From 3b2f192977cd3be951a4bf3366d2836f387888c7 Mon Sep 17 00:00:00 2001 
From: ryan Date: Fri, 9 Sep 2022 10:34:41 -0400 Subject: [PATCH] Update stix to correspond to MBC v2.3 --- USAGE.md | 2 +- ...-001ca78e-188e-4725-9f43-706d0f487837.json | 4 +- ...-006afc45-b6df-4e75-8102-b38ccb09db58.json | 2 +- ...-010c8801-3ad4-479b-8c56-c29e108121c9.json | 2 +- ...-013fce9b-0645-41a4-b6ec-03a70b319715.json | 2 +- ...-023243fb-9971-4e64-9bca-5976fa84f08f.json | 4 +- ...-02b99b72-6baa-4329-9a48-1ce8aae4383a.json | 4 +- ...-02f5dda2-da92-4e5b-88bb-67e9e542c444.json | 4 +- ...-03996e71-dfa7-4585-8a42-da7f95c50436.json | 16 +- ...-03d1844f-241a-4ed9-858f-47e5e6543746.json | 4 +- ...-0469984a-07e7-4160-ba64-f1abf02346bb.json | 4 +- ...-048440e7-8adb-4a71-9ee3-922ca4040b1f.json | 9 +- ...-04da331b-6112-420c-9358-58cb21e5a4af.json | 4 +- ...-04e25839-3207-4600-8972-618aa7cf44af.json | 4 +- ...05f154ce-4547-45cf-a664-ca231fdcff54.json} | 19 +- ...-063274b5-04c4-4987-98d6-850c2598b601.json | 4 +- ...-068a3a77-caf2-4951-9e38-97ad68c792d6.json | 4 +- ...-06c3d5c7-d4bf-4b28-8385-e169ba81e744.json | 2 +- ...-07181568-3663-4ade-ac99-3e32bd7d5400.json | 4 +- ...-0741d3d3-4027-430d-a574-5bc06d62a9c0.json | 6 +- ...-0947cd27-a2b6-466f-b47c-4d36e4ce06cb.json | 4 +- ...-0985829f-204f-4760-8ece-ff0f3031a715.json | 4 +- ...098a700a-4cc0-4d0a-8bc5-42e7181eff1e.json} | 21 +- ...-09aa0bf7-bdec-4642-ad23-c8f1c9b01297.json | 2 +- ...-09c1ddac-3b9f-487d-acba-78be3b686519.json | 4 +- ...0a5b94d6-6800-4855-8cd9-d100af9f67d9.json} | 14 +- ...-0aeb39aa-febf-463e-97e0-546f558daed6.json | 4 +- ...-0b1371c5-4bec-466a-b643-43b719537894.json | 4 +- ...-0b6c8517-62d1-49c1-9a2d-9300806d1370.json | 4 +- ...-0be642a6-a030-4ecf-9c30-83f9cbc9fd56.json | 4 +- ...0c59fe14-659a-4248-b205-7fc3371af6c7.json} | 12 +- ...-0e2fb8df-bef3-4664-88f9-f6614b80f107.json | 4 +- ...-0e87261d-5234-4ccb-87c1-2f9bb32b5c11.json | 4 +- ...-0eb664b8-73e1-4799-9e22-277ab898579d.json | 4 +- ...-0f77be56-a5ef-4c06-8557-46782bb2cd67.json | 4 +- ...-0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f.json | 4 +- 
...-1004c879-79b0-44db-996c-910a7f9e3857.json | 4 +- ...-1011a561-6f17-4f8d-874a-8ad491a2b470.json | 4 +- ...-1057fe1c-c844-4de3-b72d-05313572a36c.json | 4 +- ...-10bee884-590b-45f4-8577-5cbe6d6efa1a.json | 4 +- ...-112d8251-af9c-404d-b3f6-44bd15c42a5d.json | 4 +- ...-1212c336-4105-477e-9e3a-0789790a3941.json | 4 +- ...-12c16b13-65d4-49ea-9dcb-3a88553ac5d3.json | 4 +- ...-13631209-26c3-481c-bd8c-fa6c57c3dbe5.json | 2 +- ...-13d8f97e-b0dc-4ced-918d-31297b1f9aff.json | 4 +- ...-146be7e5-feeb-4dd2-8283-796b29394ac1.json | 4 +- ...-14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a.json | 4 +- ...-1504bfdb-bc65-4fc2-9afd-8d2e82737dd6.json | 4 +- ...-1506d910-1208-4064-a633-8291f6d36e74.json | 4 +- ...-1540ed37-87c4-485f-b729-1e418a63762c.json | 9 +- ...-155facb0-bb4a-4df0-b276-70c16f4c12f9.json | 4 +- ...-168ed95b-0c10-42c4-9f0a-c1c462b39f6c.json | 4 +- ...-17cf477e-a8e5-4c52-b207-7023cfd16c1d.json | 4 +- ...-17e05846-68f4-4f0c-bc23-88e01515bfcf.json | 4 +- ...-180d573a-3efb-477c-b306-721bc3906eae.json | 4 +- ...-18377be7-e46d-48a0-ac85-b6af8f777b78.json | 2 +- ...-187b4cd8-132e-4514-9ad2-e0b20abc2b70.json | 8 +- ...-195e17be-fac3-4ffe-a961-631e2af205bb.json | 4 +- ...-1a424274-077f-4c21-bc63-ef2d8e574ed0.json | 6 +- ...-1a89f398-f3ef-484a-8735-024823241a11.json | 4 +- ...-1adddaa3-6164-4adf-b910-6b8a78fb3111.json | 4 +- ...-1afb242c-883b-40c2-8a37-fc5064dd7d2b.json | 4 +- ...-1b5c05fd-3785-4710-8ee2-efadad6ef437.json | 4 +- ...-1bfa0256-c28e-4dcc-82f6-8fa6880328f6.json | 4 +- ...-1c9f410c-8e61-4d75-80be-e80461c54971.json | 16 +- ...-1cca12fe-f5c4-4c35-979b-5c6962dd9484.json | 4 +- ...-1d1b8b46-c3d7-49e5-8856-367b48272f5e.json | 21 +- ...-1d9b88e8-2bab-44ac-b1ae-26faf8f07f48.json | 4 +- ...-1dd62131-bc8e-4de7-b68a-1ea4c6b44c03.json | 4 +- ...-1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c.json | 53 - ...-1e4a21a9-2d09-48fc-bcea-13d1359f2bbd.json | 4 +- ...-1e5a85a2-73fc-467c-a94b-ec867885b4c3.json | 4 +- ...-1ef444d5-6292-4701-be04-7d8bbd677b95.json | 4 +- 
...-200ecf0e-33a7-4a9c-af4a-a3033b64e238.json | 4 +- ...-2010a1d6-4a0a-4a07-ae97-2fbad0f81439.json | 34 +- ...-2080b6b4-a74c-43da-97db-1a2ca33ca589.json | 4 +- ...-20bb8954-7d15-4f3f-b015-6de301407391.json | 4 +- ...-21399f14-f429-48f6-be04-d971783ba531.json | 4 +- ...-225f1311-c972-428d-be5e-f99a9edb705c.json | 4 +- ...-23949fea-4e13-41e3-b8c7-b25efd93f346.json | 4 +- ...-23cc9528-7b14-4f75-9daf-0afb8d9c24fa.json | 53 - ...-243d3475-704e-4bc1-b8a6-42ca4bda02fc.json | 4 +- ...-24464dee-85e0-4fbf-b604-130f783c3689.json | 4 +- ...-245f1add-7e00-4b25-9f57-a88febbd9359.json | 4 +- ...-2494ac41-5d2b-4112-903a-fdc2a09d376b.json | 4 +- ...-24d2552e-d0ee-4ab5-8e75-743b233379e1.json | 4 +- ...-24ed02f2-afad-49c8-a3c4-8ab1c418443e.json | 9 +- ...-2514d117-a906-491c-bdef-fdc0ca4ab49b.json | 2 +- ...-25dbb3ef-6301-4f8c-a8d2-a03b5c23dafd.json | 4 +- ...-2620e845-cb45-43b5-91a4-dd72dcf3339d.json | 4 +- ...-26a24fc4-3488-408f-ae36-9e5e881f4b9e.json | 2 +- ...-26d8815b-c8d1-4fc9-a6f6-218c0436b7a1.json | 4 +- ...-276108d0-bfef-45d8-9e20-0e6f5c107f6f.json | 2 +- ...-27a1c173-3d93-430b-9544-8dd2db602b87.json | 12 +- ...-2847e96e-8080-4f95-96df-b2194e42ac25.json | 4 +- ...-28715d14-8b3f-4be9-95f6-e306de73f53f.json | 53 - ...-28c6f55a-126f-436b-ab2e-af77f91d0cec.json | 2 +- ...-295a3b88-2a7e-4bae-9c50-014fce6d5739.json | 14 +- ...-2a23ab2e-fd3b-4c5f-991c-021d9a132754.json | 21 +- ...-2b01bf8e-63cf-495c-8e2f-d18a8c286ad5.json | 4 +- ...-2b4653a5-2865-4768-ae75-e1f7cb84b39a.json | 4 +- ...-2baec974-fab4-4fe3-92a6-c477893f132d.json | 4 +- ...-2bef87a4-e803-4bb7-8f8f-fac4f63a02e1.json | 4 +- ...-2bf1a1a6-82ff-4e52-b11c-bd2d0495e830.json | 2 +- ...-2c55e74c-c066-43e0-bdaa-8d74959b7694.json | 16 +- ...-2c90706d-0b4a-45e1-b9f0-0292ebb69edf.json | 4 +- ...-2cab79e4-750b-43e3-9486-0d7801d8fdd8.json | 2 +- ...-2e82d33e-a804-42a2-9931-57f7b7af78f9.json | 4 +- ...-2ed5189e-8701-45ab-b222-b4b23f2bbb0e.json | 2 +- ...-2f16f65d-4fba-4574-882d-97d54392f5bb.json | 4 +- 
...-2f1cafa6-177a-4731-aad5-a747e5514ad9.json | 13 +- ...-2f605aaf-790b-4ba1-9603-3b14cf2f1c52.json | 4 +- ...-2f82d3b5-c6f8-4f4b-89e1-8605ea457749.json | 4 +- ...-2fdbb4b2-a02a-42de-a6de-2263b48392f1.json | 4 +- ...-2ff4ce39-a726-471a-92d9-21a5c51a0bc3.json | 22 +- ...-3018beac-a047-4b14-9c72-3340866b4c67.json | 4 +- ...-30b37187-7b90-4271-b554-e0a5265fc977.json | 37 + ...-3110ab37-847b-4f50-be91-9748cee0f4a0.json | 2 +- ...-31c2f227-2583-4f36-a24f-0f2610f1e055.json | 4 +- ...-333a4ca2-d8a5-4829-abcb-c42736a41f0d.json | 4 +- ...-33ac3946-4bd9-4904-b02e-45e2d17dbfdd.json | 4 +- ...-33c50b1a-84dd-4b11-ba7b-ba64199ce18f.json | 20 +- ...-35284c4d-652f-40bd-b49b-7d625914bc75.json | 4 +- ...-352fc821-2bbf-4d2a-a9a2-3a69b3bac30c.json | 4 +- ...-35365158-0007-49fa-bc45-da311d3c6246.json | 4 +- ...-35a8f2ce-05e2-4a25-a469-e07a6360eee3.json | 4 +- ...-35d551ab-014b-4fab-8ba8-b91fb42a3985.json | 4 +- ...-36074f02-7b9b-4052-998f-cb6c56447031.json | 4 +- ...-373415cb-bc3b-4602-8032-584b7cf758c5.json | 2 +- ...-373bb770-4890-4e13-a0d6-94459bed37aa.json | 4 +- ...-37487e77-eda2-495c-bf1c-48f05062b2ca.json | 4 +- ...-37eb387f-ecb3-4098-926b-2e1d2c3da16e.json | 4 +- ...-38dad326-aeb6-4341-9a2b-233fcd5698cd.json | 2 +- ...-3955de8e-1ab7-4ab0-b7ca-226822885913.json | 8 +- ...-39d98cff-ebf0-4824-8a7a-55ba1058664b.json | 4 +- ...-39df68e5-9065-4b60-8ad1-ff626707b95a.json | 4 +- ...-3a9b6fab-01af-47ef-9563-69427ed4090c.json | 4 +- ...-3aa1c4d4-06c4-4d48-bc44-601b29abded8.json | 4 +- ...-3b11e590-980e-4850-a9a1-6189b62f62b1.json | 4 +- ...-3bb917e7-25d9-42de-8b23-d040a51c08e5.json | 2 +- ...-3c0f36be-c4c0-4769-9be4-50682bc6a467.json | 4 +- ...-3cb4d50f-649d-4b09-b9a4-151bcc7ebc43.json | 4 +- ...-3d34b429-1686-44be-8b63-bded4942cee7.json | 4 +- ...-3d502650-c707-4d28-b520-f440faa33ade.json | 2 +- ...-3dc536c2-fa47-4acd-9043-1b0a0c2b2db6.json | 2 +- ...-3f00f5b3-a3bf-4c9c-8874-f7998c391aa8.json | 11 +- ...-3f907716-eb0f-4fd6-8db6-46f6932ab585.json | 4 +- 
