32|Sandworm Team|APT39|APT41|Kimsuky|menuPass|FIN4|APT38|OilRig|Ke3chang|PLATINUM|Sowbug|Magic Hound|Group5|Lazarus Group|Threat Group-3390|APT3|Darkhotel|APT28 -T1555,Credentials from Password Stores,Credential Access,APT29|Evilnum|FIN6|APT39|OilRig|MuddyWater|Leafminer|APT33|Stealth Falcon -T1552.005,Cloud Instance Metadata API,Credential Access,TeamTNT -T1003.008,/etc/passwd and /etc/shadow,Credential Access,no +T1602.001,SNMP (MIB Dump),Collection,no +T1553.006,Code Signing Policy Modification,Defense Evasion,Turla|APT39 +T1055.015,ListPlanting,Defense Evasion|Privilege Escalation,no T1003.007,Proc Filesystem,Credential Access,no -T1003.006,DCSync,Credential Access,APT29|Operation Wocao -T1558.003,Kerberoasting,Credential Access,FIN7|APT29|Operation Wocao|Wizard Spider -T1552.006,Group Policy Preferences,Credential Access,APT33 -T1003.003,NTDS,Credential Access,Ke3chang|Dragonfly|APT28|Mustang Panda|HAFNIUM|Fox Kitten|menuPass|Wizard Spider|Chimera|FIN6|Dragonfly 2.0 -T1003.002,Security Account Manager,Credential Access,Dragonfly|Wizard Spider|Threat Group-3390|Ke3chang|GALLIUM|Night Dragon|Dragonfly 2.0|menuPass -T1003.001,LSASS Memory,Credential Access,Aquatic Panda|Indrik Spider|HAFNIUM|Fox Kitten|Operation Wocao|Kimsuky|Sandworm Team|Whitefly|Blue Mockingbird|Silence|Threat Group-3390|Leviathan|APT41|GALLIUM|TEMP.Veles|APT33|APT39|APT32|Leafminer|Magic Hound|FIN8|PLATINUM|MuddyWater|OilRig|BRONZE BUTLER|FIN6|APT3|APT28|APT1|Ke3chang|Cleaver -T1110.004,Credential Stuffing,Credential Access,Chimera -T1110.003,Password Spraying,Credential Access,Sandworm Team|APT29|Silent Librarian|Chimera|APT28|APT33|Leafminer|Lazarus Group -T1110.002,Password Cracking,Credential 
Access,Dragonfly|FIN6|APT41|Dragonfly 2.0|APT3 -T1110.001,Password Guessing,Credential Access,APT28 -T1021.006,Windows Remote Management,Lateral Movement,APT29|Chimera|Wizard Spider|Threat Group-3390 -T1021.005,VNC,Lateral Movement,Gamaredon Group|FIN7|Fox Kitten|GCMAN -T1021.004,SSH,Lateral Movement,BlackTech|Lazarus Group|TeamTNT|FIN7|Fox Kitten|Rocke|TEMP.Veles|Leviathan|APT39|OilRig|menuPass|GCMAN -T1021.003,Distributed Component Object Model,Lateral Movement,no -T1021.002,SMB/Windows Admin Shares,Lateral Movement,APT29|Sandworm Team|APT28|Fox Kitten|APT41|Operation Wocao|Wizard Spider|Chimera|Blue Mockingbird|APT39|APT32|Orangeworm|FIN8|APT3|Lazarus Group|Threat Group-1314|Turla|Deep Panda|Ke3chang -T1021.001,Remote Desktop Protocol,Lateral Movement,APT29|Dragonfly|Kimsuky|FIN7|Fox Kitten|Chimera|Blue Mockingbird|Wizard Spider|Silence|APT41|TEMP.Veles|Leviathan|APT39|Cobalt Group|Dragonfly 2.0|FIN8|APT3|OilRig|FIN10|menuPass|Patchwork|FIN6|Lazarus Group|APT1|Axiom -T1554,Compromise Client Software Binary,Persistence,no -T1036.006,Space after Filename,Defense Evasion,no -T1036.005,Match Legitimate Name or Location,Defense Evasion,Ke3chang|Kimsuky|Gamaredon Group|WIRTE|APT28|Ferocious Kitten|FIN7|BackdoorDiplomacy|Transparent Tribe|Naikon|APT29|Mustang Panda|Sidewinder|Darkhotel|Lazarus Group|Indrik Spider|Fox Kitten|Machete|Chimera|PROMETHIUM|Rocke|Sandworm Team|APT39|Blue Mockingbird|Whitefly|Tropic Trooper|Silence|APT41|menuPass|TEMP.Veles|MuddyWater|Sowbug|BRONZE BUTLER|APT32|Patchwork|Poseidon Group|admin@338|Carbanak|APT1 -T1036.004,Masquerade Task or Service,Defense Evasion,Lazarus Group|BackdoorDiplomacy|APT41|Naikon|ZIRCONIUM|APT29|Higaisa|Fox Kitten|Kimsuky|PROMETHIUM|Wizard Spider|APT-C-36|Carbanak|APT32|FIN6|FIN7 -T1036.003,Rename System Utilities,Defense Evasion,Lazarus Group|menuPass|APT32|GALLIUM -T1036.002,Right-to-Left Override,Defense Evasion,Ferocious Kitten|BRONZE BUTLER|BlackTech|Ke3chang|Scarlet Mimic -T1036.001,Invalid Code 
Signature,Defense Evasion,Windshift|APT37 -T1553.003,SIP and Trust Provider Hijacking,Defense Evasion,no -T1553.002,Code Signing,Defense Evasion,Lazarus Group|menuPass|APT29|GALLIUM|Wizard Spider|Kimsuky|PROMETHIUM|Patchwork|Silence|APT41|FIN6|TA505|FIN7|Honeybee|Leviathan|CopyKittens|Winnti Group|Suckfly|Molerats|Darkhotel -T1553.001,Gatekeeper Bypass,Defense Evasion,no -T1553,Subvert Trust Controls,Defense Evasion,Axiom -T1027.003,Steganography,Defense Evasion,Andariel|Leviathan|TA551|BRONZE BUTLER|Tropic Trooper|MuddyWater|APT37 -T1027.002,Software Packing,Defense Evasion,Threat Group-3390|Lazarus Group|Sandworm Team|Kimsuky|TeamTNT|ZIRCONIUM|TA505|Rocke|GALLIUM|The White Company|APT39|APT38|Dark Caracal|Elderwood|APT3|Patchwork|APT29|Night Dragon -T1027.001,Binary Padding,Defense Evasion,APT29|Mustang Panda|Higaisa|Gamaredon Group|Patchwork|APT32|Leviathan|BRONZE BUTLER|Moafee -T1222.002,Linux and Mac File and Directory Permissions Modification,Defense Evasion,TeamTNT|Rocke|APT32 -T1222.001,Windows File and Directory Permissions Modification,Defense Evasion,Wizard Spider -T1552.004,Private Keys,Credential Access,TeamTNT|APT29|Operation Wocao|Rocke -T1552.003,Bash History,Credential Access,no -T1552.002,Credentials in Registry,Credential Access,APT32 -T1552.001,Credentials In Files,Credential Access,TeamTNT|Kimsuky|Fox Kitten|Leafminer|APT33|OilRig|TA505|MuddyWater|APT3 -T1552,Unsecured Credentials,Credential Access,no +T1584.001,Domains,Resource Development,APT1|Kimsuky|SideCopy|Magic Hound|Transparent Tribe +T1070.001,Clear Windows Event Logs,Defense Evasion,FIN8|APT28|Indrik Spider|Dragonfly|FIN5|Chimera|APT41|APT38|APT32 +T1205.002,Socket Filters,Defense Evasion|Persistence|Command And Control,no +T1555.003,Credentials from Web Browsers,Credential Access,OilRig|APT37|Inception|TA505|Patchwork|FIN6|APT33|LAPSUS$|Molerats|APT3|ZIRCONIUM|MuddyWater|HEXANE|Sandworm Team|Ajax Security Team|Leafminer|Stealth Falcon|Kimsuky +T1132.002,Non-Standard Encoding,Command 
And Control,no +T1070.008,Clear Mailbox Data,Defense Evasion,no +T1583,Acquire Infrastructure,Resource Development,no +T1113,Screen Capture,Collection,Dragonfly|Gamaredon Group|FIN7|Magic Hound|MoustachedBouncer|BRONZE BUTLER|Dark Caracal|Silence|APT39|MuddyWater|OilRig|Group5|APT28|GOLD SOUTHFIELD +T1082,System Information Discovery,Discovery,APT3|Sidewinder|APT32|Inception|Windigo|Confucius|Chimera|APT18|Turla|Ke3chang|Higaisa|ZIRCONIUM|APT19|TA2541|Patchwork|Lazarus Group|Mustang Panda|admin@338|SideCopy|Kimsuky|OilRig|Blue Mockingbird|Darkhotel|FIN13|Rocke|Stealth Falcon|MuddyWater|APT37|Magic Hound|APT38|Volt Typhoon|TeamTNT|Aquatic Panda|Tropic Trooper|Sowbug|FIN8|Windshift|Wizard Spider|Moses Staff|HEXANE|Sandworm Team|Gamaredon Group +T1546.008,Accessibility Features,Privilege Escalation|Persistence,APT29|Fox Kitten|APT41|Deep Panda|Axiom|APT3 +T1499,Endpoint Denial of Service,Impact,Sandworm Team +T1561,Disk Wipe,Impact,no +T1590.005,IP Addresses,Reconnaissance,Andariel|HAFNIUM|Magic Hound +T1614,System Location Discovery,Discovery,SideCopy +T1497.003,Time Based Evasion,Defense Evasion|Discovery,no +T1496,Resource Hijacking,Impact,Rocke|TeamTNT|Blue Mockingbird|APT41 T1216.001,PubPrn,Defense Evasion,APT32 -T1070.006,Timestomp,Defense Evasion,APT38|APT29|Chimera|Kimsuky|Rocke|TEMP.Veles|APT32|Lazarus Group|APT28 -T1070.005,Network Share Connection Removal,Defense Evasion,Threat Group-3390 -T1070.004,File Deletion,Defense Evasion,Aquatic Panda|Dragonfly|TeamTNT|APT39|Mustang Panda|Chimera|Evilnum|Operation Wocao|FIN6|Sandworm Team|Rocke|Tropic Trooper|Gamaredon Group|Wizard Spider|APT41|Kimsuky|Silence|The White Company|TEMP.Veles|APT32|APT38|Cobalt Group|Dragonfly 2.0|Honeybee|Patchwork|menuPass|FIN8|OilRig|FIN5|BRONZE BUTLER|APT3|Magic Hound|Threat Group-3390|APT28|FIN10|Group5|Lazarus Group|APT18|APT29 -T1070.003,Clear Command History,Defense Evasion,Lazarus Group|TeamTNT|menuPass|APT41 -T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,APT29 
-T1550.001,Application Access Token,Defense Evasion|Lateral Movement,APT29|APT28 -T1550.003,Pass the Ticket,Defense Evasion|Lateral Movement,APT32|BRONZE BUTLER|APT29 -T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,Chimera|Kimsuky|GALLIUM|APT32|Night Dragon|APT28|APT1 -T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,APT29 +T1588.002,Tool,Resource Development,Ember Bear|Whitefly|CopyKittens|Metador|Aquatic Panda|BlackTech|APT28|LuminousMoth|APT38|Threat Group-3390|Lazarus Group|Dragonfly|BackdoorDiplomacy|Sandworm Team|APT41|POLONIUM|Blue Mockingbird|BITTER|DarkVishnya|Leafminer|FIN13|GALLIUM|FIN7|Ferocious Kitten|Silent Librarian|Ke3chang|APT-C-36|Cobalt Group|MuddyWater|TA2541|APT32|Earth Lusca|FIN6|Cleaver|Volt Typhoon|Silence|Kimsuky|Thrip|FIN8|PittyTiger|APT1|TA505|APT19|Turla|LAPSUS$|Wizard Spider|IndigoZebra|TEMP.Veles|Patchwork|WIRTE|FIN5|Moses Staff|BRONZE BUTLER|Gorgon Group|Carbanak|menuPass|HEXANE|Chimera|Inception|APT39|APT33|Aoqin Dragon|Magic Hound|FIN10|DarkHydrus|APT29 +T1591.001,Determine Physical Locations,Reconnaissance,Magic Hound +T1011,Exfiltration Over Other Network Medium,Exfiltration,no +T1613,Container and Resource Discovery,Discovery,TeamTNT T1548.004,Elevated Execution with Prompt,Privilege Escalation|Defense Evasion,no +T1127,Trusted Developer Utilities Proxy Execution,Defense Evasion,no +T1562.006,Indicator Blocking,Defense Evasion,no +T1124,System Time Discovery,Discovery,Sidewinder|Lazarus Group|Darkhotel|BRONZE BUTLER|Turla|The White Company|Chimera|ZIRCONIUM|Higaisa +T1055.004,Asynchronous Procedure Call,Defense Evasion|Privilege Escalation,FIN8 +T1651,Cloud Administration Command,Execution,APT29 +T1098.002,Additional Email Delegate Permissions,Persistence|Privilege Escalation,APT28|APT29|Magic Hound +T1591.002,Business Relationships,Reconnaissance,LAPSUS$|Dragonfly|Sandworm Team +T1505.003,Web Shell,Persistence,Tonto Team|Sandworm Team|APT29|Volatile Cedar|GALLIUM|Tropic 
Trooper|Leviathan|Threat Group-3390|Volt Typhoon|Deep Panda|BackdoorDiplomacy|APT38|APT39|TEMP.Veles|APT32|Magic Hound|OilRig|Dragonfly|APT28|Moses Staff|Kimsuky|HAFNIUM|Fox Kitten|FIN13 +T1574.007,Path Interception by PATH Environment Variable,Persistence|Privilege Escalation|Defense Evasion,no +T1137.002,Office Test,Persistence,APT28 +T1491.002,External Defacement,Impact,Sandworm Team +T1555.006,Cloud Secrets Management Stores,Credential Access,no T1548.003,Sudo and Sudo Caching,Privilege Escalation|Defense Evasion,no -T1548.002,Bypass User Account Control,Privilege Escalation|Defense Evasion,Evilnum|APT37|MuddyWater|Threat Group-3390|Honeybee|Cobalt Group|BRONZE BUTLER|Patchwork|APT29 +T1071.004,DNS,Command And Control,Chimera|FIN7|APT39|LazyScripter|Tropic Trooper|APT41|APT18|Cobalt Group|Ke3chang|OilRig +T1021.003,Distributed Component Object Model,Lateral Movement,no +T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,APT28 +T1071.001,Web Protocols,Command And Control,Inception|Rancor|Lazarus Group|Threat Group-3390|FIN13|BRONZE BUTLER|TA505|Windshift|Dark Caracal|Gamaredon Group|Magic Hound|APT33|Chimera|Tropic Trooper|APT37|TA551|FIN8|Orangeworm|OilRig|FIN4|APT39|Wizard Spider|APT41|APT19|Sidewinder|Cobalt Group|Mustang Panda|TeamTNT|APT18|LuminousMoth|Ke3chang|WIRTE|SilverTerrier|Higaisa|Confucius|Metador|Stealth Falcon|Kimsuky|Sandworm Team|APT28|APT32|APT38|Rocke|BITTER|HAFNIUM|Turla|MuddyWater +T1587.002,Code Signing Certificates,Resource Development,PROMETHIUM|Patchwork T1548.001,Setuid and Setgid,Privilege Escalation|Defense Evasion,no -T1548,Abuse Elevation Control Mechanism,Privilege Escalation|Defense Evasion,no -T1136.003,Cloud Account,Persistence,APT29 -T1070.002,Clear Linux or Mac System Logs,Defense Evasion,TeamTNT|Rocke -T1070.001,Clear Windows Event Logs,Defense Evasion,Dragonfly|Indrik Spider|Chimera|Operation Wocao|APT41|APT38|Dragonfly 2.0|APT32|FIN8|FIN5|APT28 -T1136.002,Domain Account,Persistence,Sandworm 
Team|HAFNIUM|GALLIUM -T1136.001,Local Account,Persistence,Kimsuky|Dragonfly|TeamTNT|Fox Kitten|APT39|APT41|Leafminer|Dragonfly 2.0|APT3 -T1547.011,Plist Modification,Persistence|Privilege Escalation,no -T1547.010,Port Monitors,Persistence|Privilege Escalation,no -T1547.009,Shortcut Modification,Persistence|Privilege Escalation,Dragonfly|APT39|Darkhotel|APT29|Gorgon Group|Dragonfly 2.0|Lazarus Group|Leviathan -T1547.008,LSASS Driver,Persistence|Privilege Escalation,no -T1547.007,Re-opened Applications,Persistence|Privilege Escalation,no -T1547.006,Kernel Modules and Extensions,Persistence|Privilege Escalation,no -T1547.005,Security Support Provider,Persistence|Privilege Escalation,no -T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Wizard Spider|Tropic Trooper|Turla -T1547.003,Time Providers,Persistence|Privilege Escalation,no -T1546.014,Emond,Privilege Escalation|Persistence,no -T1546.013,PowerShell Profile,Privilege Escalation|Persistence,Turla -T1546.012,Image File Execution Options Injection,Privilege Escalation|Persistence,TEMP.Veles -T1218.008,Odbcconf,Defense Evasion,Cobalt Group -T1546.011,Application Shimming,Privilege Escalation|Persistence,FIN7 -T1547.002,Authentication Package,Persistence|Privilege Escalation,no -T1546.010,AppInit DLLs,Privilege Escalation|Persistence,APT39 -T1546.009,AppCert DLLs,Privilege Escalation|Persistence,Honeybee -T1218.007,Msiexec,Defense Evasion,ZIRCONIUM|Molerats|Machete|TA505|Rancor -T1546.008,Accessibility Features,Privilege Escalation|Persistence,Fox Kitten|APT41|APT3|APT29|Deep Panda|Axiom -T1546.007,Netsh Helper DLL,Privilege Escalation|Persistence,no -T1546.006,LC_LOAD_DYLIB Addition,Privilege Escalation|Persistence,no +T1543,Create or Modify System Process,Persistence|Privilege Escalation,no +T1498.002,Reflection Amplification,Impact,no +T1547,Boot or Logon Autostart Execution,Persistence|Privilege Escalation,no +T1059,Command and Scripting Interpreter,Execution,Dragonfly|Fox 
Kitten|APT37|APT39|Ke3chang|Whitefly|FIN6|FIN5|APT19|OilRig|FIN7|APT32|Windigo|Stealth Falcon +T1574.013,KernelCallbackTable,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group +T1553.004,Install Root Certificate,Defense Evasion,no +T1653,Power Settings,Persistence,no +T1037.002,Login Hook,Persistence|Privilege Escalation,no +T1098,Account Manipulation,Persistence|Privilege Escalation,APT3|HAFNIUM|Kimsuky|Dragonfly|APT41|FIN13|Lazarus Group|Magic Hound +T1598.002,Spearphishing Attachment,Reconnaissance,Dragonfly|Sidewinder|SideCopy +T1220,XSL Script Processing,Defense Evasion,Cobalt Group|Higaisa +T1557.003,DHCP Spoofing,Credential Access|Collection,no +T1562.011,Spoof Security Alerting,Defense Evasion,no +T1003.005,Cached Domain Credentials,Credential Access,MuddyWater|OilRig|Leafminer|APT33 +T1041,Exfiltration Over C2 Channel,Exfiltration,Chimera|Lazarus Group|LuminousMoth|Confucius|Gamaredon Group|MuddyWater|Stealth Falcon|Sandworm Team|Ke3chang|APT32|Leviathan|Wizard Spider|APT39|Higaisa|APT3|ZIRCONIUM|GALLIUM|Kimsuky +T1055.002,Portable Executable Injection,Defense Evasion|Privilege Escalation,Gorgon Group|Rocke +T1027.006,HTML Smuggling,Defense Evasion,APT29 +T1656,Impersonation,Defense Evasion,LAPSUS$ +T1074.001,Local Data Staging,Collection,menuPass|Lazarus Group|APT39|Threat Group-3390|BackdoorDiplomacy|Sidewinder|FIN13|Volt Typhoon|FIN5|Wizard Spider|Mustang Panda|Kimsuky|Dragonfly|Patchwork|Leviathan|MuddyWater|GALLIUM|APT3|Chimera|TeamTNT|Indrik Spider|APT28|TEMP.Veles +T1608.002,Upload Tool,Resource Development,Threat Group-3390 +T1567.004,Exfiltration Over Webhook,Exfiltration,no +T1071.002,File Transfer Protocols,Command And Control,SilverTerrier|Dragonfly|Kimsuky|APT41 +T1111,Multi-Factor Authentication Interception,Credential Access,Chimera|LAPSUS$|Kimsuky T1546.005,Trap,Privilege Escalation|Persistence,no +T1593.002,Search Engines,Reconnaissance,Kimsuky +T1574.001,DLL Search Order Hijacking,Persistence|Privilege Escalation|Defense 
Evasion,menuPass|Whitefly|Evilnum|RTM|BackdoorDiplomacy|Threat Group-3390|Aquatic Panda|Tonto Team|APT41 +T1598.001,Spearphishing Service,Reconnaissance,no +T1055.011,Extra Window Memory Injection,Defense Evasion|Privilege Escalation,no +T1074,Data Staged,Collection,Wizard Spider|Volt Typhoon +T1542,Pre-OS Boot,Defense Evasion|Persistence,no +T1092,Communication Through Removable Media,Command And Control,APT28 +T1014,Rootkit,Defense Evasion,Rocke|Winnti Group|TeamTNT|APT41|APT28 +T1189,Drive-by Compromise,Initial Access,Leviathan|Windshift|Windigo|Lazarus Group|Threat Group-3390|Andariel|Earth Lusca|RTM|Axiom|Patchwork|APT32|BRONZE BUTLER|Dark Caracal|Leafminer|APT19|PROMETHIUM|APT28|APT38|Elderwood|Transparent Tribe|Dragonfly|Magic Hound|APT37|Turla|PLATINUM|Darkhotel|Machete +T1137.006,Add-ins,Persistence,Naikon +T1087.002,Domain Account,Discovery,Turla|FIN13|Volt Typhoon|MuddyWater|Chimera|Dragonfly|Wizard Spider|Poseidon Group|BRONZE BUTLER|OilRig|FIN6|Sandworm Team|LAPSUS$|Fox Kitten|Ke3chang|menuPass +T1134.003,Make and Impersonate Token,Defense Evasion|Privilege Escalation,FIN13 +T1222.002,Linux and Mac File and Directory Permissions Modification,Defense Evasion,APT32|Rocke|TeamTNT +T1562.002,Disable Windows Event Logging,Defense Evasion,Threat Group-3390|Magic Hound +T1548,Abuse Elevation Control Mechanism,Privilege Escalation|Defense Evasion,no +T1555,Credentials from Password Stores,Credential Access,Leafminer|APT33|MuddyWater|Evilnum|OilRig|Stealth Falcon|APT39|FIN6|Volt Typhoon|HEXANE +T1561.001,Disk Content Wipe,Impact,Lazarus Group +T1098.004,SSH Authorized Keys,Persistence|Privilege Escalation,TeamTNT|Earth Lusca +T1021.001,Remote Desktop Protocol,Lateral Movement,Wizard Spider|Magic Hound|FIN13|Axiom|APT41|Patchwork|APT1|Cobalt Group|HEXANE|Dragonfly|Leviathan|FIN7|APT3|Kimsuky|OilRig|Chimera|FIN8|FIN10|TEMP.Veles|Lazarus Group|Fox Kitten|Blue Mockingbird|FIN6|APT39|Silence|menuPass +T1213.003,Code Repositories,Collection,LAPSUS$ +T1205.001,Port 
Knocking,Defense Evasion|Persistence|Command And Control,PROMETHIUM +T1505.004,IIS Components,Persistence,no +T1569.002,Service Execution,Execution,APT32|Blue Mockingbird|APT38|Chimera|FIN6|APT41|Wizard Spider|APT39|Ke3chang|Silence +T1565.002,Transmitted Data Manipulation,Impact,APT38 +T1569,System Services,Execution,TeamTNT +T1499.004,Application or System Exploitation,Impact,no +T1037.005,Startup Items,Persistence|Privilege Escalation,no +T1553.003,SIP and Trust Provider Hijacking,Defense Evasion,no +T1595.001,Scanning IP Blocks,Reconnaissance,TeamTNT T1546.004,Unix Shell Configuration Modification,Privilege Escalation|Persistence,no -T1546.003,Windows Management Instrumentation Event Subscription,Privilege Escalation|Persistence,FIN8|Mustang Panda|APT33|Blue Mockingbird|Turla|Leviathan|APT29 -T1546.002,Screensaver,Privilege Escalation|Persistence,no -T1546.001,Change Default File Association,Privilege Escalation|Persistence,Kimsuky -T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,Confucius|Dragonfly|LazyScripter|TeamTNT|Naikon|Windshift|Mustang Panda|ZIRCONIUM|Higaisa|Sidewinder|APT28|Wizard Spider|PROMETHIUM|Rocke|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Silence|RTM|Inception|APT41|Kimsuky|APT33|APT39|APT32|APT18|Dark Caracal|Threat Group-3390|Honeybee|Turla|Cobalt Group|Ke3chang|Dragonfly 2.0|APT19|Gorgon Group|MuddyWater|APT37|Leviathan|BRONZE BUTLER|APT3|Magic Hound|FIN10|FIN7|Patchwork|FIN6|Lazarus Group|Putter Panda|APT29|Darkhotel -T1218.002,Control Panel,Defense Evasion,no -T1218.010,Regsvr32,Defense Evasion,Kimsuky|Lazarus Group|TA551|Blue Mockingbird|Inception|WIRTE|Cobalt Group|APT19|Leviathan|APT32|Deep Panda +T1053.003,Cron,Execution|Persistence|Privilege Escalation,APT38|Rocke +T1560,Archive Collected Data,Collection,Axiom|Dragonfly|APT28|APT32|menuPass|Ke3chang|FIN6|Patchwork|Leviathan|Lazarus Group|LuminousMoth +T1565,Data Manipulation,Impact,FIN13 +T1610,Deploy Container,Defense 
Evasion|Execution,TeamTNT +T1587.001,Malware,Resource Development,Ke3chang|TeamTNT|Indrik Spider|Moses Staff|APT29|Lazarus Group|Kimsuky|Aoqin Dragon|Cleaver|LuminousMoth|FIN13|FIN7|Sandworm Team|Turla +T1558.002,Silver Ticket,Credential Access,no T1218.009,Regsvcs/Regasm,Defense Evasion,no -T1218.005,Mshta,Defense Evasion,Gamaredon Group|Confucius|Lazarus Group|APT29|LazyScripter|Mustang Panda|TA551|Sidewinder|Inception|Kimsuky|APT32|MuddyWater|FIN7 -T1218.004,InstallUtil,Defense Evasion,Mustang Panda|menuPass -T1218.001,Compiled HTML File,Defense Evasion,APT38|APT41|Silence|Dark Caracal|OilRig|Lazarus Group -T1218.003,CMSTP,Defense Evasion,Cobalt Group|MuddyWater -T1218.011,Rundll32,Defense Evasion,Kimsuky|Lazarus Group|LazyScripter|APT38|HAFNIUM|TA551|APT41|Gamaredon Group|APT32|Sandworm Team|Blue Mockingbird|TA505|MuddyWater|APT29|APT19|CopyKittens|APT3|Carbanak|APT28 -T1547,Boot or Logon Autostart Execution,Persistence|Privilege Escalation,no -T1546,Event Triggered Execution,Privilege Escalation|Persistence,no -T1098.003,Add Office 365 Global Administrator Role,Persistence,APT29 -T1098.002,Exchange Email Delegate Permissions,Persistence,APT28|APT29|Magic Hound -T1098.001,Additional Cloud Credentials,Persistence,APT29 +T1001.002,Steganography,Command And Control,Axiom +T1078.002,Domain Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT3|TA505|Threat Group-1314|Sandworm Team|Naikon|Magic Hound|Wizard Spider|Indrik Spider|Volt Typhoon|Chimera +T1557.002,ARP Cache Poisoning,Credential Access|Collection,Cleaver|LuminousMoth +T1608.005,Link Target,Resource Development,LuminousMoth|Silent Librarian +T1584.002,DNS Server,Resource Development,LAPSUS$ +T1560.001,Archive via Utility,Collection,Fox Kitten|APT33|MuddyWater|Aquatic Panda|APT3|Kimsuky|Gallmaker|Ke3chang|menuPass|Sowbug|FIN13|FIN8|Volt Typhoon|CopyKittens|APT28|BRONZE BUTLER|Magic Hound|HAFNIUM|Chimera|Earth Lusca|APT1|Wizard Spider|Mustang Panda|APT41|Turla|APT39|GALLIUM 
+T1489,Service Stop,Impact,Indrik Spider|LAPSUS$|Lazarus Group|Wizard Spider +T1207,Rogue Domain Controller,Defense Evasion,no +T1204,User Execution,Execution,LAPSUS$ +T1553.001,Gatekeeper Bypass,Defense Evasion,no +T1553.005,Mark-of-the-Web Bypass,Defense Evasion,TA505|APT29 +T1018,Remote System Discovery,Discovery,Sandworm Team|Threat Group-3390|Ke3chang|Chimera|menuPass|Deep Panda|HEXANE|BRONZE BUTLER|HAFNIUM|Turla|Fox Kitten|Wizard Spider|GALLIUM|APT3|Naikon|FIN5|Magic Hound|Rocke|APT39|Leafminer|FIN8|Indrik Spider|Earth Lusca|Volt Typhoon|Dragonfly|FIN6|Silence|APT32 +T1547.002,Authentication Package,Persistence|Privilege Escalation,no +T1091,Replication Through Removable Media,Lateral Movement|Initial Access,FIN7|Darkhotel|APT28|Aoqin Dragon|Tropic Trooper|Mustang Panda|LuminousMoth +T1600,Weaken Encryption,Defense Evasion,no +T1659,Content Injection,Initial Access|Command And Control,MoustachedBouncer +T1543.001,Launch Agent,Persistence|Privilege Escalation,no +T1555.002,Securityd Memory,Credential Access,no +T1555.005,Password Managers,Credential Access,LAPSUS$|Fox Kitten|Threat Group-3390 +T1048,Exfiltration Over Alternative Protocol,Exfiltration,TeamTNT +T1525,Implant Internal Image,Persistence,no +T1053.006,Systemd Timers,Execution|Persistence|Privilege Escalation,no +T1021.008,Direct Cloud VM Connections,Lateral Movement,no +T1583.006,Web Services,Resource Development,Lazarus Group|APT29|FIN7|Turla|APT32|APT17|APT28|ZIRCONIUM|MuddyWater|POLONIUM|LazyScripter|TA2541|Magic Hound|Confucius|Kimsuky|HAFNIUM|Earth Lusca|IndigoZebra +T1574.004,Dylib Hijacking,Persistence|Privilege Escalation|Defense Evasion,no +T1550.003,Pass the Ticket,Defense Evasion|Lateral Movement,APT32|APT29|BRONZE BUTLER +T1480,Execution Guardrails,Defense Evasion,no +T1558.001,Golden Ticket,Credential Access,Ke3chang +T1600.001,Reduce Key Space,Defense Evasion,no +T1546.006,LC_LOAD_DYLIB Addition,Privilege Escalation|Persistence,no +T1556,Modify Authentication Process,Credential 
Access|Defense Evasion|Persistence,FIN13 +T1087,Account Discovery,Discovery,FIN13 +T1574.005,Executable Installer File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no +T1564.001,Hidden Files and Directories,Defense Evasion,HAFNIUM|Rocke|Tropic Trooper|APT28|Mustang Panda|Lazarus Group|FIN13|Transparent Tribe|LuminousMoth|APT32 +T1564.007,VBA Stomping,Defense Evasion,no +T1593,Search Open Websites/Domains,Reconnaissance,Sandworm Team +T1546.007,Netsh Helper DLL,Privilege Escalation|Persistence,no +T1059.009,Cloud API,Execution,APT29|TeamTNT +T1090,Proxy,Command And Control,Sandworm Team|POLONIUM|MoustachedBouncer|APT41|LAPSUS$|Fox Kitten|Magic Hound|CopyKittens|Earth Lusca|Blue Mockingbird|Turla|Windigo|Volt Typhoon +T1498,Network Denial of Service,Impact,APT28 +T1027.005,Indicator Removal from Tools,Defense Evasion,APT3|Patchwork|OilRig|Turla|TEMP.Veles|GALLIUM|Deep Panda T1543.004,Launch Daemon,Persistence|Privilege Escalation,no -T1543.003,Windows Service,Persistence|Privilege Escalation,TeamTNT|APT38|PROMETHIUM|Blue Mockingbird|DarkVishnya|Wizard Spider|APT32|APT41|Kimsuky|Tropic Trooper|Cobalt Group|Ke3chang|FIN7|APT19|Threat Group-3390|Honeybee|APT3|Lazarus Group|Carbanak +T1027,Obfuscated Files or Information,Defense Evasion,Moses Staff|APT18|Dark Caracal|Leviathan|menuPass|APT37|APT33|Higaisa|APT39|APT3|APT-C-36|Tropic Trooper|BlackOasis|Lazarus Group|Magic Hound|Fox Kitten|Molerats|APT28|Kimsuky|BackdoorDiplomacy|TA2541|TeamTNT|Darkhotel|Group5|APT41|Putter Panda|Threat Group-3390|Inception|Metador|Ember Bear|Ke3chang|BITTER|Elderwood|TA505|Gamaredon Group|Windshift|Sandworm Team|APT19|Mustang Panda|Blue Mockingbird|Mofang|Transparent Tribe|Sidewinder|Gallmaker|Rocke|GALLIUM|Earth Lusca|Whitefly|OilRig|APT32 +T1566.003,Spearphishing via Service,Initial Access,CURIUM|Windshift|OilRig|Lazarus Group|Ajax Security Team|APT29|EXOTIC LILY|FIN6|Dark Caracal|Magic Hound +T1588.006,Vulnerabilities,Resource Development,Sandworm Team 
+T1546,Event Triggered Execution,Privilege Escalation|Persistence,no +T1556.002,Password Filter DLL,Credential Access|Defense Evasion|Persistence,Strider +T1176,Browser Extensions,Persistence,Kimsuky +T1562,Impair Defenses,Defense Evasion,Magic Hound +T1187,Forced Authentication,Credential Access,DarkHydrus|Dragonfly +T1027.008,Stripped Payloads,Defense Evasion,no +T1070.006,Timestomp,Defense Evasion,TEMP.Veles|APT29|Lazarus Group|APT38|APT28|Rocke|Kimsuky|APT32|Chimera +T1057,Process Discovery,Discovery,OilRig|Stealth Falcon|Earth Lusca|Higaisa|APT37|Lazarus Group|Andariel|Ke3chang|Darkhotel|Molerats|Mustang Panda|Magic Hound|Poseidon Group|Rocke|Windshift|APT38|APT28|TeamTNT|Gamaredon Group|HAFNIUM|Tropic Trooper|MuddyWater|Turla|Sidewinder|Kimsuky|Volt Typhoon|APT1|HEXANE|Winnti Group|Chimera|Deep Panda|APT3|Inception T1543.002,Systemd Service,Persistence|Privilege Escalation,TeamTNT|Rocke -T1543.001,Launch Agent,Persistence|Privilege Escalation,no -T1037.005,Startup Items,Persistence|Privilege Escalation,no -T1037.004,RC Scripts,Persistence|Privilege Escalation,no -T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Kimsuky|Threat Group-3390|menuPass|Gorgon Group|Patchwork -T1055.013,Process Doppelgänging,Defense Evasion|Privilege Escalation,Leafminer -T1055.011,Extra Window Memory Injection,Defense Evasion|Privilege Escalation,no -T1055.014,VDSO Hijacking,Defense Evasion|Privilege Escalation,no -T1055.009,Proc Memory,Defense Evasion|Privilege Escalation,no -T1055.008,Ptrace System Calls,Defense Evasion|Privilege Escalation,no -T1055.005,Thread Local Storage,Defense Evasion|Privilege Escalation,no -T1055.004,Asynchronous Procedure Call,Defense Evasion|Privilege Escalation,FIN8 -T1055.003,Thread Execution Hijacking,Defense Evasion|Privilege Escalation,no -T1055.002,Portable Executable Injection,Defense Evasion|Privilege Escalation,Rocke|Gorgon Group -T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege 
Escalation,BackdoorDiplomacy|Leviathan|Wizard Spider|TA505|Turla|Tropic Trooper|Lazarus Group|Putter Panda +T1585,Establish Accounts,Resource Development,APT17|Fox Kitten +T1591,Gather Victim Org Information,Reconnaissance,Kimsuky|Lazarus Group +T1574.010,Services File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no +T1010,Application Window Discovery,Discovery,Lazarus Group|HEXANE +T1565.003,Runtime Data Manipulation,Impact,APT38 +T1056.001,Keylogging,Collection|Credential Access,PLATINUM|Kimsuky|Ke3chang|APT41|APT39|APT32|HEXANE|Sowbug|Group5|Threat Group-3390|menuPass|APT38|Magic Hound|FIN4|FIN13|APT28|APT3|Sandworm Team|Tonto Team|Lazarus Group|Darkhotel|OilRig|Ajax Security Team +T1110.003,Password Spraying,Credential Access,APT29|APT28|Leafminer|APT33|Chimera|HEXANE|Lazarus Group|Silent Librarian +T1547.006,Kernel Modules and Extensions,Persistence|Privilege Escalation,no +T1556.006,Multi-Factor Authentication,Credential Access|Defense Evasion|Persistence,no T1037.003,Network Logon Script,Persistence|Privilege Escalation,no -T1543,Create or Modify System Process,Persistence|Privilege Escalation,no -T1037.002,Logon Script (Mac),Persistence|Privilege Escalation,no -T1037.001,Logon Script (Windows),Persistence|Privilege Escalation,Cobalt Group|APT28 -T1542.003,Bootkit,Persistence|Defense Evasion,APT41|Lazarus Group|APT28 -T1542.002,Component Firmware,Persistence|Defense Evasion,Equation -T1542.001,System Firmware,Persistence|Defense Evasion,no -T1505.003,Web Shell,Persistence,Dragonfly|BackdoorDiplomacy|APT38|APT29|APT28|Tonto Team|Sandworm Team|HAFNIUM|Volatile Cedar|Fox Kitten|Operation Wocao|Kimsuky|Tropic Trooper|GALLIUM|Threat Group-3390|TEMP.Veles|Leviathan|APT39|Dragonfly 2.0|APT32|OilRig|Deep Panda -T1505.002,Transport Agent,Persistence,no -T1505.001,SQL Stored Procedures,Persistence,Sandworm Team -T1053.003,Cron,Execution|Persistence|Privilege Escalation,APT38|Rocke -T1053.001,At (Linux),Execution|Persistence|Privilege 
Escalation,no -T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,Kimsuky|Lazarus Group|Confucius|Dragonfly|APT37|APT38|Naikon|CostaRicto|Mustang Panda|Higaisa|Fox Kitten|Molerats|Machete|Operation Wocao|Chimera|Gamaredon Group|Blue Mockingbird|MuddyWater|Wizard Spider|Frankenstein|APT-C-36|BRONZE BUTLER|APT41|GALLIUM|Silence|TEMP.Veles|APT33|APT39|Rancor|OilRig|Patchwork|Dragonfly 2.0|Cobalt Group|FIN8|menuPass|FIN10|FIN7|APT32|Stealth Falcon|FIN6|APT3|APT29 -T1053.002,At (Windows),Execution|Persistence|Privilege Escalation,BRONZE BUTLER|Threat Group-3390|APT18 -T1542,Pre-OS Boot,Defense Evasion|Persistence,no +T1071.003,Mail Protocols,Command And Control,Kimsuky|APT28|SilverTerrier|APT32|Turla +T1027.003,Steganography,Defense Evasion,Leviathan|MuddyWater|Andariel|BRONZE BUTLER|Earth Lusca|TA551|APT37|Tropic Trooper +T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Patchwork|Kimsuky|TA2541|Gorgon Group|menuPass|Threat Group-3390 +T1056.003,Web Portal Capture,Collection|Credential Access,no +T1090.004,Domain Fronting,Command And Control,APT29 +T1137,Office Application Startup,Persistence,APT32|Gamaredon Group +T1485,Data Destruction,Impact,APT38|Sandworm Team|Gamaredon Group|Lazarus Group|LAPSUS$ +T1110.001,Password Guessing,Credential Access,APT29|APT28 +T1204.001,Malicious Link,Execution,Earth Lusca|Confucius|Molerats|APT32|Kimsuky|Sidewinder|Magic Hound|Elderwood|Machete|APT29|TA505|APT28|Mustang Panda|BlackTech|Evilnum|Patchwork|TA2541|APT3|Wizard Spider|Turla|LazyScripter|Leviathan|FIN7|Mofang|APT39|Windshift|LuminousMoth|Ember Bear|Transparent Tribe|APT33|ZIRCONIUM|OilRig|MuddyWater|Sandworm Team|FIN4|EXOTIC LILY|FIN8|Cobalt Group +T1609,Container Administration Command,Execution,TeamTNT +T1222.001,Windows File and Directory Permissions Modification,Defense Evasion,Wizard Spider T1137.001,Office Template Macros,Persistence,MuddyWater -T1137.004,Outlook Home Page,Persistence,OilRig -T1137.003,Outlook Forms,Persistence,no 
+T1027.009,Embedded Payloads,Defense Evasion,no +T1588.004,Digital Certificates,Resource Development,LuminousMoth|Lazarus Group|BlackTech|Silent Librarian +T1027.004,Compile After Delivery,Defense Evasion,Gamaredon Group|Rocke|MuddyWater +T1106,Native API,Execution,Lazarus Group|SideCopy|Gorgon Group|Turla|TA505|Chimera|APT37|menuPass|Tropic Trooper|Silence|Higaisa|APT38|BlackTech|Gamaredon Group +T1036.005,Match Legitimate Name or Location,Defense Evasion,admin@338|APT32|Earth Lusca|APT39|Sidewinder|WIRTE|PROMETHIUM|Tropic Trooper|Machete|Silence|APT41|APT29|APT28|MuddyWater|FIN13|BackdoorDiplomacy|Gamaredon Group|Patchwork|Magic Hound|TEMP.Veles|Chimera|TA2541|Poseidon Group|Lazarus Group|Volt Typhoon|Ferocious Kitten|LuminousMoth|Carbanak|Darkhotel|Naikon|Transparent Tribe|TeamTNT|Rocke|APT1|menuPass|Whitefly|Ke3chang|Mustang Panda|BRONZE BUTLER|Kimsuky|Blue Mockingbird|Indrik Spider|Sandworm Team|SideCopy|Fox Kitten|FIN7|Sowbug|Aoqin Dragon +T1553.002,Code Signing,Defense Evasion,Winnti Group|Wizard Spider|Patchwork|Silence|Scattered Spider|LuminousMoth|menuPass|Moses Staff|Ember Bear|FIN7|Lazarus Group|Kimsuky|APT41|FIN6|CopyKittens|Leviathan|GALLIUM|Darkhotel|Molerats|TA505|PROMETHIUM|Suckfly +T1070.003,Clear Command History,Defense Evasion,menuPass|APT41|TeamTNT|Lazarus Group|Magic Hound +T1218.001,Compiled HTML File,Defense Evasion,OilRig|Silence|APT38|APT41|Dark Caracal +T1562.012,Disable or Modify Linux Audit System,Defense Evasion,no +T1482,Domain Trust Discovery,Discovery,Earth Lusca|FIN8|Magic Hound|Chimera T1137.005,Outlook Rules,Persistence,no -T1137.006,Add-ins,Persistence,Naikon -T1137.002,Office Test,Persistence,APT28 -T1531,Account Access Removal,Impact,no -T1539,Steal Web Session Cookie,Credential Access,APT29|Evilnum -T1529,System Shutdown/Reboot,Impact,Lazarus Group|APT38|APT37 -T1518,Software Discovery,Discovery,Mustang Panda|Windshift|MuddyWater|Windigo|Sidewinder|Operation Wocao|BRONZE BUTLER|Tropic Trooper|Inception -T1547.013,XDG 
Autostart Entries,Persistence|Privilege Escalation,no -T1534,Internal Spearphishing,Lateral Movement,Kimsuky|Lazarus Group|Leviathan|Gamaredon Group +T1203,Exploitation for Client Execution,Execution,Higaisa|Mustang Panda|APT3|Leviathan|APT29|APT37|Sandworm Team|BlackTech|EXOTIC LILY|Lazarus Group|TA459|APT32|APT28|Inception|BITTER|APT12|Cobalt Group|Patchwork|Elderwood|Threat Group-3390|admin@338|BRONZE BUTLER|Tonto Team|Transparent Tribe|Axiom|Aoqin Dragon|Tropic Trooper|Darkhotel|Confucius|APT33|Dragonfly|MuddyWater|Sidewinder|Andariel|Ember Bear|APT41|The White Company +T1556.008,Network Provider DLL,Credential Access|Defense Evasion|Persistence,no +T1123,Audio Capture,Collection,APT37 +T1021.005,VNC,Lateral Movement,GCMAN|FIN7|Gamaredon Group|Fox Kitten +T1574.006,Dynamic Linker Hijacking,Persistence|Privilege Escalation|Defense Evasion,APT41|Rocke +T1592.001,Hardware,Reconnaissance,no +T1012,Query Registry,Discovery,Turla|Kimsuky|OilRig|Stealth Falcon|Threat Group-3390|Dragonfly|APT32|APT39|Volt Typhoon|ZIRCONIUM|Chimera|Lazarus Group|Fox Kitten +T1597.002,Purchase Technical Data,Reconnaissance,LAPSUS$ +T1590.001,Domain Properties,Reconnaissance,Sandworm Team +T1027.010,Command Obfuscation,Defense Evasion,Chimera|Magic Hound|Sandworm Team|TA505|Sidewinder|Leafminer|Cobalt Group|Aquatic Panda|FIN7|FIN8|Fox Kitten|MuddyWater|TA551|Gamaredon Group|FIN6|Turla|LazyScripter|Wizard Spider|Silence|APT19|GOLD SOUTHFIELD|APT32|Ember Bear|HEXANE|Patchwork +T1059.008,Network Device CLI,Execution,no +T1499.003,Application Exhaustion Flood,Impact,no +T1218.004,InstallUtil,Defense Evasion,Mustang Panda|menuPass +T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,no +T1222,File and Directory Permissions Modification,Defense Evasion,no +T1543.003,Windows Service,Persistence|Privilege Escalation,Kimsuky|Carbanak|Wizard Spider|APT19|APT38|PROMETHIUM|DarkVishnya|APT41|Ke3chang|APT32|Cobalt Group|Lazarus Group|TeamTNT|Threat Group-3390|Tropic 
Trooper|FIN7|APT3|Blue Mockingbird|Earth Lusca +T1134.002,Create Process with Token,Defense Evasion|Privilege Escalation,Lazarus Group|Turla +T1055.003,Thread Execution Hijacking,Defense Evasion|Privilege Escalation,no +T1480.001,Environmental Keying,Defense Evasion,APT41|Equation +T1570,Lateral Tool Transfer,Lateral Movement,FIN10|GALLIUM|Sandworm Team|APT32|Aoqin Dragon|Wizard Spider|Chimera|Magic Hound|Turla|Volt Typhoon +T1029,Scheduled Transfer,Exfiltration,Higaisa +T1584.003,Virtual Private Server,Resource Development,Turla +T1534,Internal Spearphishing,Lateral Movement,HEXANE|Kimsuky|Leviathan|Gamaredon Group +T1036.009,Break Process Trees,Defense Evasion,no +T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion|Persistence,Chimera +T1491.001,Internal Defacement,Impact,Gamaredon Group|Lazarus Group +T1564.010,Process Argument Spoofing,Defense Evasion,no +T1056.002,GUI Input Capture,Collection|Credential Access,FIN4 +T1008,Fallback Channels,Command And Control,FIN7|Lazarus Group|OilRig|APT41 +T1036.004,Masquerade Task or Service,Defense Evasion,Kimsuky|BackdoorDiplomacy|Magic Hound|APT41|Wizard Spider|Higaisa|APT-C-36|APT32|ZIRCONIUM|Carbanak|FIN7|Fox Kitten|FIN6|Naikon|BITTER|Lazarus Group|PROMETHIUM|FIN13 +T1590.006,Network Security Appliances,Reconnaissance,no +T1195.003,Compromise Hardware Supply Chain,Initial Access,no +T1055,Process Injection,Defense Evasion|Privilege Escalation,Cobalt Group|Silence|TA2541|APT32|Turla|Wizard Spider|APT37|PLATINUM|Kimsuky|APT41 +T1606.001,Web Cookies,Credential Access,no +T1568.003,DNS Calculation,Command And Control,APT12 +T1583.003,Virtual Private Server,Resource Development,Axiom|LAPSUS$|TEMP.Veles|HAFNIUM|Dragonfly +T1596.003,Digital Certificates,Reconnaissance,no +T1601.002,Downgrade System Image,Defense Evasion,no +T1007,System Service Discovery,Discovery,Ke3chang|TeamTNT|BRONZE BUTLER|APT1|Chimera|Earth Lusca|OilRig|Indrik Spider|admin@338|Kimsuky|Turla|Aquatic Panda|Poseidon Group 
+T1597.001,Threat Intel Vendors,Reconnaissance,no +T1589.001,Credentials,Reconnaissance,LAPSUS$|APT28|Magic Hound|Chimera|Leviathan +T1574.011,Services Registry Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no +T1619,Cloud Storage Object Discovery,Discovery,no +T1505.001,SQL Stored Procedures,Persistence,no +T1016.002,Wi-Fi Discovery,Discovery,Magic Hound +T1564.003,Hidden Window,Defense Evasion,DarkHydrus|Higaisa|Deep Panda|APT19|CopyKittens|Gamaredon Group|APT32|Nomadic Octopus|APT28|Magic Hound|Gorgon Group|APT3|Kimsuky +T1114.003,Email Forwarding Rule,Collection,LAPSUS$|Silent Librarian|Kimsuky T1528,Steal Application Access Token,Credential Access,APT28 -T1535,Unused/Unsupported Cloud Regions,Defense Evasion,no -T1525,Implant Internal Image,Persistence,no +T1542.004,ROMMONkit,Defense Evasion|Persistence,no +T1020.001,Traffic Duplication,Exfiltration,no +T1592.003,Firmware,Reconnaissance,no +T1583.001,Domains,Resource Development,TeamTNT|Lazarus Group|IndigoZebra|APT28|LazyScripter|TA505|Silent Librarian|menuPass|ZIRCONIUM|Mustang Panda|HEXANE|APT1|Gamaredon Group|TA2541|Earth Lusca|Transparent Tribe|Ferocious Kitten|FIN7|Kimsuky|Dragonfly|Threat Group-3390|APT32|Sandworm Team|BITTER|EXOTIC LILY|Leviathan|Winnti Group|Magic Hound +T1652,Device Driver Discovery,Discovery,no +T1021.007,Cloud Services,Lateral Movement,APT29 +T1037.001,Logon Script (Windows),Persistence|Privilege Escalation,Cobalt Group|APT28 +T1578.005,Modify Cloud Compute Configurations,Defense Evasion,no +T1059.005,Visual Basic,Execution,HEXANE|SideCopy|Windshift|Gamaredon Group|FIN7|TA2541|Lazarus Group|Silence|FIN13|Turla|BRONZE BUTLER|Transparent Tribe|APT38|Machete|Mustang Panda|Leviathan|Patchwork|FIN4|Cobalt Group|Magic Hound|OilRig|Inception|Sidewinder|Earth Lusca|Confucius|Molerats|WIRTE|Kimsuky|APT33|MuddyWater|Sandworm Team|APT32|APT-C-36|TA505|LazyScripter|TA459|Rancor|APT37|Higaisa|Gorgon Group|APT39 +T1608.006,SEO Poisoning,Resource Development,no 
+T1110.004,Credential Stuffing,Credential Access,Chimera +T1591.004,Identify Roles,Reconnaissance,LAPSUS$|HEXANE +T1593.001,Social Media,Reconnaissance,EXOTIC LILY|Kimsuky +T1562.009,Safe Mode Boot,Defense Evasion,no +T1055.008,Ptrace System Calls,Defense Evasion|Privilege Escalation,no +T1548.005,Temporary Elevated Cloud Access,Privilege Escalation|Defense Evasion,no +T1568,Dynamic Resolution,Command And Control,APT29|TA2541|Gamaredon Group|Transparent Tribe|BITTER +T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege Escalation,BackdoorDiplomacy|Leviathan|Tropic Trooper|Lazarus Group|Putter Panda|Turla|Wizard Spider|TA505 +T1218.011,Rundll32,Defense Evasion,APT28|Blue Mockingbird|Kimsuky|Sandworm Team|Lazarus Group|TA551|TA505|APT3|APT19|MuddyWater|Wizard Spider|APT41|FIN7|CopyKittens|Carbanak|APT32|Magic Hound|Gamaredon Group|HAFNIUM|LazyScripter|APT38 +T1546.010,AppInit DLLs,Privilege Escalation|Persistence,APT39 +T1039,Data from Network Shared Drive,Collection,menuPass|Gamaredon Group|Sowbug|APT28|BRONZE BUTLER|Chimera|Fox Kitten +T1573.001,Symmetric Cryptography,Command And Control,BRONZE BUTLER|APT33|APT28|Inception|ZIRCONIUM|Stealth Falcon|Darkhotel|MuddyWater|Lazarus Group|Higaisa|Mustang Panda|Volt Typhoon +T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,MuddyWater|APT38|APT39|FIN8|APT32|APT29|BITTER|Naikon|FIN7|APT33|Fox Kitten|Mustang Panda|Silence|Confucius|APT41|Cobalt Group|FIN10|menuPass|FIN13|APT3|Rancor|FIN6|Blue Mockingbird|Machete|Higaisa|Stealth Falcon|OilRig|Magic Hound|Kimsuky|TEMP.Veles|APT37|GALLIUM|Patchwork|BRONZE BUTLER|Wizard Spider|TA2541|Molerats|Gamaredon Group|LuminousMoth|Chimera|HEXANE|Dragonfly|Lazarus Group|APT-C-36 +T1547.012,Print Processors,Persistence|Privilege Escalation,Earth Lusca +T1546.001,Change Default File Association,Privilege Escalation|Persistence,Kimsuky +T1550.001,Application Access Token,Defense Evasion|Lateral Movement,APT28 +T1003.001,LSASS Memory,Credential 
Access,APT1|Kimsuky|Silence|OilRig|Leviathan|Whitefly|FIN13|APT32|GALLIUM|Threat Group-3390|Cleaver|Earth Lusca|MuddyWater|BRONZE BUTLER|Leafminer|HAFNIUM|APT28|PLATINUM|APT41|Magic Hound|FIN8|APT33|Sandworm Team|Wizard Spider|Aquatic Panda|APT39|Volt Typhoon|APT3|Fox Kitten|Blue Mockingbird|Indrik Spider|Ke3chang|TEMP.Veles|FIN6 T1538,Cloud Service Dashboard,Discovery,no -T1530,Data from Cloud Storage Object,Collection,Fox Kitten -T1578,Modify Cloud Compute Infrastructure,Defense Evasion,no -T1537,Transfer Data to Cloud Account,Exfiltration,no -T1526,Cloud Service Discovery,Discovery,no -T1505,Server Software Component,Persistence,no -T1499,Endpoint Denial of Service,Impact,Sandworm Team -T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,Darkhotel -T1498,Network Denial of Service,Impact,APT28 -T1496,Resource Hijacking,Impact,TeamTNT|Blue Mockingbird|Rocke|APT41 -T1495,Firmware Corruption,Impact,no -T1491,Defacement,Impact,no -T1490,Inhibit System Recovery,Impact,no -T1489,Service Stop,Impact,Indrik Spider|Wizard Spider|Lazarus Group -T1486,Data Encrypted for Impact,Impact,FIN7|Indrik Spider|APT41|TA505|APT38 -T1485,Data Destruction,Impact,Gamaredon Group|Sandworm Team|Lazarus Group|APT38 +T1001,Data Obfuscation,Command And Control,no +T1622,Debugger Evasion,Defense Evasion|Discovery,no +T1098.001,Additional Cloud Credentials,Persistence|Privilege Escalation,no +T1568.002,Domain Generation Algorithms,Command And Control,APT41|TA551 +T1547.008,LSASS Driver,Persistence|Privilege Escalation,no +T1133,External Remote Services,Persistence|Initial Access,APT29|LAPSUS$|APT41|GALLIUM|APT18|Wizard Spider|Leviathan|APT28|TeamTNT|Chimera|Dragonfly|Sandworm Team|Threat Group-3390|Kimsuky|Ke3chang|FIN13|Scattered Spider|TEMP.Veles|OilRig|FIN5|GOLD SOUTHFIELD +T1559.002,Dynamic Data Exchange,Execution,FIN7|Patchwork|Gallmaker|APT28|Leviathan|BITTER|MuddyWater|TA505|Sidewinder|APT37|Cobalt Group +T1567,Exfiltration Over Web Service,Exfiltration,Magic Hound|APT28 
+T1547.013,XDG Autostart Entries,Persistence|Privilege Escalation,no +T1606,Forge Web Credentials,Credential Access,no +T1584.004,Server,Resource Development,Dragonfly|Turla|Lazarus Group|Indrik Spider|APT16|Earth Lusca|Volt Typhoon +T1588,Obtain Capabilities,Resource Development,no +T1587,Develop Capabilities,Resource Development,Kimsuky +T1114,Email Collection,Collection,Silent Librarian|Magic Hound +T1070.002,Clear Linux or Mac System Logs,Defense Evasion,Rocke|TeamTNT +T1535,Unused/Unsupported Cloud Regions,Defense Evasion,no +T1586,Compromise Accounts,Resource Development,no +T1564.002,Hidden Users,Defense Evasion,Kimsuky|Dragonfly T1484,Domain Policy Modification,Defense Evasion|Privilege Escalation,no -T1482,Domain Trust Discovery,Discovery,FIN8|APT29|Chimera -T1480,Execution Guardrails,Defense Evasion,no -T1221,Template Injection,Defense Evasion,Lazarus Group|Confucius|Dragonfly|Gamaredon Group|Frankenstein|Inception|APT28|Tropic Trooper|DarkHydrus|Dragonfly 2.0 -T1222,File and Directory Permissions Modification,Defense Evasion,no -T1220,XSL Script Processing,Defense Evasion,Lazarus Group|Higaisa|Cobalt Group -T1217,Browser Bookmark Discovery,Discovery,APT38|Chimera|Fox Kitten -T1212,Exploitation for Credential Access,Credential Access,no -T1189,Drive-by Compromise,Initial Access,Magic Hound|APT28|Axiom|Transparent Tribe|Andariel|Leviathan|Machete|Windigo|Dragonfly|PROMETHIUM|Turla|Windshift|RTM|Darkhotel|APT38|APT19|Lazarus Group|Threat Group-3390|BRONZE BUTLER|APT32|Dark Caracal|Dragonfly 2.0|Leafminer|Patchwork|APT37|Elderwood|PLATINUM -T1211,Exploitation for Defense Evasion,Defense Evasion,APT28 -T1197,BITS Jobs,Defense Evasion|Persistence,APT39|Patchwork|APT41|Leviathan -T1203,Exploitation for Client Execution,Execution,Axiom|Confucius|Dragonfly|Andariel|Transparent Tribe|APT3|Tonto Team|Mustang Panda|Darkhotel|Higaisa|HAFNIUM|Sidewinder|Sandworm Team|MuddyWater|Frankenstein|Inception|BlackTech|APT41|admin@338|Threat Group-3390|APT12|The White 
Company|APT33|APT32|APT28|Tropic Trooper|BRONZE BUTLER|Cobalt Group|Lazarus Group|Patchwork|Elderwood|APT29|TA459|APT37|Leviathan -T1201,Password Policy Discovery,Discovery,Chimera|Turla|OilRig +T1055.009,Proc Memory,Defense Evasion|Privilege Escalation,no +T1135,Network Share Discovery,Discovery,Dragonfly|Chimera|FIN13|APT39|Tonto Team|Wizard Spider|APT41|Tropic Trooper|Sowbug|APT32|DarkVishnya|APT1|APT38 +T1574.012,COR_PROFILER,Persistence|Privilege Escalation|Defense Evasion,Blue Mockingbird +T1564.004,NTFS File Attributes,Defense Evasion,APT32 +T1562.007,Disable or Modify Cloud Firewall,Defense Evasion,no +T1003.002,Security Account Manager,Credential Access,Dragonfly|Ke3chang|GALLIUM|APT29|menuPass|FIN13|Threat Group-3390|Wizard Spider +T1650,Acquire Access,Resource Development,no +T1090.002,External Proxy,Command And Control,Tonto Team|APT39|MuddyWater|FIN5|Lazarus Group|APT28|Silence|GALLIUM|menuPass|APT3 +T1564.006,Run Virtual Instance,Defense Evasion,no +T1595,Active Scanning,Reconnaissance,no +T1055.013,Process Doppelgänging,Defense Evasion|Privilege Escalation,Leafminer +T1491,Defacement,Impact,no +T1592,Gather Victim Host Information,Reconnaissance,no +T1546.012,Image File Execution Options Injection,Privilege Escalation|Persistence,TEMP.Veles +T1602.002,Network Device Configuration Dump,Collection,no +T1596.005,Scan Databases,Reconnaissance,no +T1197,BITS Jobs,Defense Evasion|Persistence,Wizard Spider|APT39|APT41|Leviathan|Patchwork +T1547.010,Port Monitors,Persistence|Privilege Escalation,no +T1016,System Network Configuration Discovery,Discovery,Kimsuky|Threat Group-3390|Sidewinder|Chimera|Magic Hound|Moses Staff|Lazarus Group|FIN13|TeamTNT|Stealth Falcon|Higaisa|SideCopy|ZIRCONIUM|APT19|APT1|APT32|Naikon|Darkhotel|Earth Lusca|Dragonfly|APT3|menuPass|MuddyWater|Volt Typhoon|HEXANE|OilRig|Wizard Spider|GALLIUM|Ke3chang|Mustang Panda|HAFNIUM|Turla|Tropic Trooper|APT41|admin@338 +T1484.002,Domain Trust Modification,Defense Evasion|Privilege 
Escalation,no +T1584,Compromise Infrastructure,Resource Development,no +T1596,Search Open Technical Databases,Reconnaissance,no +T1499.001,OS Exhaustion Flood,Impact,no +T1573,Encrypted Channel,Command And Control,APT29|Tropic Trooper|BITTER|Magic Hound +T1127.001,MSBuild,Defense Evasion,no +T1588.003,Code Signing Certificates,Resource Development,Ember Bear|Threat Group-3390|Wizard Spider|FIN8|BlackTech +T1027.001,Binary Padding,Defense Evasion,APT32|Moafee|FIN7|Higaisa|Leviathan|Patchwork|Gamaredon Group|Ember Bear|Mustang Panda|APT29|BRONZE BUTLER +T1546.014,Emond,Privilege Escalation|Persistence,no +T1596.002,WHOIS,Reconnaissance,no +T1590.004,Network Topology,Reconnaissance,FIN13 +T1559,Inter-Process Communication,Execution,no T1195,Supply Chain Compromise,Initial Access,no -T1199,Trusted Relationship,Initial Access,Threat Group-3390|APT29|Sandworm Team|GOLD SOUTHFIELD|APT28|menuPass -T1218,Signed Binary Proxy Execution,Defense Evasion,Lazarus Group -T1204,User Execution,Execution,no -T1213,Data from Information Repositories,Collection,APT29|APT28|Fox Kitten|FIN6|Turla -T1190,Exploit Public-Facing Application,Initial Access,Threat Group-3390|Ke3chang|Kimsuky|Magic Hound|Dragonfly|BackdoorDiplomacy|menuPass|Volatile Cedar|Fox Kitten|Operation Wocao|APT28|APT29|GOLD SOUTHFIELD|Blue Mockingbird|Rocke|APT39|BlackTech|APT41|GALLIUM|Night Dragon|Axiom -T1210,Exploitation of Remote Services,Lateral Movement,Dragonfly|Tonto Team|FIN7|Fox Kitten|menuPass|Wizard Spider|Threat Group-3390|APT28 -T1200,Hardware Additions,Initial Access,DarkVishnya -T1202,Indirect Command Execution,Defense Evasion,Lazarus Group -T1219,Remote Access Software,Command And Control,TeamTNT|Mustang Panda|MuddyWater|Evilnum|GOLD SOUTHFIELD|Sandworm Team|DarkVishnya|RTM|Kimsuky|Night Dragon|Cobalt Group|Thrip|Carbanak -T1207,Rogue Domain Controller,Defense Evasion,no -T1216,Signed Script Proxy Execution,Defense Evasion,no -T1205,Traffic Signaling,Defense Evasion|Persistence|Command And Control,no 
-T1176,Browser Extensions,Persistence,Kimsuky -T1187,Forced Authentication,Credential Access,Dragonfly|DarkHydrus|Dragonfly 2.0 -T1185,Browser Session Hijacking,Collection,no -T1140,Deobfuscate/Decode Files or Information,Defense Evasion,Lazarus Group|Ke3chang|Kimsuky|APT39|APT29|ZIRCONIUM|Higaisa|Rocke|Sandworm Team|Gamaredon Group|Molerats|Frankenstein|Turla|WIRTE|Darkhotel|Tropic Trooper|Honeybee|Gorgon Group|Threat Group-3390|menuPass|APT19|Leviathan|MuddyWater|APT28|OilRig|BRONZE BUTLER -T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,FIN6|Blue Mockingbird -T1136,Create Account,Persistence,Sandworm Team|Indrik Spider -T1135,Network Share Discovery,Discovery,Dragonfly|Tonto Team|APT38|Chimera|Operation Wocao|Wizard Spider|APT32|APT39|DarkVishnya|APT41|Tropic Trooper|APT1|Dragonfly 2.0|Sowbug -T1137,Office Application Startup,Persistence,Gamaredon Group|APT32 -T1133,External Remote Services,Persistence|Initial Access,Dragonfly|TeamTNT|Leviathan|APT28|APT29|Operation Wocao|Wizard Spider|Kimsuky|GOLD SOUTHFIELD|Chimera|Sandworm Team|APT41|GALLIUM|TEMP.Veles|Night Dragon|Ke3chang|OilRig|Dragonfly 2.0|FIN5|Threat Group-3390|APT18 -T1132,Data Encoding,Command And Control,no -T1129,Shared Modules,Execution,no -T1127,Trusted Developer Utilities Proxy Execution,Defense Evasion,no -T1125,Video Capture,Collection,Silence|FIN7 -T1124,System Time Discovery,Discovery,Darkhotel|ZIRCONIUM|Higaisa|Sidewinder|Chimera|Operation Wocao|The White Company|Lazarus Group|BRONZE BUTLER|Turla -T1123,Audio Capture,Collection,APT37 -T1120,Peripheral Device Discovery,Discovery,OilRig|BackdoorDiplomacy|Operation Wocao|Turla|APT37|Gamaredon Group|Equation|APT28 -T1119,Automated Collection,Collection,Ke3chang|Confucius|Mustang Panda|Sidewinder|Chimera|menuPass|Operation Wocao|Gamaredon Group|Tropic Trooper|Frankenstein|APT1|APT28|Patchwork|OilRig|FIN5|Threat Group-3390|FIN6 -T1115,Clipboard Data,Collection,Operation Wocao|APT39|APT38 -T1114,Email 
Collection,Collection,Magic Hound|Silent Librarian -T1113,Screen Capture,Collection,Dragonfly|GOLD SOUTHFIELD|Gamaredon Group|APT39|Silence|MuddyWater|Dragonfly 2.0|OilRig|Dark Caracal|FIN7|BRONZE BUTLER|Magic Hound|Group5|APT28 -T1112,Modify Registry,Defense Evasion,Dragonfly|Operation Wocao|Kimsuky|Gamaredon Group|Blue Mockingbird|Wizard Spider|Silence|APT41|Turla|APT32|APT38|Patchwork|Gorgon Group|Threat Group-3390|Dragonfly 2.0|APT19|Honeybee|FIN8 -T1111,Two-Factor Authentication Interception,Credential Access,Kimsuky|Chimera|Operation Wocao -T1110,Brute Force,Credential Access,Lazarus Group|Dragonfly|APT38|APT28|Fox Kitten|DarkVishnya|APT39|OilRig|FIN5|Turla -T1106,Native API,Execution,BlackTech|Lazarus Group|APT38|Higaisa|menuPass|Operation Wocao|Chimera|Gamaredon Group|Tropic Trooper|Sharpshooter|Turla|Silence|APT37|Gorgon Group -T1105,Ingress Tool Transfer,Command And Control,LazyScripter|Ke3chang|Aquatic Panda|Winnti Group|Confucius|Dragonfly|TeamTNT|Nomadic Octopus|IndigoZebra|Andariel|BackdoorDiplomacy|Tonto Team|HAFNIUM|APT29|Ajax Security Team|Mustang Panda|Windshift|Darkhotel|ZIRCONIUM|TA551|Volatile Cedar|Indrik Spider|Evilnum|Sidewinder|Fox Kitten|Kimsuky|Operation Wocao|Chimera|Sandworm Team|Whitefly|Rocke|APT39|Tropic Trooper|Sharpshooter|Molerats|Frankenstein|Silence|APT-C-36|APT41|GALLIUM|TA505|WIRTE|APT33|MuddyWater|APT18|APT38|Rancor|Gorgon Group|OilRig|Turla|Cobalt Group|Dragonfly 2.0|FIN8|PLATINUM|APT37|Elderwood|Leviathan|APT32|Magic Hound|BRONZE BUTLER|APT3|menuPass|FIN7|Gamaredon Group|Patchwork|Lazarus Group|Threat Group-3390|APT28 -T1104,Multi-Stage Channels,Command And Control,Lazarus Group|APT41|MuddyWater|APT3 -T1102,Web Service,Command And Control,Mustang Panda|LazyScripter|TeamTNT|FIN8|Fox Kitten|Turla|APT32|Gamaredon Group|Rocke|Inception|FIN6 -T1098,Account Manipulation,Persistence,Kimsuky|Dragonfly|Sandworm Team|APT3|Dragonfly 2.0|Lazarus Group -T1095,Non-Application Layer Protocol,Command And 
Control,BackdoorDiplomacy|HAFNIUM|Operation Wocao|FIN6|APT29|PLATINUM|APT3 -T1092,Communication Through Removable Media,Command And Control,APT28 -T1091,Replication Through Removable Media,Lateral Movement|Initial Access,FIN7|Mustang Panda|Tropic Trooper|Darkhotel|APT28 -T1090,Proxy,Command And Control,Windigo|Fox Kitten|Operation Wocao|Sandworm Team|Blue Mockingbird|APT41|Turla -T1087,Account Discovery,Discovery,APT29 -T1083,File and Directory Discovery,Discovery,Winnti Group|Confucius|Dragonfly|APT38|APT29|Mustang Panda|Darkhotel|Windigo|Sidewinder|Chimera|Fox Kitten|menuPass|APT39|Sandworm Team|Operation Wocao|Gamaredon Group|Tropic Trooper|Inception|APT41|Kimsuky|APT32|MuddyWater|APT18|Leafminer|Honeybee|Dark Caracal|Dragonfly 2.0|APT3|Sowbug|Magic Hound|BRONZE BUTLER|APT28|Patchwork|Lazarus Group|Dust Storm|admin@338|Turla|Ke3chang -T1082,System Information Discovery,Discovery,Aquatic Panda|Confucius|TeamTNT|APT38|APT29|Mustang Panda|Windshift|ZIRCONIUM|Higaisa|Windigo|Sidewinder|Chimera|Operation Wocao|Wizard Spider|Rocke|Sandworm Team|Blue Mockingbird|Tropic Trooper|Frankenstein|Inception|Kimsuky|Darkhotel|MuddyWater|APT18|APT32|APT37|Honeybee|APT19|Magic Hound|Sowbug|OilRig|APT3|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|admin@338|Turla|Ke3chang -T1080,Taint Shared Content,Lateral Movement,Gamaredon Group|BRONZE BUTLER|Darkhotel -T1078,Valid Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Ke3chang|Lazarus Group|Axiom|Dragonfly|FIN7|Leviathan|APT29|Silent Librarian|Fox Kitten|Operation Wocao|Chimera|Sandworm Team|Wizard Spider|Silence|APT41|GALLIUM|TEMP.Veles|APT39|FIN4|Night Dragon|Dragonfly 2.0|FIN8|APT33|FIN5|OilRig|APT28|menuPass|FIN10|Suckfly|FIN6|Threat Group-3390|APT18|PittyTiger|Carbanak -T1074,Data Staged,Collection,Wizard Spider -T1072,Software Deployment Tools,Execution|Lateral Movement,Silence|APT32|Threat Group-1314 -T1071,Application Layer Protocol,Command And Control,Dragonfly|TeamTNT|Rocke|Magic 
Hound|Dragonfly 2.0 -T1070,Indicator Removal on Host,Defense Evasion,Lazarus Group|APT29 -T1069,Permission Groups Discovery,Discovery,APT29|TA505|APT3 -T1068,Exploitation for Privilege Escalation,Privilege Escalation,APT29|Tonto Team|ZIRCONIUM|Turla|Whitefly|APT33|Cobalt Group|PLATINUM|FIN8|APT32|Threat Group-3390|FIN6|APT28 -T1059,Command and Scripting Interpreter,Execution,Dragonfly|APT37|Windigo|Fox Kitten|APT32|Whitefly|APT39|Dragonfly 2.0|FIN7|APT19|OilRig|FIN5|Stealth Falcon|FIN6|Ke3chang -T1057,Process Discovery,Discovery,Gamaredon Group|Kimsuky|TeamTNT|Andariel|APT29|Mustang Panda|Windshift|Higaisa|Sidewinder|Chimera|Operation Wocao|Rocke|Frankenstein|Inception|Darkhotel|MuddyWater|APT1|APT38|Tropic Trooper|APT37|Honeybee|OilRig|APT3|Magic Hound|APT28|Winnti Group|Stealth Falcon|Poseidon Group|Lazarus Group|Molerats|Turla|Deep Panda|Ke3chang -T1056,Input Capture,Collection|Credential Access,APT39 -T1055,Process Injection,Defense Evasion|Privilege Escalation,Operation Wocao|APT32|Sharpshooter|Silence|APT41|Kimsuky|Cobalt Group|Turla|APT37|Honeybee|PLATINUM -T1053,Scheduled Task/Job,Execution|Persistence|Privilege Escalation,no -T1052,Exfiltration Over Physical Medium,Exfiltration,no -T1049,System Network Connections Discovery,Discovery,Lazarus Group|TeamTNT|Andariel|BackdoorDiplomacy|Mustang Panda|MuddyWater|Chimera|Sandworm Team|Operation Wocao|Tropic Trooper|APT41|APT38|GALLIUM|APT32|APT1|OilRig|APT3|menuPass|Threat Group-3390|Poseidon Group|admin@338|Turla|Ke3chang -T1048,Exfiltration Over Alternative Protocol,Exfiltration,no -T1047,Windows Management Instrumentation,Execution,Gamaredon Group|Sandworm Team|FIN7|Indrik Spider|Naikon|Mustang Panda|Windshift|Operation Wocao|Chimera|Blue Mockingbird|Wizard Spider|Frankenstein|APT41|FIN6|GALLIUM|APT32|MuddyWater|Threat Group-3390|OilRig|FIN8|Leviathan|menuPass|Stealth Falcon|Lazarus Group|APT29|Deep Panda -T1046,Network Service Scanning,Discovery,BlackTech|Lazarus 
Group|TeamTNT|BackdoorDiplomacy|Naikon|CostaRicto|Chimera|Fox Kitten|Operation Wocao|Rocke|DarkVishnya|APT41|Tropic Trooper|APT39|APT32|OilRig|Cobalt Group|Leafminer|menuPass|Suckfly|FIN6|Threat Group-3390 -T1041,Exfiltration Over C2 Channel,Exfiltration,Confucius|Leviathan|ZIRCONIUM|Higaisa|Chimera|APT39|Operation Wocao|Sandworm Team|MuddyWater|Wizard Spider|Frankenstein|Kimsuky|GALLIUM|APT32|APT3|Gamaredon Group|Stealth Falcon|Lazarus Group|Ke3chang -T1040,Network Sniffing,Credential Access|Discovery,Kimsuky|Sandworm Team|DarkVishnya|APT33|APT28 -T1039,Data from Network Shared Drive,Collection,APT28|Chimera|Fox Kitten|Gamaredon Group|BRONZE BUTLER|Sowbug|menuPass -T1037,Boot or Logon Initialization Scripts,Persistence|Privilege Escalation,Rocke -T1036,Masquerading,Defense Evasion,Kimsuky|Lazarus Group|Dragonfly|LazyScripter|APT28|Nomadic Octopus|OilRig|APT29|ZIRCONIUM|TA551|Windshift|APT32|BRONZE BUTLER|menuPass|PLATINUM|Dragonfly 2.0 -T1033,System Owner/User Discovery,Discovery,Threat Group-3390|Ke3chang|Dragonfly|APT38|Windshift|ZIRCONIUM|Sidewinder|Chimera|Sandworm Team|Operation Wocao|Wizard Spider|Frankenstein|APT41|GALLIUM|Tropic Trooper|APT39|MuddyWater|APT37|Dragonfly 2.0|APT19|APT32|Magic Hound|OilRig|FIN10|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|APT3 -T1030,Data Transfer Size Limits,Exfiltration,APT28|Threat Group-3390 -T1029,Scheduled Transfer,Exfiltration,Higaisa -T1027,Obfuscated Files or Information,Defense Evasion,Aquatic Panda|Ke3chang|LazyScripter|TeamTNT|BackdoorDiplomacy|Transparent Tribe|APT39|Mustang Panda|Windshift|TA551|Higaisa|Sidewinder|Fox Kitten|GOLD SOUTHFIELD|Operation Wocao|Kimsuky|FIN6|Chimera|Gamaredon Group|Rocke|Sandworm Team|Blue Mockingbird|Whitefly|Molerats|Wizard Spider|Mofang|Frankenstein|Inception|APT-C-36|APT41|GALLIUM|Turla|TA505|Silence|APT33|Night Dragon|Darkhotel|Gallmaker|APT29|APT18|Tropic Trooper|Patchwork|menuPass|APT37|Threat Group-3390|Cobalt Group|Dark 
Caracal|Leafminer|Honeybee|APT19|BlackOasis|Leviathan|FIN8|MuddyWater|FIN7|Elderwood|OilRig|Magic Hound|APT3|APT32|Group5|Dust Storm|Lazarus Group|Putter Panda|APT28 -T1025,Data from Removable Media,Collection,Turla|Gamaredon Group|APT28 -T1021,Remote Services,Lateral Movement,no -T1020,Automated Exfiltration,Exfiltration,Ke3chang|Sidewinder|Gamaredon Group|Tropic Trooper|Frankenstein|Honeybee -T1018,Remote System Discovery,Discovery,Dragonfly|Indrik Spider|Naikon|APT29|Chimera|Fox Kitten|Operation Wocao|Sandworm Team|Rocke|Wizard Spider|Silence|GALLIUM|APT39|APT32|Deep Panda|Ke3chang|Threat Group-3390|Dragonfly 2.0|Leafminer|FIN8|FIN5|APT3|BRONZE BUTLER|menuPass|FIN6|Turla -T1016,System Network Configuration Discovery,Discovery,Kimsuky|Dragonfly|TeamTNT|ZIRCONIUM|Mustang Panda|Higaisa|Sidewinder|Chimera|Operation Wocao|Wizard Spider|Sandworm Team|Tropic Trooper|Frankenstein|APT41|GALLIUM|APT32|Darkhotel|MuddyWater|APT1|APT19|Dragonfly 2.0|Magic Hound|OilRig|Threat Group-3390|menuPass|Stealth Falcon|Lazarus Group|APT3|Naikon|admin@338|Turla|Ke3chang -T1014,Rootkit,Defense Evasion,TeamTNT|Rocke|APT41|APT28|Winnti Group -T1012,Query Registry,Discovery,Kimsuky|Dragonfly|ZIRCONIUM|Chimera|Fox Kitten|APT39|Operation Wocao|APT32|Dragonfly 2.0|Threat Group-3390|OilRig|Stealth Falcon|Lazarus Group|Turla -T1011,Exfiltration Over Other Network Medium,Exfiltration,no -T1010,Application Window Discovery,Discovery,Lazarus Group -T1008,Fallback Channels,Command And Control,FIN7|APT41|OilRig|Lazarus Group -T1007,System Service Discovery,Discovery,Kimsuky|Aquatic Panda|Indrik Spider|Chimera|Operation Wocao|BRONZE BUTLER|APT1|OilRig|Poseidon Group|admin@338|Turla|Ke3chang +T1047,Windows Management Instrumentation,Execution,APT41|FIN7|APT32|GALLIUM|Sandworm Team|Volt Typhoon|Blue Mockingbird|Mustang Panda|Deep Panda|TA2541|Indrik Spider|OilRig|MuddyWater|Gamaredon Group|menuPass|FIN6|Leviathan|Stealth Falcon|Windshift|Earth Lusca|Threat Group-3390|FIN13|Magic Hound|Chimera|Lazarus 
Group|APT29|Wizard Spider|FIN8|Naikon +T1560.002,Archive via Library,Collection,Lazarus Group|Threat Group-3390 +T1583.005,Botnet,Resource Development,no +T1621,Multi-Factor Authentication Request Generation,Credential Access,Scattered Spider|LAPSUS$|APT29 +T1110.002,Password Cracking,Credential Access,APT3|Dragonfly|FIN6|APT41 +T1566,Phishing,Initial Access,Axiom|GOLD SOUTHFIELD +T1059.007,JavaScript,Execution,Kimsuky|Cobalt Group|Indrik Spider|Leafminer|FIN7|MuddyWater|Molerats|TA505|Silence|FIN6|APT32|Earth Lusca|LazyScripter|Turla|Evilnum|Higaisa|Ember Bear|MoustachedBouncer|Sidewinder +T1592.004,Client Configurations,Reconnaissance,HAFNIUM +T1529,System Shutdown/Reboot,Impact,Lazarus Group|APT37|APT38 +T1218.012,Verclsid,Defense Evasion,no +T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,no +T1217,Browser Information Discovery,Discovery,Chimera|Fox Kitten|APT38 +T1218,System Binary Proxy Execution,Defense Evasion,Lazarus Group +T1578,Modify Cloud Compute Infrastructure,Defense Evasion,no +T1546.015,Component Object Model Hijacking,Privilege Escalation|Persistence,APT28 T1006,Direct Volume Access,Defense Evasion,no -T1005,Data from Local System,Collection,Axiom|Dragonfly|FIN7|APT41|APT38|Andariel|APT29|Windigo|Fox Kitten|Sandworm Team|Operation Wocao|FIN6|Gamaredon Group|APT39|Frankenstein|Inception|Kimsuky|GALLIUM|Turla|menuPass|Dark Caracal|Dragonfly 2.0|Honeybee|APT37|APT28|APT3|BRONZE BUTLER|Patchwork|Stealth Falcon|Lazarus Group|Dust Storm|Threat Group-3390|APT1|Ke3chang -T1003,OS Credential Dumping,Credential Access,Tonto Team|APT39|Frankenstein|APT32|APT28|Leviathan|Sowbug|Suckfly|Poseidon Group|Axiom -T1001,Data Obfuscation,Command And Control,Operation Wocao|Axiom +T1586.002,Email Accounts,Resource Development,APT29|APT28|Leviathan|LAPSUS$|IndigoZebra|HEXANE|Kimsuky|Magic Hound +T1137.003,Outlook Forms,Persistence,no +T1584.006,Web Services,Resource Development,Turla|Earth Lusca +T1134.001,Token Impersonation/Theft,Defense 
Evasion|Privilege Escalation,APT28|FIN8 +T1070,Indicator Removal,Defense Evasion,Lazarus Group +T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,APT1|FIN13|APT28|APT32|Chimera|GALLIUM|Kimsuky|Wizard Spider +T1567.003,Exfiltration to Text Storage Sites,Exfiltration,no +T1030,Data Transfer Size Limits,Exfiltration,Threat Group-3390|LuminousMoth|APT28 +T1137.004,Outlook Home Page,Persistence,OilRig +T1036.006,Space after Filename,Defense Evasion,no +T1539,Steal Web Session Cookie,Credential Access,Evilnum|LuminousMoth +T1518.001,Security Software Discovery,Discovery,Cobalt Group|Kimsuky|TA2541|Tropic Trooper|APT38|Sidewinder|MuddyWater|Darkhotel|TeamTNT|Patchwork|Windshift|Rocke|The White Company|Naikon|Aquatic Panda|Wizard Spider|Turla|FIN8|SideCopy +T1578.002,Create Cloud Instance,Defense Evasion,LAPSUS$ +T1037.004,RC Scripts,Persistence|Privilege Escalation,APT29 +T1036.008,Masquerade File Type,Defense Evasion,Volt Typhoon +T1556.007,Hybrid Identity,Credential Access|Defense Evasion|Persistence,APT29 +T1114.001,Local Email Collection,Collection,APT1|Chimera|Magic Hound +T1490,Inhibit System Recovery,Impact,Wizard Spider +T1027.012,LNK Icon Smuggling,Defense Evasion,no +T1558.004,AS-REP Roasting,Credential Access,no +T1601.001,Patch System Image,Defense Evasion,no +T1132.001,Standard Encoding,Command And Control,MuddyWater|Tropic Trooper|HAFNIUM|BRONZE BUTLER|APT19|Lazarus Group|Sandworm Team|APT33|TA551|Patchwork +T1003.004,LSA Secrets,Credential Access,APT33|OilRig|Leafminer|menuPass|Threat Group-3390|Dragonfly|MuddyWater|Ke3chang|APT29 +T1566.001,Spearphishing Attachment,Initial Access,Ember Bear|Gorgon Group|OilRig|Naikon|Wizard Spider|Machete|Nomadic Octopus|IndigoZebra|RTM|Confucius|Gamaredon Group|APT28|FIN4|Rancor|Mustang Panda|TA551|DarkHydrus|Cobalt Group|APT12|menuPass|WIRTE|APT39|APT29|APT19|Tropic Trooper|Inception|LazyScripter|Silence|APT38|APT30|APT33|APT1|Patchwork|Sandworm Team|Leviathan|Windshift|APT37|Lazarus 
Group|Darkhotel|PLATINUM|Gallmaker|APT32|FIN6|Dragonfly|BITTER|Sidewinder|Tonto Team|Andariel|The White Company|FIN8|Transparent Tribe|BRONZE BUTLER|Threat Group-3390|TA505|EXOTIC LILY|Elderwood|SideCopy|Molerats|Ajax Security Team|MuddyWater|Ferocious Kitten|APT-C-36|Mofang|Higaisa|APT41|FIN7|TA2541|BlackTech|admin@338|Kimsuky|TA459 +T1102,Web Service,Command And Control,FIN6|EXOTIC LILY|Turla|APT32|Mustang Panda|Rocke|FIN8|TeamTNT|LazyScripter|Gamaredon Group|Inception|Fox Kitten|Ember Bear +T1649,Steal or Forge Authentication Certificates,Credential Access,APT29 +T1590,Gather Victim Network Information,Reconnaissance,HAFNIUM +T1562.010,Downgrade Attack,Defense Evasion,no +T1003,OS Credential Dumping,Credential Access,Axiom|Leviathan|APT28|Tonto Team|Poseidon Group|Suckfly|APT32|Sowbug|APT39 +T1087.004,Cloud Account,Discovery,APT29 +T1552.005,Cloud Instance Metadata API,Credential Access,TeamTNT +T1562.003,Impair Command History Logging,Defense Evasion,APT38 +T1608.004,Drive-by Target,Resource Development,FIN7|Threat Group-3390|APT32|Transparent Tribe|LuminousMoth|Dragonfly +T1553,Subvert Trust Controls,Defense Evasion,Axiom +T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,Leviathan|Ke3chang|RTM|TeamTNT|Inception|Threat Group-3390|MuddyWater|FIN6|PROMETHIUM|Higaisa|Magic Hound|APT3|Sidewinder|APT29|TA2541|FIN10|Dark Caracal|Dragonfly|BRONZE BUTLER|FIN13|Tropic Trooper|LazyScripter|Rocke|APT33|APT19|ZIRCONIUM|APT28|Confucius|APT39|Turla|LuminousMoth|Darkhotel|APT37|Gamaredon Group|Mustang Panda|Patchwork|FIN7|Naikon|APT18|Silence|Kimsuky|Wizard Spider|Lazarus Group|Gorgon Group|Putter Panda|APT41|Windshift|Cobalt Group|Molerats|APT32 +T1526,Cloud Service Discovery,Discovery,no +T1027.011,Fileless Storage,Defense Evasion,Turla|APT32 +T1599,Network Boundary Bridging,Defense Evasion,no +T1218.014,MMC,Defense Evasion,no +T1216,System Script Proxy Execution,Defense Evasion,no +T1036.003,Rename System Utilities,Defense Evasion,Lazarus 
Group|GALLIUM|APT32|menuPass +T1569.001,Launchctl,Execution,no +T1571,Non-Standard Port,Command And Control,Silence|Lazarus Group|Magic Hound|Rocke|APT-C-36|DarkVishnya|TEMP.Veles|APT32|WIRTE|Sandworm Team|APT33|FIN7 +T1069.002,Domain Groups,Discovery,OilRig|Inception|Ke3chang|FIN7|Dragonfly|Turla|Volt Typhoon|LAPSUS$ +T1003.006,DCSync,Credential Access,LAPSUS$|Earth Lusca +T1497.002,User Activity Based Checks,Defense Evasion|Discovery,Darkhotel|FIN7 +T1110,Brute Force,Credential Access,APT38|OilRig|HEXANE|APT28|FIN5|Fox Kitten|APT39|Dragonfly|Turla|DarkVishnya +T1531,Account Access Removal,Impact,LAPSUS$ +T1596.004,CDNs,Reconnaissance,no +T1132,Data Encoding,Command And Control,no +T1589,Gather Victim Identity Information,Reconnaissance,Magic Hound|APT32|FIN13|HEXANE|LAPSUS$ +T1546.013,PowerShell Profile,Privilege Escalation|Persistence,Turla +T1036,Masquerading,Defense Evasion,OilRig|APT28|Nomadic Octopus|menuPass|ZIRCONIUM|FIN13|Windshift|TA551|APT32|Kimsuky|TeamTNT|PLATINUM|LazyScripter|BRONZE BUTLER|Dragonfly +T1102.002,Bidirectional Communication,Command And Control,APT28|APT37|Carbanak|Lazarus Group|APT12|FIN7|APT39|ZIRCONIUM|POLONIUM|HEXANE|Turla|Sandworm Team|MuddyWater|Magic Hound|Kimsuky +T1588.001,Malware,Resource Development,TA2541|LuminousMoth|LazyScripter|APT1|LAPSUS$|Aquatic Panda|Metador|Andariel|BackdoorDiplomacy|Earth Lusca|Turla|TA505 +T1033,System Owner/User Discovery,Discovery,ZIRCONIUM|APT37|Gamaredon Group|Magic Hound|FIN10|Sidewinder|HAFNIUM|HEXANE|GALLIUM|Stealth Falcon|Dragonfly|APT32|Tropic Trooper|APT19|Sandworm Team|APT39|OilRig|Patchwork|Ke3chang|APT41|FIN8|APT38|Earth Lusca|Wizard Spider|FIN7|Windshift|MuddyWater|Lazarus Group|Threat Group-3390|APT3|LuminousMoth|Chimera|Volt Typhoon +T1021.006,Windows Remote Management,Lateral Movement,Wizard Spider|Chimera|FIN13|Threat Group-3390 +T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,Darkhotel +T1136.002,Domain Account,Persistence,GALLIUM|Wizard Spider|HAFNIUM 
+T1556.004,Network Device Authentication,Credential Access|Defense Evasion|Persistence,no +T1078.004,Cloud Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT28|Ke3chang|APT29|APT33|LAPSUS$ diff --git a/pipeline/.app_inspect.yml b/pipeline/.app_inspect.yml new file mode 100644 index 0000000000..5c796aa342 --- /dev/null +++ b/pipeline/.app_inspect.yml @@ -0,0 +1,23 @@ +app_inspect: + stage: app_inspect + needs: + - validate_escu + - generate_escu + artifacts: + when: always + paths: + - artifacts/* + before_script: + - pip3 install poetry + - git submodule update --init contentctl + - cd contentctl + - git checkout main + - poetry install + script: + - poetry run contentctl -p ../ build --appinspect_api_username $APPINSPECT_USERNAME --appinspect_api_password $APPINSPECT_PASSWORD + after_script: + - mkdir -p artifacts/app_inspect_report + - cp -r dist/*.{json,html,log} artifacts/app_inspect_report + rules: + - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/' + when: on_success diff --git a/pipeline/.generate.yml b/pipeline/.generate.yml index 40a85697c1..0f4b889cda 100644 --- a/pipeline/.generate.yml +++ b/pipeline/.generate.yml @@ -15,10 +15,9 @@ generate_escu: script: - poetry run contentctl -p ../ build - cd .. - - mkdir -p artifacts/DA-ESS-ContentUpdate - - cp -r dist/DA-ESS-ContentUpdate/* artifacts/DA-ESS-ContentUpdate - - tar -czf artifacts/DA-ESS-ContentUpdate-latest.tar.gz -C artifacts/DA-ESS-ContentUpdate . - + - mkdir artifacts + - mv dist/DA-ESS-ContentUpdate-latest.tar.gz artifacts/ + generate_ba: stage: generate needs: diff --git a/pipeline/.release.yml b/pipeline/.release.yml index f64300b91e..0aa1b7be04 100644 --- a/pipeline/.release.yml +++ b/pipeline/.release.yml @@ -2,9 +2,9 @@ reporting: stage: release needs: - - generate_escu + - app_inspect variables: - BUCKET: "security-content-dev" + BUCKET: "security-content" before_script: - pip3 install poetry - git submodule update --init contentctl 
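Review bot: The `before_script` of the new `app_inspect` job runs `git checkout main` inside the contentctl submodule, so the tool that builds and submits the release package floats to whatever contentctl's `main` points at on the day a tag is pushed, instead of the commit the superproject pins (this commit bumps that pin as well, per the diffstat). A build that gates a public release should use pinned tooling: drop the `git checkout main` line and let `git submodule update --init contentctl` check out the recorded commit, or check out a specific tag. The tag rule `/^v[0-9]+\.[0-9]+\.[0-9]$/` accepts only a single-digit patch number, so a `v4.15.10` tag would silently skip this and every release job that copies the same rule; `[0-9]+$` is presumably what was meant. Passing the AppInspect credential as `--appinspect_api_password $APPINSPECT_PASSWORD` puts it in the process argument list, so that CI variable should be marked masked and protected (only tag pipelines need it), and if contentctl can read it from the environment that is preferable.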
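Review bot: `mkdir artifacts` in the rewritten `generate_escu` script drops the `-p` the old line had, so the job fails if `artifacts/` already exists in the workspace — for example when a job this one `needs:` publishes an `artifacts/*` path, since GitLab restores those into the working tree before `script` runs. `mkdir -p artifacts` is the safe form. The `mv` also assumes `contentctl build` now writes `dist/DA-ESS-ContentUpdate-latest.tar.gz` itself; that is not visible here (it presumably arrives with the submodule bump), so a one-line comment above the `mv` saying where the tarball comes from would help the next reader. The start of `generate_escu` is outside the hunk.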
@@ -20,19 +20,19 @@ reporting: - aws s3 cp reporting s3://$BUCKET/reporting --recursive --exclude "*" --include "*.svg" rules: - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/' - when: always + when: on_success # Security Content API Update security_content_api: stage: release needs: - - generate_escu + - app_inspect artifacts: when: always paths: - artifacts/* variables: - BUCKET: "security-content-dev" + BUCKET: "security-content" before_script: - pip3 install poetry - git submodule update --init contentctl @@ -58,37 +58,37 @@ security_content_api: - aws s3 cp dist/api s3://$BUCKET/json --recursive --exclude "*" --include "*.json" rules: - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/' - when: always + when: on_success # Update Attack Range ESCU App attack_range_escu_app: stage: release needs: - - generate_escu + - app_inspect artifacts: when: always paths: - artifacts/* variables: - BUCKET: "attack-range-dev" + BUCKET: "attack-range-appbinaries" before_script: - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" - unzip awscliv2.zip - ./aws/install script: - aws s3 cp artifacts/DA-ESS-ContentUpdate-latest.tar.gz s3://$BUCKET/ -# - aws s3api put-object-acl --bucket $BUCKET --key DA-ESS-ContentUpdate-latest.tar.gz --acl public-read + - aws s3api put-object-acl --bucket $BUCKET --key DA-ESS-ContentUpdate-latest.tar.gz --acl public-read rules: - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/' - when: always + when: on_success # Sync change to GitHub develop github_push_develop: stage: release needs: - - generate_escu + - app_inspect variables: - BRANCH: "ci_cd_testing" + BRANCH: "gitlab_release_$CI_COMMIT_TAG" before_script: - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )' - eval $(ssh-agent -s) 
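Review bot: The `attack_range_escu_app` job now really runs `aws s3api put-object-acl ... --acl public-read`, publishing `DA-ESS-ContentUpdate-latest.tar.gz` under a fixed name with nothing a consumer can use to verify what they downloaded. Emit and upload a digest next to it, e.g. `sha256sum artifacts/DA-ESS-ContentUpdate-latest.tar.gz > artifacts/DA-ESS-ContentUpdate-latest.tar.gz.sha256` followed by a second `aws s3 cp`, and consider also copying the tarball to a `$CI_COMMIT_TAG`-named key so an overwritten `-latest` object can still be traced to a release. Note that `put-object-acl` is rejected outright on buckets with ACLs disabled (Object Ownership set to bucket-owner-enforced), so if `attack-range-appbinaries` is configured that way the job will fail at the newly enabled line and a bucket policy is the right tool instead. The `before_script` above it downloads and runs the AWS CLI installer without checking its published signature; that predates this change but is worth fixing while the release path is being reworked.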
@@ -102,27 +102,27 @@ github_push_develop: - git config user.name "research bot" - git remote add github_origin git@github.com:splunk/security_content.git - git fetch --all - - git checkout -b $BRANCH github_origin/$BRANCH - - git pull - - git add --all - - git commit -m 'release' - - git push github_origin $BRANCH + - git checkout -b $BRANCH + - git push -u github_origin $BRANCH + # - 'curl -X POST -H "Authorization: token $CREATE_GH_RELEASE_PR" -H "Accept: application/vnd.github.v3+json" -d "{\"title\":\"Release $CI_COMMIT_TAG\", \"body\":\"This PR contains content for ESCU - $CI_COMMIT_TAG\", \"head\":\"develop\", \"base\":\"gitlab_release_$CI_COMMIT_TAG\"}" https://api.github.com/repos/splunk/security_content/pulls' rules: - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/' - when: always + when: on_success # Create Package GitLab -# need to be tested release_job: stage: release + needs: + - app_inspect image: registry.gitlab.com/gitlab-org/release-cli:latest script: - echo "running release_job" - release: # See https://docs.gitlab.com/ee/ci/yaml/#release for available properties + # See https://docs.gitlab.com/ee/ci/yaml/#release for available properties + release: tag_name: '$CI_COMMIT_TAG' description: '$CI_COMMIT_TAG' rules: - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]$/' - when: always + when: on_success \ No newline at end of file diff --git a/pipeline/.run_app_inspect.yml b/pipeline/.run_app_inspect.yml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml new file mode 100644 index 0000000000..f5ba4422be --- /dev/null +++ b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml 
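Review bot: The `# Sync change to GitHub develop` comment over `github_push_develop` is now misleading: after this rewrite the job only pushes the tagged commit as a new `gitlab_release_<tag>` branch (`git checkout -b $BRANCH` / `git push -u github_origin $BRANCH`), and the step that would open a PR into `develop` is commented out, so nothing updates `develop`. Replace that header (it sits just above this hunk) with `# Push the tagged commit to GitHub as gitlab_release_<tag>; the PR into develop is opened manually`. If the commented-out `curl` is revived, its `head`/`base` look inverted for that purpose — `head` should be `gitlab_release_$CI_COMMIT_TAG` and `base` should be `develop` — and interpolating `$CREATE_GH_RELEASE_PR` into the command line exposes the token to anything that logs argv, so pass it via `curl --config` or a header file instead. `git fetch --all` is also no longer needed now that the branch is created from the checked-out commit rather than from `github_origin/$BRANCH`.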
@@ -0,0 +1,99 @@
+name: Detect Prohibited Applications Spawning cmd exe browsers
+id: c10a18cb-fd70-4ffa-a844-25026e0a0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+type: Anomaly
+status: validation
+description: The following analytic identifies parent processes that are browsers,
+ spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or
+ built into macros. Much of this will need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
+ eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
+ = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
+ = lower(process.cmd_line) | eval actor_user = actor.user | eval actor_user_name
+ = actor_user.name | eval actor_process = actor.process | eval actor_process_pid
+ = actor_process.pid | eval actor_process_file = actor_process.file | eval actor_process_file_path
+ = actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name)
+ | eval device_hostname = device.hostname | where ((actor_process_file_name="iexplore.exe"
+ OR actor_process_file_name="opera.exe" OR actor_process_file_name="firefox.exe")
+ OR (actor_process_file_name="chrome.exe" AND (NOT process_cmd_line="chrome-extension")))
+ AND process_file_name="cmd.exe" --finding_report--'
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ mitre_attack_id:
+ - T1059
+ observable:
+ - name: process.pid
+ type: Other
+ - name: process.file.path
+ type: File
+ - name: process.file.name
+ type: File
+ - name: process.cmd_line
+ type: Other
+ - name: actor.user.name
+ type: User Name
+ - name: actor.process.pid
+ type: Other
+ - name: actor.process.file.path
+ type: File Name
+ - name: actor.process.file.name
+ type: File Name
+ - name: device.hostname
+ type: Hostname
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ product:
+ - Splunk Behavioral Analytics
+ required_fields:
+ - process.pid
+ - process.file.path
+ - process.file.name
+ - process.cmd_line
+ - actor.user.name
+ - actor.process.pid
+ - actor.process.file.path
+ - actor.process.file.name
+ - device.hostname
+ risk_score: 35
+ security_domain: endpoint
+ mappings:
+ - ocsf: process.pid
+ cim: process_id
+ - ocsf: process.file.path
+ cim: process_path
+ - ocsf: process.file.name
+ cim: process_name
+ - ocsf: process.cmd_line
+ cim: process
+ - ocsf: actor.user.name
+ cim: user
+ - ocsf: actor.process.pid
+ cim: parent_process_id
+ - ocsf: actor.process.file.path
+ cim: parent_process_path
+ - ocsf: actor.process.file.name
+ cim: parent_process_name
+ - ocsf: device.hostname
+ cim: dest
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/browsers/windows-security.log
+ source: WinEventLog:Security
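Review bot: In the `where` clause, `NOT process_cmd_line="chrome-extension"` is an exact equality on the lowercased command line, so it only excludes a cmd.exe whose entire command line is the string `chrome-extension`; if the intent is to drop extension-launched children, a substring test is needed, e.g. `AND (NOT like(process_cmd_line, "%chrome-extension%"))`. The `message` tokens `$dest_device_id$` and `$dest_user_id$` match neither a field the search evaluates nor the `cim` names in `mappings` (`dest`, `user`), so they likely render unexpanded — confirm against how SBA resolves message tokens. `how_to_implement` still says the search was modified for raw sysmon data from attack_range's nxlogs on DSP while `data_source` is Windows Security 4688, and `mitre_attack_id` lists T1059 although the test dataset path is T1059.003 (Windows Command Shell), the more precise mapping for a cmd.exe child. The same three documentation points apply to the office and powershell variants added below.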
diff --git a/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
new file mode 100644
index 0000000000..18cc724066
--- /dev/null
+++ b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
@@ -0,0 +1,100 @@
+name: Detect Prohibited Applications Spawning cmd exe office
+id: c10a18cb-fd70-4ffa-a844-25026e0b0c94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+type: Anomaly
+status: validation
+description: The following analytic identifies parent processes that are office/productivity
+ applications, spawning cmd.exe. By its very nature, many applications spawn cmd.exe
+ natively or built into macros. Much of this will need to be tuned to further enhance
+ the risk.
+data_source:
+- Windows Security 4688
+search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
+ eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
+ = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
+ = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
+ | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
+ | eval actor_process_file = actor_process.file | eval actor_process_file_path =
+ actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name)
+ | eval device_hostname = device.hostname | where (actor_process_file_name="winword.exe"
+ OR actor_process_file_name="excel.exe" OR actor_process_file_name="outlook.exe"
+ OR actor_process_file_name="acrobat.exe" OR actor_process_file_name="acrord32.exe")
+ AND process_file_name="cmd.exe" --finding_report--'
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ mitre_attack_id:
+ - T1059
+ observable:
+ - name: process.pid
+ type: Other
+ - name: process.file.path
+ type: File
+ - name: process.file.name
+ type: File
+ - name: process.cmd_line
+ type: Other
+ - name: actor.user.name
+ type: User Name
+ - name: actor.process.pid
+ type: Other
+ - name: actor.process.file.path
+ type: File Name
+ - name: actor.process.file.name
+ type: File Name
+ - name: device.hostname
+ type: Hostname
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ product:
+ - Splunk Behavioral Analytics
+ required_fields:
+ - process.pid
+ - process.file.path
+ - process.file.name
+ - process.cmd_line
+ - actor.user.name
+ - actor.process.pid
+ - actor.process.file.path
+ - actor.process.file.name
+ - device.hostname
+ risk_score: 35
+ security_domain: endpoint
+ mappings:
+ - ocsf: process.pid
+ cim: process_id
+ - ocsf: process.file.path
+ cim: process_path
+ - ocsf: process.file.name
+ cim: process_name
+ - ocsf: process.cmd_line
+ cim: process
+ - ocsf: actor.user.name
+ cim: user
+ - ocsf: actor.process.pid
+ cim: parent_process_id
+ - ocsf: actor.process.file.path
+ cim: parent_process_path
+ - ocsf: actor.process.file.name
+ cim: parent_process_name
+ - ocsf: device.hostname
+ cim: dest
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ssa_validation/office/windows-security.log
+ source: WinEventLog:Security
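Review bot: The `where` list covers winword, excel, outlook and the two Acrobat binaries but not `powerpnt.exe`, although the description promises office/productivity applications in general; add `OR actor_process_file_name="powerpnt.exe"` before the closing parenthesis so PowerPoint-spawned cmd.exe is caught as well. Unlike the browsers variant, `eval process_cmd_line = process.cmd_line` here does not apply `lower()`; the field is unused in this predicate so there is no behavioural difference today, but aligning the two files avoids a surprise when a command-line filter is added later.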
diff --git a/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
new file mode 100644
index 0000000000..e048a142af
--- /dev/null
+++ b/ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
@@ -0,0 +1,97 @@
+name: Detect Prohibited Applications Spawning cmd exe powershell
+id: c10a18cb-fd70-4ffa-a844-25126e0b0d94
+version: 1
+date: '2023-10-26'
+author: Lou Stella, Splunk
+type: Anomaly
+status: validation
+description: The following analytic identifies parent processes that are powershell,
+ spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or
+ built into macros. Much of this will need to be tuned to further enhance the risk.
+data_source:
+- Windows Security 4688
+search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
+ eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
+ = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
+ = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
+ | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
+ | eval actor_process_file = actor_process.file | eval actor_process_file_path =
+ actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name)
+ | eval device_hostname = device.hostname | where actor_process_file_name="powershell.exe"
+ AND process_file_name="cmd.exe" --finding_report--'
+how_to_implement: In order to successfully implement this analytic, you will need
+ endpoint process data from a EDR product or Sysmon. This search has been modified
+ to process raw sysmon data from attack_range's nxlogs on DSP.
+known_false_positives: There are circumstances where an application may legitimately
+ execute and interact with the Windows command-line interface.
+references:
+- https://attack.mitre.org/techniques/T1059/
+tags:
+ analytic_story:
+ - Suspicious Command-Line Executions
+ - Insider Threat
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ mitre_attack_id:
+ - T1059
+ observable:
+ - name: process.pid
+ type: Other
+ - name: process.file.path
+ type: File
+ - name: process.file.name
+ type: File
+ - name: process.cmd_line
+ type: Other
+ - name: actor.user.name
+ type: User Name
+ - name: actor.process.pid
+ type: Other
+ - name: actor.process.file.path
+ type: File Name
+ - name: actor.process.file.name
+ type: File Name
+ - name: device.hostname
+ type: Hostname
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event
+ that warrants investigating.
+ product:
+ - Splunk Behavioral Analytics
+ required_fields:
+ - process.pid
+ - process.file.path
+ - process.file.name
+ - process.cmd_line
+ - actor.user.name
+ - actor.process.pid
+ - actor.process.file.path
+ - actor.process.file.name
+ - device.hostname
+ risk_score: 35
+ security_domain: endpoint
+ mappings:
+ - ocsf: process.pid
+ cim: process_id
+ - ocsf: process.file.path
+ cim: process_path
+ - ocsf: process.file.name
+ cim: process_name
+ - ocsf: process.cmd_line
+ cim: process
+ - ocsf: actor.user.name
+ cim: user
+ - ocsf: actor.process.pid
+ cim: parent_process_id
+ - ocsf: actor.process.file.path
+ cim: parent_process_path
+ - ocsf: actor.process.file.name
+ cim: parent_process_name
+ - ocsf: device.hostname
+ cim: dest
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-security.log
+ source: WinEventLog:Security
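Review bot: The predicate matches only `actor_process_file_name="powershell.exe"`, so cmd.exe spawned by PowerShell 7 (`pwsh.exe`) or the ISE (`powershell_ise.exe`) is missed; widen it to `where (actor_process_file_name="powershell.exe" OR actor_process_file_name="pwsh.exe" OR actor_process_file_name="powershell_ise.exe") AND process_file_name="cmd.exe"`. The `description` sentence about cmd.exe being "built into macros" is carried over from the office variant and does not describe a PowerShell parent; something like `PowerShell scripts and interactive sessions routinely call cmd.exe, so this will need tuning per environment.` fits this file better.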
diff --git a/stories/citrix_netscaler_adc_and_netscaler_gateway_cve_2023_4966.yml b/stories/citrix_netscaler_adc_and_netscaler_gateway_cve_2023_4966.yml
new file mode 100644
index 0000000000..4af15b9434
--- /dev/null
+++ b/stories/citrix_netscaler_adc_and_netscaler_gateway_cve_2023_4966.yml
@@ -0,0 +1,22 @@
+name: Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
+id: b194d644-4095-431a-bee0-a8e6ec067414
+version: 1
+date: '2023-10-24'
+author: Michael Haag, Splunk
+description: A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised.
+narrative: On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability.
+references:
+ - https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/
+ - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
+ - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
+ - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
+ - https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml
+tags:
+ analytic_story: Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
+ category:
+ - Adversary Tactics
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
diff --git a/stories/plugx.yml b/stories/plugx.yml
new file mode 100644
index 0000000000..3d2de036d4
--- /dev/null
+++ b/stories/plugx.yml
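Review bot: The `description` and `narrative` of the Citrix NetScaler story are reproduced in the vendor's first person ("discovered by our internal team", "we have since received credible reports"), which reads as Splunk's own claim; attribute it, e.g. `Cloud Software Group reports that the vulnerability was found internally and that it has since received credible reports of targeted exploitation.` The CISA list is the "Known Exploited Vulnerabilities (KEV) Catalog", not "Known Exploited and Vulnerabilities Catalog", in both fields. Both values are single very long lines; wrapping them as the other story files do (or with `>-`) keeps future diffs reviewable.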
@@ -0,0 +1,35 @@
+name: PlugX
+id: a2c94c99-b93b-4bc7-a749-e2198743d0d6
+version: 2
+date: '2023-10-12'
+author: Teoderick Contreras, Splunk
+description: PlugX, also referred to as "PlugX RAT" or "Kaba," is a highly sophisticated remote access Trojan (RAT) discovered in 2012.
+ This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives.
+ PlugX provides attackers with comprehensive remote control capabilities over compromised systems,
+ granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.
+narrative: PlugX, known as the "silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats.
+ This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware.
+ It's the go-to tool for sophisticated hackers with one goal in mind, espionage.
+ PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses;
+ it goes a step further, slipping quietly into your systems, much like a ghost. Once inside,
+ it opens the door to a world of possibilities for cybercriminals. With a few keystrokes,
+ they can access your data, capture your screen, and silently watch your every move.
+ In the hands of skilled hackers, it's a versatile instrument for cyber espionage.
+ This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul.
+ Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.
+references:
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx
+ - https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse
+ - https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf
+ - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+ - https://attack.mitre.org/software/S0013/
+tags:
+ analytic_story: PlugX
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
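Review bot: The `narrative` opens a quotation at `"silent infiltrator of the digital realm,` that is never closed; either close it after `realm` or drop the quotes. The remainder is dramatised prose ("reads like a spy thriller", "much like a ghost") that gives an analyst nothing to act on; a few factual sentences summarising the behaviours documented in the linked MITRE S0013 and Mandiant references would serve the story better. `version: 2` on a file this commit creates looks odd — if it was migrated from an older story that is fine, otherwise it should start at 1.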