...-3fe270a3-09a5-4ca9-937f-d2bee9afed96.json | 4 +- ...-405c94b9-4f0e-476b-982d-72bb1905daa9.json | 2 +- ...-415ff076-0f63-4040-940e-439321695a67.json | 4 +- ...-41746d12-dfb1-4e7d-bd7e-81678b93b977.json | 4 +- ...-41c176c1-6258-4bd4-9518-c2dc433c254c.json | 8 +- ...-4283aa07-89f3-40d8-b45f-87ef48c8a86d.json | 4 +- ...-4294b63a-0b68-473a-8e57-bd5da8d90bf6.json | 44 +- ...-42a50e42-61c1-4eb0-a7a2-f7f278feb391.json | 4 +- ...-42c0847a-d4e3-497e-9540-c691ae0364c1.json | 4 +- ...-42cea877-6723-4126-a016-6f2b8954eb6b.json | 6 +- ...-454163a6-b453-449c-88c1-96919f92705a.json | 4 +- ...-45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2.json | 4 +- ...-45f0c217-fd80-4ce1-a9b1-4a62418162bb.json | 4 +- ...-461d88f4-10e9-4db1-b91d-e9a8cd0f8654.json | 4 +- ...-46c39f69-1900-4558-9c0d-2d9fe322dd41.json | 4 +- ...-46d77a13-9d20-4c9c-9846-cf6f298f6836.json | 4 +- ...-48018d04-fcd1-4e5d-b29f-6ccf841ae65f.json | 4 +- ...-48964591-554c-420d-896b-89ad16f17eec.json | 4 +- ...-489d6e43-968b-432d-b89b-e9e4f974423b.json | 4 +- ...-4a062538-03cd-44da-a19f-6ed4401a4c36.json | 4 +- ...-4b908d8d-dc10-4114-99e6-8a82fe6a5e7f.json | 4 +- ...-4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a.json | 10 +- ...-4c1e6e56-1c8d-4bce-b696-68ac83cb33f6.json | 2 +- ...-4c4a5671-e788-40b8-8fd9-56d94ba32901.json | 4 +- ...-4c89f923-0e3e-41ff-b128-2e47acbd80b7.json | 4 +- ...-4ca9173b-10b3-4a35-8507-f6b34fa4fc23.json | 4 +- ...-4ce382af-356c-4906-b6f1-e44b4d71ed02.json | 4 +- ...-4d618788-4089-4149-8948-3d3524c766c5.json | 2 +- ...-4e6169c5-7791-4c39-b6c9-d79628a85448.json | 4 +- ...-4e688c01-10a1-41e9-a909-5442531069ac.json | 2 +- ...-4ec39934-4cf3-4e7a-96fb-425ea2f56d15.json | 4 +- ...-4f3bc817-8162-41b5-b617-5c9a261b66e0.json | 4 +- ...-4f786f90-7679-427a-932b-2d212faffa37.json | 4 +- ...-4f994303-c449-4d22-8ead-5c531a36ecf5.json | 4 +- ...-50e612f9-3481-42fc-aa7f-a468ce59a556.json | 2 +- ...-51147afe-363a-4b8f-8bdd-2f3601c785f1.json | 4 +- ...-5146900f-415f-4817-9153-a9a3f857b3cd.json | 4 +- 
...-5280b393-729d-43d5-b9e7-81da3d31b450.json | 2 +- ...-531f2659-2119-40c0-b3a6-d921feabb3ce.json | 12 +- ...-53354aca-b791-4d12-875c-730f75d9be91.json | 2 +- ...-5389958e-188f-453f-ba90-e886291f200e.json | 4 +- ...-541b3b19-6e67-4c06-9f03-1b3f5a4395c4.json | 4 +- ...-54782583-3e1e-4e43-a038-882e989e0c0f.json | 33 + ...-54c7f1ed-7132-4022-8f3e-3fd4e5b88169.json | 2 +- ...-55040e64-313d-4656-8e1c-1146ff2f47d7.json | 4 +- ...-5543a067-b312-42fa-8943-f58e3f709332.json | 4 +- ...-5625baf5-d4bd-4920-b541-abc2e8466405.json | 4 +- ...-56e26c80-e09f-4a51-8947-3c5a07dd3bf9.json | 4 +- ...-56e97c05-06ca-49f9-bf50-d663993dee22.json | 4 +- ...-5706671b-371d-40dd-95ae-d9574ba49291.json | 4 +- ...-574e1bad-081e-43d5-a6e5-665cdc815b8d.json | 4 +- ...-58245c62-d50e-40d4-b31e-63902657709f.json | 4 +- ...-598efe94-7195-42ad-9af8-d1d9c39433ba.json | 2 +- ...-5a28507d-35d5-4a9c-83e0-4ecb9774c23c.json | 4 +- ...-5a3611aa-4253-4302-b09e-02fe53a1af9d.json | 12 +- ...-5a895abc-11b8-4f33-a05d-47daa38002af.json | 4 +- ...-5aed60b2-8feb-4d3a-a585-b399a41bbc6f.json | 2 +- ...-5b65a982-2a1d-4b32-ad40-b9e05b4d0284.json | 4 +- ...-5b93eef5-683e-44cb-b737-0e80feb890d2.json | 2 +- ...-5c5601b2-b0ce-4732-a2b2-d45c30efef8c.json | 2 +- ...-5c965b91-a0fd-4a85-b688-9be91a7a5aa8.json | 53 - ...-5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2.json | 4 +- ...-5d116564-0ef7-4791-9a34-e86d81840b49.json | 20 +- ...-5eef016e-6366-41e1-a33d-d85727dd5d65.json | 4 +- ...-5ef50fb5-9da5-4926-85a6-8049dc0be9b3.json | 4 +- ...-5f35c276-1599-47f2-b4df-468ccfa1e08b.json | 4 +- ...-5f9d93b4-1083-440c-a170-eb181041fc56.json | 2 +- ...-603e1968-92e1-41ec-86f1-c2ea0d28b7bf.json | 4 +- ...-6069021d-57ec-403e-b6fc-013b995aa2f0.json | 4 +- ...-608a4855-fe3a-4bff-a7a2-46db2ffd360b.json | 4 +- ...-6168e69c-f827-4f92-8404-cd24fff9802c.json | 13 +- ...-61eb90ad-4b2a-4d85-b264-7f248a05507d.json | 9 +- ...-623daf49-2a74-4fd8-a7f0-e11a8475999f.json | 2 +- ...-62792aba-aba0-4623-b7b7-479bae7d314b.json | 4 +- 
...-6287eb18-a197-4822-b0f5-99b4237fe18a.json | 4 +- ...-62e27cc8-6e08-4d62-af86-2eb0e42fc530.json | 2 +- ...-641e7321-439b-4888-8624-f3ceace8465e.json | 4 +- ...-6479f655-1a26-4a37-96b4-170c5a57a31d.json | 2 +- ...-648530a1-e16b-45c6-ae10-d3d47fc8bcb7.json | 4 +- ...-6495c1d8-c694-4fc0-8063-05f0a42cad27.json | 4 +- ...-64b0c35c-a5fc-4410-aff8-0c85f9689f60.json | 2 +- ...-64ec233c-8762-4e4a-af40-475ebd3aa127.json | 4 +- ...-656e96ac-b245-4c79-8b28-81423fd5d3cf.json | 4 +- ...-65ac0031-387e-41f5-8c05-4a7484fa460d.json | 2 +- ...-6636c8bd-41a4-4a1e-965d-642c08be68db.json | 6 +- ...-664457b6-7f76-4745-a92d-6acbfe3ee384.json | 4 +- ...-665d234f-6c97-4ae2-b43f-18ea89336220.json | 4 +- ...-66639ad1-1214-46af-9ce6-31b526ef6d9c.json | 14 +- ...-66995783-bfea-4c72-8fcb-4bdb015dc98f.json | 16 +- ...-66f0b43c-19fd-40b8-ae4f-de356df77371.json | 4 +- ...-673cfd52-f67e-4fad-80b2-64465de4f7b0.json | 4 +- ...-677563ae-beb5-47f2-b85c-ece6d7c7dc7e.json | 4 +- ...-683507af-37f1-4db4-a922-d41cceaa8789.json | 4 +- ...-68791849-d1ec-436a-983a-b6ca41bea52c.json | 4 +- ...-68d12b85-7712-4572-a801-222a375b7033.json | 4 +- ...-69154c09-d2ee-4328-9543-1d0c1233df31.json | 4 +- ...-69401771-6ed2-45b5-bc81-68444a3dc4c9.json | 4 +- ...-69af89da-bf40-4b9e-93c5-baa8fb937099.json | 4 +- ...-69d4e839-b6ce-4299-b242-83192d6b62c2.json | 4 +- ...-69df421d-b8ea-49d2-9bd2-9df44aa3ced6.json | 2 +- ...-69f9ba6a-eb9e-4486-ae5e-fb7de1012c90.json | 4 +- ...-6a54a038-71b7-4b4c-87c2-2e5b433404af.json | 4 +- ...-6a958b33-6517-459c-afda-7f4f490ac15d.json | 2 +- ...-6ac62da2-e142-4fca-afba-bc0a0722cefc.json | 4 +- ...-6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d.json | 4 +- ...-6dfa5d14-e016-4572-a2c9-ca4f697c7a14.json | 2 +- ...-6dfe201d-34d6-4474-9210-e0364cca9de0.json | 4 +- ...-6e6d534f-57ae-49cd-be41-0b6a77fbb6fb.json | 6 +- ...-6e892e5f-0d39-4e58-9a69-1ff8cc479291.json | 4 +- ...-6f4c9cb2-1417-4f3e-a907-bce53e3a68a3.json | 4 +- ...6f73f473-5fb0-4777-a951-6de90d9ea01f.json} | 12 +- 
...-6ffd281c-acc5-4543-9fb5-aa0002339ea8.json | 4 +- ...-7069df4d-92ef-4a18-b5a5-bf27dc9ef446.json | 8 +- ...-70de257e-38ed-4422-864b-3b6d74aa5fab.json | 4 +- ...-71d88456-13b6-48de-b779-e6ff71aa3b5e.json | 4 +- ...-73478759-d9de-4bbd-a687-081c5f00c935.json | 4 +- ...-73482bd3-d3d1-4f57-a5ac-59bf22866f16.json | 10 +- ...-739b9d69-ce7d-4ef5-b39e-9bcdb6796200.json | 18 +- ...-741edcac-607c-4ebf-a8d0-928e02fe1461.json | 4 +- ...-74d536e7-5fb3-4633-8f42-ca413aa2beea.json | 2 +- ...-74f89ee2-f4c0-4221-8951-e3a8f1fc449b.json | 2 +- ...-75109dae-5db7-4582-be8b-edcea907659d.json | 4 +- ...7533526d-569f-460b-9e00-5ef2d6eff9e2.json} | 21 +- ...-758df510-b765-4172-94ad-70561cd0ef62.json | 4 +- ...-75f19e70-8d96-4a7b-a3cf-e629c8d5e779.json | 24 +- ...-76206161-2e14-48a0-9191-998ef774b345.json | 4 +- ...-763fa6dd-331c-4c07-bc09-00f40cc958cc.json | 4 +- ...-767a1acf-9e83-4181-82cd-2bcb9d8871d9.json | 9 +- ...-772c8a08-0dbb-4059-8459-7ac1193840bc.json | 4 +- ...-7781ebfd-13bd-4a00-9c51-ed98a45f8749.json | 33 + ...-77932220-efa9-44d5-b3a9-c5d9ed4f3573.json | 2 +- ...-77b42d45-8bcf-4d7d-b6d1-4756b6edf272.json | 4 +- ...-77bdb86e-a847-45fa-bf4b-0ef6d2038da6.json | 8 +- ...-7850a582-f8c8-4582-a473-1b12e1f45929.json | 4 +- ...-7855768b-8130-4981-8420-6e8a8d2a277a.json | 4 +- ...-791870bd-2325-4d30-b437-5e90ee997f3c.json | 4 +- ...-793f4091-8c74-4062-95e0-0b32bccb5777.json | 4 +- ...-795aa535-959e-44b7-9f5e-2d5d0ca3cd1c.json | 4 +- ...-7981f82d-ff58-4d38-a420-69d73a67bbc9.json | 4 +- ...-79e12011-d4af-449f-b2da-6b4227564808.json | 4 +- ...-7aa33db8-4800-430a-8068-8b57b85a9b8a.json | 4 +- ...-7adc736f-d3ca-438a-8bce-46967e062ea3.json | 2 +- ...-7ae3202c-73b7-4153-a577-4d3084e2675f.json | 2 +- ...-7c01a0a6-5081-4609-9546-120f0652f1d4.json | 4 +- ...-7c1bb00d-f8cb-4ca8-aa11-b59f5b108996.json | 9 +- ...-7c5cb62b-9374-47b1-8a2f-82204b8640b6.json | 4 +- ...-7c77b8ac-f548-48ae-813d-028de1a8d9fd.json | 8 +- ...-7c7b98c3-b136-439f-83ce-4dd357e76c89.json | 2 +- 
...-7c9e2694-0dce-4dc3-aa06-199d5d002a05.json | 2 +- ...-7d349643-5ab8-4dc6-934f-bf16d0b0ea29.json | 8 +- ...-7f30f323-51eb-42a6-8331-834b0da343cc.json | 4 +- ...-7f779291-853e-4e30-a57c-0b3276b70905.json | 2 +- ...-7fac651b-a6ae-494c-9386-d75a454776da.json | 2 +- ...-7fb51daf-9a09-4cab-b202-fec90ad30e03.json | 8 +- ...-80d3bfbb-e88b-4396-9233-9fc88096a938.json | 4 +- ...-80ee5a98-6e25-4cb6-a6d2-3321855e14e2.json | 2 +- ...-81062418-20ac-4df8-86e0-856587b02533.json | 18 +- ...-81090849-4ac4-4838-9e06-6a027036d936.json | 2 +- ...-81bed55c-e336-4637-bae0-07d7d4d82ebe.json | 4 +- ...-81c902fa-0862-4f21-b951-f82a5d39f204.json | 4 +- ...-8226e7fa-8e78-497b-9967-32e5d1395e12.json | 2 +- ...-82b547ba-e0b0-457f-95fc-c661d1aa0942.json | 4 +- ...-83145b10-974b-4bcd-8547-1f441be18d36.json | 2 +- ...-83576712-779f-4c76-9459-939092f6cd70.json | 4 +- ...-83892ea2-fded-49dd-bca7-d415f8fea8f9.json | 2 +- ...-838d57ce-1e63-4898-9054-14851119e5fc.json | 2 +- ...-84157800-81cd-4b3a-abb0-5f7ada18a28f.json | 4 +- ...-84b9dfc5-4109-40fb-8378-52ecc2919cb4.json | 2 +- ...-85137da0-876b-4ce2-a1ce-d582043ed578.json | 2 +- ...-856d6d11-4b8a-47d6-afb0-b79aa462fa26.json | 4 +- ...-85809708-79ee-4bff-824e-471b7bbd30a9.json | 4 +- ...-85d9ce2b-1b52-4de5-8b03-74ed590639d6.json | 4 +- ...-85da3a4e-287a-45b9-91d2-019b59af07e3.json | 4 +- ...-8736d370-3b61-4b4d-a371-0a01e988cbde.json | 4 +- ...-87414f49-bf46-4a09-9999-979d71eb16a5.json | 2 +- ...-878a631a-286b-4df2-bd6c-29a14053c402.json | 4 +- ...-87adc62c-05e8-4594-94f6-d6e034597859.json | 24 +- ...-87b6586d-145f-47d9-8183-755ca03e5921.json | 2 +- ...-8845345d-4d1d-4527-9b6a-93f23f247992.json | 2 +- ...-88906eb3-c6df-452f-a16d-d276a39a39d4.json | 4 +- ...-89594c9d-1e28-49a2-8969-694ade43e857.json | 4 +- ...-89a1d613-7163-493b-8aa9-7a528dd1dd3e.json | 4 +- ...-89bb05dd-fd11-40c4-918e-db0c3cde0955.json | 4 +- ...-89cee1bf-b7ab-4c13-8011-22364628422d.json | 4 +- ...-8a7350ca-f1f6-42db-9fbf-aa110d02e338.json | 53 - 
...-8abe31b2-7123-41f1-9ca3-5653bc1c0fdc.json | 4 +- ...-8b1810b0-5885-47ec-963b-b3fecbe1825a.json | 4 +- ...-8b39b092-d827-4e58-9b67-a9b9e8c6f297.json | 4 +- ...8b3b15fa-f369-47b2-9e6d-b30094a799b8.json} | 31 +- ...-8bf7607c-b292-40e6-9372-8624fc971a66.json | 4 +- ...-8c803835-6fd8-4af8-a178-be3e2dc43687.json | 2 +- ...-8cae892e-69de-4f27-a49c-a369c2f8f20a.json | 4 +- ...-8cf4e8d0-21b6-4e35-97c2-97e6c5322509.json | 4 +- ...-8d788ace-f057-449d-bd8b-b0db3fdb5b07.json | 4 +- ...-8d901ae3-1492-4090-b730-438071314947.json | 4 +- ...-8df78326-a8e8-4039-82a7-3dd375910e71.json | 2 +- ...-8f139c3f-7cc6-4d7f-a05e-7139a156fdeb.json | 16 +- ...-8fb51611-3f2a-42e3-9af0-fd8eda882cf8.json | 4 +- ...-8fcb44c9-dec3-4358-bf3d-35b4174f7d2b.json | 4 +- ...-90006260-5019-4c35-8c88-6ee23826734e.json | 2 +- ...-90206369-0c71-47cd-abf2-65e4e75fee99.json | 4 +- ...-903b44e8-0547-4945-ac5a-ee21d0898d4d.json | 4 +- ...-9048df12-c89f-45a6-99ac-caaa7446d6db.json | 4 +- ...-904b465b-d733-4619-b0d5-5c394cd2b7f3.json | 4 +- ...-90bb4fe0-057f-40b0-8fba-37005e7f6524.json | 4 +- ...-916d6dca-adbc-4af9-b810-eb7cd72779c8.json | 2 +- ...-91859e1a-022e-420a-bc00-af0546d891cb.json | 4 +- ...-91b7e621-49fe-4f7b-a8c6-0a377ceac3cd.json | 4 +- ...-91e25008-204c-4723-9c53-ca041c5fd2b1.json | 4 +- ...-92ac0cef-de80-4baa-869c-dc993492c0da.json | 4 +- ...-9398839c-520f-4aab-9c81-92d6518800e7.json | 2 +- ...-93ac6386-6f04-44cd-b7a5-78da3ced8b13.json | 4 +- ...-93bd89e3-9cfd-47f6-9fed-bb13b58acd82.json | 4 +- ...-9406d0e3-7e61-42c9-8532-a35459deb4e7.json | 4 +- ...-94813d2d-0eb5-4037-8c03-07896bd7233b.json | 2 +- ...-948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2.json | 4 +- ...-957f9b42-4f80-4da0-8dd1-75738e470fe2.json | 2 +- ...-95c86aee-57b2-4cc2-9354-772a30b4024f.json | 4 +- ...-9615d610-999a-417d-bf19-54da01c38b89.json | 4 +- ...-963d7b96-04f2-4c34-82ae-64bc6d5d37dc.json | 4 +- ...-965ddf96-4218-468f-be38-7ccd6ec29397.json | 14 +- ...-966c59f0-e5f7-4c3f-80f8-49091c015ad7.json | 4 +- 
...-968a2baa-33b0-4c2a-afb8-b899e1acbc0a.json | 4 +- ...-97024953-18b1-43d8-adf2-207ac2dca44e.json | 4 +- ...-97a53670-fbd8-40bb-a950-acec7a6e7958.json | 4 +- ...-97dff623-9e06-4810-b316-8eedabe893f0.json | 4 +- ...97ebea10-8852-4c4f-bf50-8b866ebc90ab.json} | 20 +- ...-97fc67af-9ec6-44a7-8187-32e07b5cdcb5.json | 4 +- ...-98cc634e-8ebb-4c19-b3f1-bea0abef18ae.json | 4 +- ...-999fdac4-2cd5-471e-960e-993f82214902.json | 4 +- ...-99bd055e-cadd-4ed3-94a4-b21570cd8350.json | 2 +- ...-9a20e319-4340-469f-a31c-5153dbd05bd0.json | 4 +- ...-9a5f43f7-dd94-4035-b335-9d0d388c93ae.json | 4 +- ...-9aa48852-5d9f-45e3-a094-113bc10c1cbc.json | 4 +- ...-9aa6cbcb-2654-4533-a47c-3b44b62cb6a2.json | 2 +- ...-9b4638cb-2e9b-480e-a502-4ac8acfa4dd8.json | 4 +- ...-9c6a7353-74f8-468b-94d8-faee128fa78d.json | 4 +- ...-9dd6ef57-b3b3-48e8-a77e-233ffee5d45b.json | 4 +- ...-9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac.json | 4 +- ...-9f6817c0-0ec9-4097-a55b-b39b08db2b92.json | 2 +- ...-9fb37268-5250-495b-b80c-96315169c1a8.json | 33 + ...-9fb8ebbb-efc5-4f9c-8059-dca2a21412fd.json | 4 +- ...-a0021942-1e00-442e-8ed8-285293eeb5e9.json | 4 +- ...-a0033d2f-e4c5-4bbf-854b-198fd82d0c0b.json | 4 +- ...-a03af833-a578-465a-bf8c-43c9db4f4775.json | 4 +- ...-a385dfe3-ba5e-4cc7-9a6d-a38349b44739.json | 33 + ...-a438adb9-e8d8-40da-8fb3-0500b0c812f5.json | 4 +- ...-a453cf88-1389-4ffd-8f3c-e95475f10a9f.json | 4 +- ...-a46f5dce-2530-4823-8253-d702c8b2abeb.json | 4 +- ...-a53ab24d-020a-46dc-8a13-7ef51ab07f35.json | 6 +- ...-a5490a04-b672-4587-ae13-f0a25eb1cea4.json | 2 +- ...-a5589cd0-a6ee-4d1a-9963-3c44e9734242.json | 4 +- ...-a5bc5daf-255e-4e9b-a4c4-508dc3a434ff.json | 4 +- ...-a60432c5-54ee-4c76-be1b-409f3f0e4795.json | 4 +- ...-a6389b1f-c2f4-4bb7-8b52-6725b00f6052.json | 4 +- ...-a67c8a5d-cce9-4892-9338-9fec55e45419.json | 4 +- ...-a6c50b34-3247-4e39-91d5-75f4fb97a9f9.json | 4 +- ...-a7d53e43-1336-49be-bf6b-9cc3fb832ab2.json | 4 +- ...-a8761808-d474-430a-9bd9-c770bc1163be.json | 4 +- 
...-a894c73b-8a05-4d53-86e8-39434b189fb6.json | 4 +- ...-a90fbac2-8ec1-486c-85bf-6cb6269a5ea6.json | 4 +- ...-a9364e83-2893-4989-b01a-e74ea9ced03a.json | 4 +- ...-a9530e23-d959-40a7-870a-bd6b29bee078.json | 4 +- ...-a962a19b-79e6-4154-a634-b85d9e9d0264.json | 6 +- ...-a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483.json | 4 +- ...-aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d.json | 4 +- ...-aaa95359-3220-45fe-9ae6-397718608ee4.json | 4 +- ...-ab2e210b-f2a3-4f50-b42a-7304b875429c.json | 4 +- ...-ab699bec-3a3f-498f-a658-1eabe6fe90c9.json | 4 +- ...-ac446754-73f8-4642-ac66-26b41c5f24ce.json | 4 +- ...-acddeb41-5339-4148-8a12-04b9ca687086.json | 4 +- ...-ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4.json | 25 +- ...-ad80fa16-a148-4562-951c-be0510a866fb.json | 2 +- ...-adac5b9d-77f6-4c07-898d-1515fbf37162.json | 4 +- ...-add320e6-3798-40f7-91be-5062eb3a9e00.json | 4 +- ...-adf43bd9-7112-42fe-8024-7f7fe5a2225f.json | 4 +- ...-ae167f71-8166-4906-97ba-8b9efb6daca2.json | 4 +- ...ae29c6ea-39f3-47f5-b2e9-49a18cbe3d9f.json} | 27 +- ...-ae4acd7c-89e1-44d8-a5fa-0d53fe88911e.json | 33 + ...-ae865c4b-d90b-46be-aae6-6fbe897b76d9.json | 2 +- ...-af4729ed-7659-496d-9028-0b9efbedd9a4.json | 13 +- ...-af706b89-56dd-4b02-81e6-eb64fe57c2e6.json | 4 +- ...-af70b2f4-e552-4ec0-b6ce-1c8c38e6748c.json | 4 +- ...-b063a520-75fb-41bc-afd7-bf13a8118dc5.json | 33 + ...-b0cd3324-b762-4e02-8e9d-7dd3708d5e0a.json | 8 +- ...-b1089154-3ee0-4713-893f-af97047f8ab5.json | 4 +- ...-b16029de-92c1-4b77-b334-733f0d099ecd.json | 4 +- ...-b1656b25-ea6a-485b-88e2-4c509b69caae.json | 13 +- ...-b1937ce5-4376-4b5d-944e-5406d8501413.json | 4 +- ...-b1c9e70b-d514-4924-848d-c6403560e6c5.json | 4 +- ...-b1f9e736-1435-4f76-9690-06562f843b58.json | 47 +- ...-b2320873-c5bb-4691-80f6-ffbd143b8b9a.json | 4 +- ...-b3030683-9d60-4b63-8498-f7fac91c244d.json | 4 +- ...-b3369595-ed1a-4660-a239-08f6abd5810c.json | 4 +- ...-b3bc7ff9-4ea7-4b1a-9301-ea0e07e4a85f.json | 2 +- ...-b40aba49-57d9-4a99-a29e-2629e35991c9.json | 4 +- 
...-b4931f82-5f27-4329-a0c4-4f953195e6f1.json | 4 +- ...-b535d57f-a2e0-427b-8f4d-69d948e6ebf4.json | 4 +- ...-b5d3d3c7-f9bd-4d61-8a73-593972018a8b.json | 4 +- ...-b5f07958-9aea-4414-ab2c-d5a46399dc23.json | 4 +- ...-b5f930c9-ea8f-45dd-9317-60b270606cb2.json | 6 +- ...-b62ec15e-4b56-482f-9721-72733c520d1b.json | 2 +- ...-b6679c6a-6312-44ec-a6fe-628a66d0cefe.json | 4 +- ...-b67d0824-50d3-4066-906b-93dd26a9f05f.json | 4 +- ...-b7225469-01b6-4708-8bf9-aff549a703ce.json | 4 +- ...-b729ab37-a73c-4d87-a72b-4123385a2581.json | 4 +- ...-b74af853-9674-4bc7-9d30-be251db05e3d.json | 4 +- ...-b7727763-8ffd-4588-b8a1-15168d18f0dd.json | 4 +- ...-b7a3c18a-0a7c-407a-8857-3e2e8d941775.json | 4 +- ...-b7d3d8a7-75a8-4e3b-a1e8-c20844d0a8cf.json | 2 +- ...-b7df4632-63d2-4195-a529-643ab6098e16.json | 33 + ...-b82bbd87-e936-4b0e-a708-a277630fec11.json | 2 +- ...-b82faecb-bcb2-4dcc-9155-bbd52d31c35d.json | 4 +- ...-b8311cd4-85f0-4e4c-83c5-0af831e6d7f1.json | 9 +- ...-b85681f8-57a9-485e-bc46-ab3602990675.json | 4 +- ...-b87f5902-5985-4b45-b8df-b3b24f214650.json | 2 +- ...-b9a7ebfb-ce75-4050-b9ac-79d2bf146c4f.json | 2 +- ...-b9cf6d75-631e-4209-b84d-63a7dcaf9b65.json | 2 +- ...-baae0d7a-88a9-479c-879e-9bbd0dea3bf0.json | 4 +- ...-bab113ca-bbe4-4b39-bcac-d7fa7325b1e9.json | 4 +- ...-bad6ec3f-e218-4190-8033-3e4e8dae8d00.json | 2 +- ...-bb0c753c-31a4-48b9-9548-47a29cce149a.json | 4 +- ...-bb3514c7-f3ad-4236-b5b9-a38aa432ea17.json | 4 +- ...-bb61fa8d-d4d6-492b-9885-17b320bddf36.json | 4 +- ...-bbcbbd85-689f-486f-b3be-e36852dfe5c5.json | 4 +- ...-bd879126-0126-4f7a-a1b7-d9944efb251f.json | 25 +- ...-bdeba524-0f2d-4d2f-a107-2b7516a0b496.json | 4 +- ...-bdf66c87-1488-4eed-ae9c-2482bc93e93d.json | 4 +- ...-be9f9f28-01bb-4b94-b973-14f06a71c968.json | 4 +- ...-becb5385-146e-42a3-a343-5beffc43a15c.json | 4 +- ...-befe8d09-ebeb-4a60-89a4-9efaaf325e9b.json | 4 +- ...-bf25a194-496a-4db2-801b-f2c5d3f951b5.json | 4 +- ...-bf339932-e456-44db-a711-b2d3482d9065.json | 4 +- 
...-c08285dc-2707-4016-9db1-187e19f504f6.json | 4 +- ...-c09b91df-e723-4ad4-b021-04d2773094f9.json | 4 +- ...-c1e8e932-3864-444e-b56b-70292bb7695c.json | 4 +- ...-c25f5d58-e8e5-49ef-a54d-68e17b4ac824.json | 8 +- ...-c2c8a6d7-c5be-40c2-98ae-96640b2048af.json | 2 +- ...-c2e926cc-5d54-4cce-91f3-acf946574563.json | 2 +- ...-c31eb81c-b21c-4ae2-aed3-bcc77821d3ca.json | 4 +- ...-c3a03554-f52e-49bd-ad0d-f01d4ded7f39.json | 2 +- ...-c4004f59-4494-4ba9-b5d0-334fd96068ee.json | 2 +- ...-c44b1c58-8da1-4ebe-a427-a9f2821e7a85.json | 4 +- ...-c484a07a-2c0e-4141-bfd0-161a38812c64.json | 4 +- ...-c550625d-7b0c-4db2-9f30-486767c9cf63.json | 13 +- ...-c5c986d0-cf3f-44bb-9f0e-023783e6066d.json | 33 + ...-c6c8f32e-7d92-401e-930f-d193a59e4c95.json | 4 +- ...-c6f384e3-bf80-4251-8591-265ab51480cc.json | 2 +- ...-c774c10b-dc56-43b1-a30a-a7fdc3485644.json | 4 +- ...-c863faee-3dcc-4fc0-9d16-9d0b7e75051c.json | 6 +- ...-c8a2e7c9-e359-43de-ba00-ca147397701e.json | 2 +- ...-c8d17860-f4e4-4403-a28b-02c784a3ca70.json | 4 +- ...-c9223618-2865-499f-890e-2848db80a6d9.json | 4 +- ...-ca32295b-c968-4099-a010-e8758c066be6.json | 4 +- ...ca97cf63-678d-45e3-8ac8-bca2334e520e.json} | 17 +- ...-cada9d62-2163-42e3-88ec-d37e2ade1030.json | 4 +- ...-cb1c9047-e589-4aed-b5d5-c6062a1ab340.json | 2 +- ...-cb329a09-0291-4a05-ac20-3b35500bfd9b.json | 4 +- ...-cb5e801d-a60f-497e-93b6-23d5e29c09fd.json | 4 +- ...-cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae.json | 8 +- ...-cbfcfc30-2fa3-4160-a9ba-4cc6c0f48345.json | 2 +- ...-cc396380-d266-4e87-8fc7-412e89a2b4b0.json | 9 +- ...-cc89a8c1-00d2-4ae2-bda2-a35398a63214.json | 4 +- ...-cd438b37-74b0-433b-85d2-8530724401fa.json | 4 +- ...-ce322a95-0385-40cb-af25-96e377a7de8f.json | 4 +- ...-ce6015e7-3065-420f-aea8-c9e0e5d5ed74.json | 25 +- ...-ced26a03-d356-4f8e-8337-9a07c0becd86.json | 4 +- ...-cefefa87-2f06-4008-afcf-847a8bd746af.json | 4 +- ...-cfa8658b-c504-41eb-9886-05de4962319c.json | 4 +- ...-d10a18cc-23b6-4421-82e1-1ba28319012b.json | 4 +- 
...-d141c588-8a3c-4cd8-8421-86b2625c9263.json | 61 - ...-d1a3a19c-bcd0-40fc-8b5f-9e755260abc2.json | 4 +- ...-d26aaa4d-5143-4888-b81c-346d3b51641b.json | 2 +- ...-d27a6bf4-7e7b-4007-9301-20eec9d8fe20.json | 4 +- ...-d2dd9838-ea8f-4a2f-99f4-8a8a468110a4.json | 4 +- ...-d320eec6-6fe3-4fd8-81f8-700742858f19.json | 2 +- ...-d3656287-db62-4856-860d-6b3ff60e23b2.json | 4 +- ...-d37365f4-63c4-4c3e-a81e-be518e7561f1.json | 4 +- ...-d447c221-2ab5-4378-bb19-78b97869fa58.json | 4 +- ...-d4aefa59-0817-4916-ad93-6ef174e070d3.json | 4 +- ...d4b4af24-91a5-4f21-82c6-7f67f316239f.json} | 12 +- ...-d4b96b74-7cf9-46c2-8c09-ea8fd124b15a.json | 4 +- ...-d5762c67-a576-4aa8-aacd-3fba3a7f4599.json | 6 +- ...-d5e09700-cfae-43b7-831e-958a4e64251b.json | 4 +- ...-d6181cb9-7268-4ff7-99db-94df827e746e.json | 2 +- ...-d61dcb50-dcf8-408d-96e2-f3cd75f93be0.json | 4 +- ...-d61e7edf-865e-4d88-99cb-09dad9e44195.json | 4 +- ...-d6e1b096-1595-47e7-8230-223aa9cad622.json | 4 +- ...-d7183ad6-af24-4400-9539-f3a70be04a76.json | 9 +- ...-d71d433d-6815-4cca-940c-b21b05ab9a47.json | 16 +- ...-d7c408e8-d813-46aa-8267-a76f8d53ec35.json | 4 +- ...-d83c8fbc-c7bf-4108-ba64-f1a9ac737da1.json | 4 +- ...-d850864e-1db4-40f3-b891-b1db177d48b3.json | 4 +- ...-d92af9d8-3491-4c6b-88c2-10785900052e.json | 4 +- ...-da0fe52b-e2c5-4574-a572-09c999c86b59.json | 4 +- ...-da7d23d7-ead0-4926-a7ee-be9ea77bb2cd.json | 4 +- ...-dad3c536-a9a6-492b-baae-4353f2c6f601.json | 4 +- ...-db58e527-5e81-489f-b05a-537ea9b6bae9.json | 4 +- ...-dc49a540-64a4-47e7-8931-0ad5ce595cb7.json | 4 +- ...-dc5231d1-332e-45ab-9995-412a5da4c10d.json | 4 +- ...-dcd263ce-1f73-4f82-a7cf-5571498a8d36.json | 4 +- ...-dcd29dd1-20d2-4387-90dd-95480c4e0f1c.json | 2 +- ...-dcfb5c52-a6e0-4c64-a937-91d730cd7a5b.json | 4 +- ...-dd40dbb6-6220-4b7b-93e1-20fe081eb219.json | 4 +- ...-dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25.json | 20 +- ...-dd5fd5f1-cc85-409b-a4c0-96cea106cd82.json | 4 +- ...-dd600655-8b9a-4a67-be72-3088d96e0e5a.json | 4 +- 
...-ded5f278-1acc-4f7b-be58-abc38e6b8436.json | 4 +- ...-e04595b9-234a-4495-a9ca-25c78e137291.json | 4 +- ...-e0563aa9-70e1-41b8-ae78-0434ece93e36.json | 4 +- ...-e059fc35-3fbe-407e-b4aa-0b3616ae288b.json | 2 +- ...-e1be431c-d113-4b11-bfe1-ea117eefc3cf.json | 33 + ...-e1c3c48b-0b4d-418f-b7af-44715b214972.json | 4 +- ...-e22860a9-1026-46ee-a75e-feedc26196d5.json | 2 +- ...-e23ee3ae-6960-4b56-b962-33184f999657.json | 4 +- ...-e2558f71-7409-4203-bd5b-8a331f29327a.json | 17 +- ...-e25edc0c-3631-4df8-a37f-4695d3cec86e.json | 9 +- ...-e35d4dd6-591c-4f6d-b182-16adc70ce74f.json | 4 +- ...-e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3.json | 2 +- ...-e393c36e-9939-44df-8f4a-8e7cb57c9b4e.json | 2 +- ...-e399ce8e-2c1d-4bc4-9669-308cb99f1e10.json | 4 +- ...-e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa.json | 4 +- ...-e3f453d4-03f3-4a8a-bfb1-d603016e234f.json | 17 +- ...-e4678b94-bfec-402e-9682-17a32ae8c379.json | 4 +- ...-e57c3d95-67fc-4d26-a74e-12953fff494b.json | 4 +- ...-e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d.json | 4 +- ...-e60f2ef0-615c-4158-92f6-4db808bc116d.json | 4 +- ...-e72b1f9b-69a5-44fa-8de6-fa7d4ccc726c.json | 2 +- ...-e7d60710-0081-4d47-9fd3-3e2d410828e7.json | 4 +- ...-e82333e9-4719-464b-87d9-164c6b00cb5d.json | 4 +- ...-e84f764e-ace1-4149-b73d-664b17954d7b.json | 4 +- ...-e85ffef6-8593-4bff-a6f0-d54b2e64fc70.json | 4 +- ...-e97aa9eb-a7d6-4c4a-810f-140f1dda08ca.json | 4 +- ...-eab3d576-e947-486b-857c-ffa680b30050.json | 2 +- ...-ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3.json | 4 +- ...-ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e.json | 4 +- ...-ec7f9541-06af-4db7-a9c2-183b513f144a.json | 2 +- ...-ecf1cd8c-ffef-40bd-a2e3-441e77a84a77.json | 2 +- ...-eee013e1-4cfd-42f9-9f46-71f4b1598ef3.json | 2 +- ...-ef5fd901-d515-4842-9119-c330c900e2e1.json | 4 +- ...-f05383f9-1d15-4eb9-97a4-13812f310acd.json | 2 +- ...-f0df8409-6168-481b-97a9-eb15c77c1317.json | 4 +- ...-f1212d9e-3af6-4ef4-a19e-ff2793564ffd.json | 4 +- ...-f1b3a223-fa61-4341-9d0c-9f71b399ee00.json | 4 +- 
...-f1e778ba-e457-445f-888f-a3ee4e5dbeef.json | 4 +- ...-f1e8e35a-e893-403a-b34c-1b5d54945764.json | 4 +- ...-f1f9a410-ce13-4c3d-8728-69e517d71fb9.json | 2 +- ...-f21fda77-e6ff-4351-87d9-0e2f5780a1c3.json | 12 +- ...-f25b4262-78aa-48e6-b9c9-6069058a918a.json | 4 +- ...-f277deb3-f676-4536-b7c0-8cc76354b631.json | 4 +- ...-f286389b-6374-4b58-ae99-975a32ad18ce.json | 4 +- ...-f30b55fa-0ddf-49d9-884b-8cdb9e567758.json | 4 +- ...-f4d0e9ac-c868-42fa-9b1f-0d0bee913da1.json | 4 +- ...-f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da.json | 4 +- ...-f50e1610-ac57-4256-85b8-4f16db37b184.json | 2 +- ...-f5f683c9-7cc4-41b9-a607-16e3c09461f4.json | 4 +- ...-f60a86ef-7e8a-4a7b-91fa-64a4c137068c.json | 2 +- ...-f62b419a-6b84-4bc4-865c-b58abc012795.json | 4 +- ...-f65d15c6-c325-42f5-a824-9ff3089f751f.json | 2 +- ...-f78bf329-48e4-4f8c-9468-0f8cd2ec08b5.json | 4 +- ...-f7d5a289-5ab3-4b74-912a-c7ab2748770c.json | 4 +- ...-f7edbfa2-7ebf-4e66-bad5-a13150f5ce7a.json | 2 +- ...-f867931f-8c8a-4b28-bc5b-0482852124b6.json | 2 +- ...-f919567a-9038-415c-a76b-10c702d929b0.json | 6 +- ...-f93d127d-164b-47c1-81e9-e7011cb478f8.json | 4 +- ...-fb0ec928-14d1-49f3-9897-14e3613b4ad7.json | 4 +- ...-fb6ca685-805a-467b-8f10-460f41360731.json | 4 +- ...-fbaedc87-7d0b-447c-a9e5-0f6c2658770a.json | 4 +- ...-fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b.json | 4 +- ...-fd9f551a-f0ef-42e2-bf82-acdf1062852b.json | 4 +- ...-fdc4b63d-2ee4-49af-b2d4-2defeff3d87d.json | 4 +- ...-fdd6cb04-8d0a-4808-b50a-0e7f8061b42b.json | 4 +- ...-fe31be5f-2912-4056-b70b-62988d5c3829.json | 9 +- ...-fe39ee83-4f97-4989-b1f4-11a95d36b9d2.json | 4 +- ...-fe662062-536d-43ca-912b-534a2936ddad.json | 4 +- ...-fecc2029-1268-4e13-b4b7-2b9f00c84972.json | 2 +- ...-ff66c503-48b3-4f2b-a462-f54258d2cfca.json | 4 +- ...-ff830778-b9bc-4636-9dc7-884d5dad8c2c.json | 24 +- ...-ff838892-3d1a-46ba-a3f5-5787e0e82830.json | 4 +- ...-0c0d59b7-4ff0-4a09-9c64-558334485ece.json | 9 +- ...-19d14868-ff81-4c8c-9a6a-c57baf7e7f52.json | 13 +- 
...-2640ed9a-24d9-4975-90c2-c8ab94d544e3.json | 21 +- ...-2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e.json | 33 +- ...-2def59e9-a1ba-4c23-9f7d-437935d1e965.json | 11 +- ...-30666a55-e3de-40ff-a680-8bca9c163cb0.json | 11 +- ...-31e78af0-0509-4f7b-b304-77a8e5bf7ead.json | 31 +- ...-36e75009-8fd6-467a-aa8c-c6a4d3511dfa.json | 12 +- ...-4188f951-4400-406c-8281-509395fc8e11.json | 15 +- ...-49b9796a-27fd-414e-a87d-b071aaff295b.json | 23 +- ...-4fe657cf-373f-4a71-a2b8-8de5c109eef9.json | 14 +- ...-508cadaa-4fd5-4105-803e-8944e388ee45.json | 13 +- ...-542141d9-e98d-4d4a-9b15-dfc3f8933e48.json | 9 +- ...-549d1c35-f214-4760-ab97-2142c66cf111.json | 13 +- ...-5dcefe05-4ead-4f84-9919-ebefe968df27.json | 9 +- ...-5fe2035d-58a0-4cd6-9561-cf4442871a10.json | 24 +- ...-6875c768-4212-474d-85dc-1e89c62e9a65.json | 11 +- ...-6a1bde20-a344-4738-9df5-b568fa4b5f33.json | 20 +- ...-8297b846-885e-4751-9e2b-d777ae7d21e3.json | 9 +- ...-86cfa430-ca3b-4322-bdfe-989aca5305f0.json | 12 +- ...-92f9ba45-2fb3-4d97-9865-eda477e7b779.json | 15 +- ...-a456fdcd-68f2-46fb-adb0-97c6817338c9.json | 22 +- ...-a6ad7a2e-f619-4598-914b-16f68b372789.json | 9 +- ...-b0625dd2-cc91-4936-9e12-289960aa0b41.json | 9 +- ...-bb2ac91f-90ad-4ed5-95ef-a899346ba4ce.json | 15 +- ...-cb022b7d-775c-4db8-ab25-3add7e215d54.json | 9 +- ...-cdd198e2-3f6f-42c4-adfd-d97dc66c5f19.json | 19 +- ...-d36b0186-1e10-4dd8-a1df-076e9a692c57.json | 23 +- ...-dbe9ee23-f01d-4cdb-bf53-066c77352dac.json | 9 +- ...-dd874fc3-691c-4825-95cc-bbe52e5406f5.json | 9 +- ...-e616d9d2-36b4-4510-84ad-66f19442fe3e.json | 13 +- ...-f31598c3-8d55-440f-ac5f-4b8ea34fc09b.json | 15 +- ...-fa095747-0ca8-4965-a222-cf1fe7647e12.json | 15 +- mbc/mbc.json | 37705 ++++++++-------- ...-040473ba-ea4c-4f70-9afa-61750d1d6d87.json | 20 - ...-08ddf2f3-b656-4731-8ef1-514e0c2209e3.json | 21 - ...-101b237e-e613-4c1c-a14e-5f6e023962ea.json | 21 - ...-14bb7996-f709-47a8-b56f-284e80a05814.json | 20 - ...-14e22077-05d7-49c6-a6ee-868c7ee5698d.json | 21 - 
...-1549dbad-5b3b-4701-b762-6e83daff0d13.json | 21 - ...-168fef73-7235-4bdb-a038-94b8c4ec1dfb.json | 20 - ...-17d45a89-9ebf-4a5b-8dc8-1e6e6e3e6089.json | 21 - ...-1a2f02aa-1fd6-45a7-b189-40ce1956f93c.json | 20 - ...-234e3d9c-b4f3-494c-987a-c70e725522c4.json | 20 - ...-272e945b-6d94-4755-83dd-df035dd5a7ef.json | 21 - ...-27f65cb2-f647-4914-af5f-949ddd8ed52a.json | 21 - ...-292a4fcc-2932-48f2-a1e6-62584547c6e7.json | 21 - ...2c24d182-4d28-489a-ac98-a3db334fc636.json} | 12 +- ...-2cec369a-ebbb-4bf4-ae8a-81311b7ad6ee.json | 20 - ...-2d1c8c16-3b50-4d04-b79d-54168c19af90.json | 21 - ...-343d0c6c-f9a4-4c0a-9421-1b810982e3fb.json | 21 - ...-36f2a08b-55c5-46f5-9fbc-71ee8ac382cc.json | 21 - ...-3ce0217e-a3e8-4735-9eda-f19656c3d7b2.json | 20 - ...-3d11a5ca-28e7-4f1e-aed7-14f93c9b7181.json | 20 + ...-40af3048-e15a-48e0-89f3-bd10073bd777.json | 21 - ...-43b39c15-6e60-420f-b0a5-3c2afaa08148.json | 20 - ...-459d2b7d-7d81-4468-bc6a-901ba11fb154.json | 21 - ...-46602894-3b25-4e09-b8ef-14a2e0c49208.json | 21 - ...-4696f9bf-84c4-4d96-9843-b7d105dfab7c.json | 20 - ...48fec1d5-1bc4-4803-88ad-9220672885c6.json} | 10 +- ...-4bff68b3-9d4e-4ba5-b2fe-95b583cbc03f.json | 20 - ...-4fab69d4-4418-4097-9fba-8aa22661f8d5.json | 21 - ...-57543e32-d9cc-4f12-b7f6-9a15aa1f1a73.json | 21 - ...-576dd954-f983-47d9-a0f8-edd3abfd1660.json | 21 - ...-58da90a9-db0b-43cc-99f9-3e562dcf4a90.json | 21 - ...-5d0f5931-bb24-4dff-8119-36c01f33373e.json | 20 - ...-5e02aacb-3140-4ae6-81c3-3512b2862b53.json | 21 - ...-5eb31591-a592-41ab-86e3-cb93ed9e1c80.json | 20 - ...-627fca8c-c3a2-49cc-a31b-c7e138829e81.json | 20 - ...-63b781c3-a8f4-4c5a-b432-5ea29beb76e5.json | 20 - ...-65089091-ff7b-4b1a-b96f-24c10d611194.json | 20 - ...-6da04862-dd32-45b6-b7d4-c18f6594bba9.json | 21 - ...6dcabe56-17b8-491b-8fd9-87edae835658.json} | 10 +- ...-706003e5-02d2-4e24-b6fc-731d4b36509c.json | 20 - ...-7219324e-57db-4a0a-b08b-62b12c0dc34b.json | 21 - ...-73c3780f-ca3d-4e58-88af-fce45e47d165.json | 21 - 
...-743c0cb2-bba4-4dfa-bbd6-ac5ed8875761.json | 21 - ...76e0d327-5877-43d1-957d-4b07239f216f.json} | 10 +- ...-78d819da-3841-4091-afac-7ab38b3ed476.json | 20 + ...-7a4e0f35-e30b-4447-a0cc-125626d39656.json | 20 - ...-81f4bfa5-9f8d-4aa1-a84e-b47f33aab606.json | 21 - ...-826fbc55-db75-4781-948b-adde0c819fed.json | 21 - ...-89cb978e-d4f7-4a13-95ae-5599dd877131.json | 21 - ...-89f5a894-a725-48cf-a061-fcc45f2d370d.json | 20 - ...8a59149c-0a38-46a8-a1c8-2aa236149116.json} | 12 +- ...-8ae4a607-2f5f-45ad-974f-43760f7679f6.json | 20 - ...-8fca40b2-f90d-4f34-b7c6-de4a36dc6757.json | 20 - ...-911a73f0-177c-4664-9bc7-9be9ff2dd265.json | 20 - ...-9fce1966-24ac-4f7b-b6b8-7cf2dcc68220.json | 21 - ...-a0277302-44bd-4134-9323-df422100c727.json | 21 - ...-a25ebab5-27c6-43bc-8067-a1b5e9a8e287.json | 21 - ...-a45880ae-06ce-40dc-9cf8-c1048d4703fb.json | 21 - ...a60acc51-7a7a-4346-b015-f74485f0beb1.json} | 10 +- ...-a73c3c48-d1bd-4e8d-920a-312b103d37ea.json | 21 - ...-a75d4a45-4b89-4b7f-b716-09f22ce93d22.json | 20 - ...-a87b3bb5-4abd-4577-b425-0e99af7191fb.json | 20 - ...-ab9cf0eb-332f-4bad-ab2d-37a909799aec.json | 21 - ...b43139f5-8626-4df1-948b-30f6042af7ae.json} | 12 +- ...b59c70f6-dd4c-44b9-bf95-d8ea33bf78b2.json} | 10 +- ...-b9410d22-a339-4bc1-9228-9770c6f18a66.json | 20 - ...bc673d2f-0836-4e03-992e-e2fe9c3adeb0.json} | 12 +- ...-bcd12692-9e2b-4267-8c4c-3e4cd0e7a70b.json | 21 - ...-bd4fadc4-7acb-4ed0-b916-3f2ac4daa301.json | 21 - ...-be0cd60b-1d8f-4b6d-9408-edd531d4ffa4.json | 21 - ...-c3b2136c-216f-47e7-a621-b38bd2bf5477.json | 20 + ...-c4f72d93-9b4a-4115-88d6-bae28231abba.json | 20 + ...-c79f3ad7-7069-47f0-b139-72773445b23a.json | 20 - ...-cf892647-cc52-464f-b71e-d67b7af8a3ea.json | 21 - ...-d0a2c078-fd60-437e-9ab2-4b6fb9471175.json | 21 - ...-d1f3731f-61f7-45f4-be59-c3028c327241.json | 21 - ...-d4484029-7085-4b0f-b9c9-576ef3789d4c.json | 20 + ...-dd9c6578-5364-41b2-a576-7f06aae7afbf.json | 21 - ...-df269863-bfd7-413d-96bc-5b8009d8032d.json | 20 - 
...-e0398d36-3ea5-4a01-be20-c154804c4f73.json | 21 - ...-e1b148c6-22c8-4cd4-9c09-cd6c935aa8a3.json | 21 - ...-e1c53003-22cd-41c0-bc29-57e5646b7107.json | 20 - ...-e3c2dd0c-247b-437a-819a-b2d6a2382c94.json | 21 - ...-e75ee57b-7d71-4412-a60c-c8c567a59312.json | 20 - ...-e8485cd9-001e-4669-91f8-04a7a825dacb.json | 21 - ...-e8fc5f25-a362-45e2-b289-f676377faee9.json | 21 - ...-e9f86b70-5b39-4c87-ba9c-a6753c8f03d0.json | 21 - ...-ea58d3c1-8cd8-406c-9816-fc9fca3b9657.json | 21 - ...-eaa586d2-6279-4254-9a97-260e41a91a94.json | 20 - ...-ecceb8ef-d79b-4d04-8bc8-4c2e6d596891.json | 20 - ...ece9840d-26ec-4e09-94b7-41f3f523e84a.json} | 10 +- ...ed91cc79-a8c4-4b1a-88cd-eaccec835932.json} | 10 +- ...-ef5f7499-451a-49fe-b39d-c624f250d50a.json | 21 - ...-f0cd9f17-b82b-48f4-883d-983432608abd.json | 20 - ...-f84e13d4-ae67-4f1c-96fa-56a340d01b42.json | 20 - ...-f99239c7-9c45-4ca4-9c38-f4630792dcf2.json | 21 - ...-fa38bbbd-0d90-4772-a08e-17efcff22b56.json | 21 - ...-fb09f83d-1a82-4501-9db6-bad58433707c.json | 21 - ...-fca68d5f-25cb-4d48-a88b-ac71774471f8.json | 20 + ...-fef23c74-9626-4912-bb2a-d0f1f563aab6.json | 21 - ...-d5eae189-586e-4f87-bf4f-51fa251f0ba6.json | 26 +- ...-0735bfd3-bffa-4476-9e3b-e33cc5c553e0.json | 2 +- ...-1f99e060-c0e8-449c-8629-216ef75d7828.json | 6 +- ...-225d85b5-6806-4760-a9d7-b5e38ca66153.json | 6 +- ...-30f8323e-ca97-4067-bb76-b14edff2fa88.json | 2 +- ...-389367d2-9dea-4ffe-b794-cfeaba83bcf6.json | 6 +- ...-408ef4fa-de24-489a-ac9e-1f51af84bf5d.json | 2 +- ...-578d34bc-28b7-4467-afe1-a969e00797d3.json | 2 +- ...-5ca03153-2bfb-4540-acad-4eb54f188589.json | 10 +- ...6771a9e9-03e2-45df-bc92-2ce9249123bc.json} | 14 +- ...-69c52ee6-8372-40be-8efc-200896493343.json | 6 +- ...-7f07ea86-c44a-4f1f-86d0-3d904c7ddb59.json | 2 +- ...-911377e6-b712-4754-a865-3e2989512b9a.json | 6 +- ...-9b3422b7-bc43-4b28-8d51-ba68782a9da2.json | 6 +- ...-9f09f947-5fc6-455f-b7eb-504c2ba972aa.json | 6 +- ...-d896bd1c-d0e9-4281-9755-9b76a7c963d3.json | 6 +- 
...da7738af-46f6-4bc6-bfa2-91a466439391.json} | 14 +- ...-db22e244-4c56-4a42-9e3a-6285bde88a5d.json | 2 +- ...-dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e.json | 2 +- ...-e4edf677-0ea0-474a-a14d-da3ea660d69f.json | 2 +- ...-eb6166b0-f3c9-4124-aeb9-662941baa19e.json | 6 +- ...-f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json | 6 +- 782 files changed, 21104 insertions(+), 22932 deletions(-) rename mbc/attack-pattern/{attack-pattern--5e4e232e-e441-4223-8b73-f160e9957a52.json => attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54.json} (60%) rename mbc/attack-pattern/{attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504.json => attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e.json} (60%) rename mbc/attack-pattern/{attack-pattern--9108b308-b962-4468-86bf-8921f77c963c.json => attack-pattern--0a5b94d6-6800-4855-8cd9-d100af9f67d9.json} (59%) rename mbc/attack-pattern/{attack-pattern--be6d8982-3619-4f2f-b5c7-64d9e934ac43.json => attack-pattern--0c59fe14-659a-4248-b205-7fc3371af6c7.json} (80%) delete mode 100644 mbc/attack-pattern/attack-pattern--1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c.json delete mode 100644 mbc/attack-pattern/attack-pattern--23cc9528-7b14-4f75-9daf-0afb8d9c24fa.json delete mode 100644 mbc/attack-pattern/attack-pattern--28715d14-8b3f-4be9-95f6-e306de73f53f.json create mode 100644 mbc/attack-pattern/attack-pattern--30b37187-7b90-4271-b554-e0a5265fc977.json create mode 100644 mbc/attack-pattern/attack-pattern--54782583-3e1e-4e43-a038-882e989e0c0f.json delete mode 100644 mbc/attack-pattern/attack-pattern--5c965b91-a0fd-4a85-b688-9be91a7a5aa8.json rename mbc/attack-pattern/{attack-pattern--6c07f7cb-fd9d-4acf-9b99-b15ecafc8dca.json => attack-pattern--6f73f473-5fb0-4777-a951-6de90d9ea01f.json} (76%) rename mbc/attack-pattern/{attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a.json => attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2.json} (63%) create mode 100644 mbc/attack-pattern/attack-pattern--7781ebfd-13bd-4a00-9c51-ed98a45f8749.json delete mode 100644 
mbc/attack-pattern/attack-pattern--8a7350ca-f1f6-42db-9fbf-aa110d02e338.json rename mbc/attack-pattern/{attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8.json => attack-pattern--8b3b15fa-f369-47b2-9e6d-b30094a799b8.json} (51%) rename mbc/attack-pattern/{attack-pattern--bc6ed4f1-4e73-477a-b05c-a49a3dd52642.json => attack-pattern--97ebea10-8852-4c4f-bf50-8b866ebc90ab.json} (54%) create mode 100644 mbc/attack-pattern/attack-pattern--9fb37268-5250-495b-b80c-96315169c1a8.json create mode 100644 mbc/attack-pattern/attack-pattern--a385dfe3-ba5e-4cc7-9a6d-a38349b44739.json rename mbc/attack-pattern/{attack-pattern--a6d7b549-6392-47dd-a5b3-f5ba522166c4.json => attack-pattern--ae29c6ea-39f3-47f5-b2e9-49a18cbe3d9f.json} (55%) create mode 100644 mbc/attack-pattern/attack-pattern--ae4acd7c-89e1-44d8-a5fa-0d53fe88911e.json create mode 100644 mbc/attack-pattern/attack-pattern--b063a520-75fb-41bc-afd7-bf13a8118dc5.json create mode 100644 mbc/attack-pattern/attack-pattern--b7df4632-63d2-4195-a529-643ab6098e16.json create mode 100644 mbc/attack-pattern/attack-pattern--c5c986d0-cf3f-44bb-9f0e-023783e6066d.json rename mbc/attack-pattern/{attack-pattern--1b8eadb6-6e0f-4739-b31c-2805b225aa89.json => attack-pattern--ca97cf63-678d-45e3-8ac8-bca2334e520e.json} (68%) delete mode 100644 mbc/attack-pattern/attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263.json rename mbc/attack-pattern/{attack-pattern--8c5ccf4d-b443-4803-8e69-eb83b1564c48.json => attack-pattern--d4b4af24-91a5-4f21-82c6-7f67f316239f.json} (84%) create mode 100644 mbc/attack-pattern/attack-pattern--e1be431c-d113-4b11-bfe1-ea117eefc3cf.json delete mode 100644 mbc/relationship/relationship--040473ba-ea4c-4f70-9afa-61750d1d6d87.json delete mode 100644 mbc/relationship/relationship--08ddf2f3-b656-4731-8ef1-514e0c2209e3.json delete mode 100644 mbc/relationship/relationship--101b237e-e613-4c1c-a14e-5f6e023962ea.json delete mode 100644 mbc/relationship/relationship--14bb7996-f709-47a8-b56f-284e80a05814.json delete mode 100644 
mbc/relationship/relationship--14e22077-05d7-49c6-a6ee-868c7ee5698d.json delete mode 100644 mbc/relationship/relationship--1549dbad-5b3b-4701-b762-6e83daff0d13.json delete mode 100644 mbc/relationship/relationship--168fef73-7235-4bdb-a038-94b8c4ec1dfb.json delete mode 100644 mbc/relationship/relationship--17d45a89-9ebf-4a5b-8dc8-1e6e6e3e6089.json delete mode 100644 mbc/relationship/relationship--1a2f02aa-1fd6-45a7-b189-40ce1956f93c.json delete mode 100644 mbc/relationship/relationship--234e3d9c-b4f3-494c-987a-c70e725522c4.json delete mode 100644 mbc/relationship/relationship--272e945b-6d94-4755-83dd-df035dd5a7ef.json delete mode 100644 mbc/relationship/relationship--27f65cb2-f647-4914-af5f-949ddd8ed52a.json delete mode 100644 mbc/relationship/relationship--292a4fcc-2932-48f2-a1e6-62584547c6e7.json rename mbc/relationship/{relationship--febddf0b-01eb-422c-a5ad-d0977801ec9c.json => relationship--2c24d182-4d28-489a-ac98-a3db334fc636.json} (53%) delete mode 100644 mbc/relationship/relationship--2cec369a-ebbb-4bf4-ae8a-81311b7ad6ee.json delete mode 100644 mbc/relationship/relationship--2d1c8c16-3b50-4d04-b79d-54168c19af90.json delete mode 100644 mbc/relationship/relationship--343d0c6c-f9a4-4c0a-9421-1b810982e3fb.json delete mode 100644 mbc/relationship/relationship--36f2a08b-55c5-46f5-9fbc-71ee8ac382cc.json delete mode 100644 mbc/relationship/relationship--3ce0217e-a3e8-4735-9eda-f19656c3d7b2.json create mode 100644 mbc/relationship/relationship--3d11a5ca-28e7-4f1e-aed7-14f93c9b7181.json delete mode 100644 mbc/relationship/relationship--40af3048-e15a-48e0-89f3-bd10073bd777.json delete mode 100644 mbc/relationship/relationship--43b39c15-6e60-420f-b0a5-3c2afaa08148.json delete mode 100644 mbc/relationship/relationship--459d2b7d-7d81-4468-bc6a-901ba11fb154.json delete mode 100644 mbc/relationship/relationship--46602894-3b25-4e09-b8ef-14a2e0c49208.json delete mode 100644 mbc/relationship/relationship--4696f9bf-84c4-4d96-9843-b7d105dfab7c.json rename 
mbc/relationship/{relationship--52577eb5-283f-4d59-afa3-e2aff4979371.json => relationship--48fec1d5-1bc4-4803-88ad-9220672885c6.json} (59%) delete mode 100644 mbc/relationship/relationship--4bff68b3-9d4e-4ba5-b2fe-95b583cbc03f.json delete mode 100644 mbc/relationship/relationship--4fab69d4-4418-4097-9fba-8aa22661f8d5.json delete mode 100644 mbc/relationship/relationship--57543e32-d9cc-4f12-b7f6-9a15aa1f1a73.json delete mode 100644 mbc/relationship/relationship--576dd954-f983-47d9-a0f8-edd3abfd1660.json delete mode 100644 mbc/relationship/relationship--58da90a9-db0b-43cc-99f9-3e562dcf4a90.json delete mode 100644 mbc/relationship/relationship--5d0f5931-bb24-4dff-8119-36c01f33373e.json delete mode 100644 mbc/relationship/relationship--5e02aacb-3140-4ae6-81c3-3512b2862b53.json delete mode 100644 mbc/relationship/relationship--5eb31591-a592-41ab-86e3-cb93ed9e1c80.json delete mode 100644 mbc/relationship/relationship--627fca8c-c3a2-49cc-a31b-c7e138829e81.json delete mode 100644 mbc/relationship/relationship--63b781c3-a8f4-4c5a-b432-5ea29beb76e5.json delete mode 100644 mbc/relationship/relationship--65089091-ff7b-4b1a-b96f-24c10d611194.json delete mode 100644 mbc/relationship/relationship--6da04862-dd32-45b6-b7d4-c18f6594bba9.json rename mbc/relationship/{relationship--41cd43e4-bc45-4ed3-ace0-2efdbf47eafe.json => relationship--6dcabe56-17b8-491b-8fd9-87edae835658.json} (59%) delete mode 100644 mbc/relationship/relationship--706003e5-02d2-4e24-b6fc-731d4b36509c.json delete mode 100644 mbc/relationship/relationship--7219324e-57db-4a0a-b08b-62b12c0dc34b.json delete mode 100644 mbc/relationship/relationship--73c3780f-ca3d-4e58-88af-fce45e47d165.json delete mode 100644 mbc/relationship/relationship--743c0cb2-bba4-4dfa-bbd6-ac5ed8875761.json rename mbc/relationship/{relationship--69192ee9-36d6-464b-a53d-c70b6433e7de.json => relationship--76e0d327-5877-43d1-957d-4b07239f216f.json} (59%) create mode 100644 mbc/relationship/relationship--78d819da-3841-4091-afac-7ab38b3ed476.json 
delete mode 100644 mbc/relationship/relationship--7a4e0f35-e30b-4447-a0cc-125626d39656.json delete mode 100644 mbc/relationship/relationship--81f4bfa5-9f8d-4aa1-a84e-b47f33aab606.json delete mode 100644 mbc/relationship/relationship--826fbc55-db75-4781-948b-adde0c819fed.json delete mode 100644 mbc/relationship/relationship--89cb978e-d4f7-4a13-95ae-5599dd877131.json delete mode 100644 mbc/relationship/relationship--89f5a894-a725-48cf-a061-fcc45f2d370d.json rename mbc/relationship/{relationship--06bd4ba6-d0ca-4c1d-b879-92d6151dbfb0.json => relationship--8a59149c-0a38-46a8-a1c8-2aa236149116.json} (53%) delete mode 100644 mbc/relationship/relationship--8ae4a607-2f5f-45ad-974f-43760f7679f6.json delete mode 100644 mbc/relationship/relationship--8fca40b2-f90d-4f34-b7c6-de4a36dc6757.json delete mode 100644 mbc/relationship/relationship--911a73f0-177c-4664-9bc7-9be9ff2dd265.json delete mode 100644 mbc/relationship/relationship--9fce1966-24ac-4f7b-b6b8-7cf2dcc68220.json delete mode 100644 mbc/relationship/relationship--a0277302-44bd-4134-9323-df422100c727.json delete mode 100644 mbc/relationship/relationship--a25ebab5-27c6-43bc-8067-a1b5e9a8e287.json delete mode 100644 mbc/relationship/relationship--a45880ae-06ce-40dc-9cf8-c1048d4703fb.json rename mbc/relationship/{relationship--9019f14b-be9e-4d46-b63e-652e178cb845.json => relationship--a60acc51-7a7a-4346-b015-f74485f0beb1.json} (59%) delete mode 100644 mbc/relationship/relationship--a73c3c48-d1bd-4e8d-920a-312b103d37ea.json delete mode 100644 mbc/relationship/relationship--a75d4a45-4b89-4b7f-b716-09f22ce93d22.json delete mode 100644 mbc/relationship/relationship--a87b3bb5-4abd-4577-b425-0e99af7191fb.json delete mode 100644 mbc/relationship/relationship--ab9cf0eb-332f-4bad-ab2d-37a909799aec.json rename mbc/relationship/{relationship--eb80b1d5-e2dd-454f-86f3-b1459c75df93.json => relationship--b43139f5-8626-4df1-948b-30f6042af7ae.json} (53%) rename mbc/relationship/{relationship--2498808a-e193-4149-a3ea-1298d76fb2af.json => 
relationship--b59c70f6-dd4c-44b9-bf95-d8ea33bf78b2.json} (59%) delete mode 100644 mbc/relationship/relationship--b9410d22-a339-4bc1-9228-9770c6f18a66.json rename mbc/relationship/{relationship--bfb97f13-10a9-430f-9887-80bc455b387c.json => relationship--bc673d2f-0836-4e03-992e-e2fe9c3adeb0.json} (51%) delete mode 100644 mbc/relationship/relationship--bcd12692-9e2b-4267-8c4c-3e4cd0e7a70b.json delete mode 100644 mbc/relationship/relationship--bd4fadc4-7acb-4ed0-b916-3f2ac4daa301.json delete mode 100644 mbc/relationship/relationship--be0cd60b-1d8f-4b6d-9408-edd531d4ffa4.json create mode 100644 mbc/relationship/relationship--c3b2136c-216f-47e7-a621-b38bd2bf5477.json create mode 100644 mbc/relationship/relationship--c4f72d93-9b4a-4115-88d6-bae28231abba.json delete mode 100644 mbc/relationship/relationship--c79f3ad7-7069-47f0-b139-72773445b23a.json delete mode 100644 mbc/relationship/relationship--cf892647-cc52-464f-b71e-d67b7af8a3ea.json delete mode 100644 mbc/relationship/relationship--d0a2c078-fd60-437e-9ab2-4b6fb9471175.json delete mode 100644 mbc/relationship/relationship--d1f3731f-61f7-45f4-be59-c3028c327241.json create mode 100644 mbc/relationship/relationship--d4484029-7085-4b0f-b9c9-576ef3789d4c.json delete mode 100644 mbc/relationship/relationship--dd9c6578-5364-41b2-a576-7f06aae7afbf.json delete mode 100644 mbc/relationship/relationship--df269863-bfd7-413d-96bc-5b8009d8032d.json delete mode 100644 mbc/relationship/relationship--e0398d36-3ea5-4a01-be20-c154804c4f73.json delete mode 100644 mbc/relationship/relationship--e1b148c6-22c8-4cd4-9c09-cd6c935aa8a3.json delete mode 100644 mbc/relationship/relationship--e1c53003-22cd-41c0-bc29-57e5646b7107.json delete mode 100644 mbc/relationship/relationship--e3c2dd0c-247b-437a-819a-b2d6a2382c94.json delete mode 100644 mbc/relationship/relationship--e75ee57b-7d71-4412-a60c-c8c567a59312.json delete mode 100644 mbc/relationship/relationship--e8485cd9-001e-4669-91f8-04a7a825dacb.json delete mode 100644 
mbc/relationship/relationship--e8fc5f25-a362-45e2-b289-f676377faee9.json delete mode 100644 mbc/relationship/relationship--e9f86b70-5b39-4c87-ba9c-a6753c8f03d0.json delete mode 100644 mbc/relationship/relationship--ea58d3c1-8cd8-406c-9816-fc9fca3b9657.json delete mode 100644 mbc/relationship/relationship--eaa586d2-6279-4254-9a97-260e41a91a94.json delete mode 100644 mbc/relationship/relationship--ecceb8ef-d79b-4d04-8bc8-4c2e6d596891.json rename mbc/relationship/{relationship--bbf88cc5-ef00-4af1-9bd2-e174454bff2e.json => relationship--ece9840d-26ec-4e09-94b7-41f3f523e84a.json} (59%) rename mbc/relationship/{relationship--8569d3d1-2f9f-44ac-afcc-768271d8a890.json => relationship--ed91cc79-a8c4-4b1a-88cd-eaccec835932.json} (59%) delete mode 100644 mbc/relationship/relationship--ef5f7499-451a-49fe-b39d-c624f250d50a.json delete mode 100644 mbc/relationship/relationship--f0cd9f17-b82b-48f4-883d-983432608abd.json delete mode 100644 mbc/relationship/relationship--f84e13d4-ae67-4f1c-96fa-56a340d01b42.json delete mode 100644 mbc/relationship/relationship--f99239c7-9c45-4ca4-9c38-f4630792dcf2.json delete mode 100644 mbc/relationship/relationship--fa38bbbd-0d90-4772-a08e-17efcff22b56.json delete mode 100644 mbc/relationship/relationship--fb09f83d-1a82-4501-9db6-bad58433707c.json create mode 100644 mbc/relationship/relationship--fca68d5f-25cb-4d48-a88b-ac71774471f8.json delete mode 100644 mbc/relationship/relationship--fef23c74-9626-4912-bb2a-d0f1f563aab6.json rename mbc/x-mitre-tactic/{x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906.json => x-mitre-tactic--6771a9e9-03e2-45df-bc92-2ce9249123bc.json} (58%) rename mbc/x-mitre-tactic/{x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898.json => x-mitre-tactic--da7738af-46f6-4bc6-bfa2-91a466439391.json} (65%) diff --git a/USAGE.md b/USAGE.md index 3e91bc1b..28930eb8 100644 --- a/USAGE.md +++ b/USAGE.md 
@@ -240,7 +240,7 @@ The [ATT&CKĀ® Navigator](https://github.com/mitre-attack/attack-navigator) has d
 ```json
 {
- "name": "MBC v2.2",
+ "name": "MBC v2.3",
 "domains": [
 {
 "name": "2.2 Release",
diff --git a/mbc/attack-pattern/attack-pattern--001ca78e-188e-4725-9f43-706d0f487837.json b/mbc/attack-pattern/attack-pattern--001ca78e-188e-4725-9f43-706d0f487837.json
index 7bde24e8..22ca2e47 100644
--- a/mbc/attack-pattern/attack-pattern--001ca78e-188e-4725-9f43-706d0f487837.json
+++ b/mbc/attack-pattern/attack-pattern--001ca78e-188e-4725-9f43-706d0f487837.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--001ca78e-188e-4725-9f43-706d0f487837",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.607265Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.230081Z",
 "name": "Send Data",
 "description": "Send data to a controller.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--006afc45-b6df-4e75-8102-b38ccb09db58.json b/mbc/attack-pattern/attack-pattern--006afc45-b6df-4e75-8102-b38ccb09db58.json
index f2f8fda1..b523ea76 100644
--- a/mbc/attack-pattern/attack-pattern--006afc45-b6df-4e75-8102-b38ccb09db58.json
+++ b/mbc/attack-pattern/attack-pattern--006afc45-b6df-4e75-8102-b38ccb09db58.json
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/component-firmware.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/component-firmware.md",
 "external_id": "F0009.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--010c8801-3ad4-479b-8c56-c29e108121c9.json b/mbc/attack-pattern/attack-pattern--010c8801-3ad4-479b-8c56-c29e108121c9.json
index ad9199b4..1708e625 100644
--- a/mbc/attack-pattern/attack-pattern--010c8801-3ad4-479b-8c56-c29e108121c9.json
+++ b/mbc/attack-pattern/attack-pattern--010c8801-3ad4-479b-8c56-c29e108121c9.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md",
 "external_id": "C0005.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--013fce9b-0645-41a4-b6ec-03a70b319715.json b/mbc/attack-pattern/attack-pattern--013fce9b-0645-41a4-b6ec-03a70b319715.json
index 0deba307..ea438482 100644
--- a/mbc/attack-pattern/attack-pattern--013fce9b-0645-41a4-b6ec-03a70b319715.json
+++ b/mbc/attack-pattern/attack-pattern--013fce9b-0645-41a4-b6ec-03a70b319715.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/create-file.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/create-file.md",
 "external_id": "C0016.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f.json b/mbc/attack-pattern/attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f.json
index 6979f7cf..62702b1b 100644
--- a/mbc/attack-pattern/attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f.json
+++ b/mbc/attack-pattern/attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.828261Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.361213Z",
 "name": "Request::SMTP Communication",
 "description": "Makes SMTP request.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/smtp-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/smtp-communication.md",
 "external_id": "C0012.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a.json b/mbc/attack-pattern/attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a.json
index 789279c5..e612e189 100644
--- a/mbc/attack-pattern/attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a.json
+++ b/mbc/attack-pattern/attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.486264Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.299473Z",
 "name": "Timing/Uptime Check",
 "description": "Comparing single GetTickCount with some value to see if system has been started at least *X* amount ago. This behavior can be mitigated in non-automated analysis environments.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
 "external_id": "B0007.009"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444.json b/mbc/attack-pattern/attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444.json
index 76ef715d..0dc8d02d 100644
--- a/mbc/attack-pattern/attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444.json
+++ b/mbc/attack-pattern/attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.67367Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.318985Z",
 "name": "RtlAdjustPrivilege",
 "description": "Malware may call RtlAdjustPrivilege to detect if a debugger is attached (or to prevent a debugger from attaching).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.022"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436.json b/mbc/attack-pattern/attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436.json
index dc45804c..a731c29f 100644
--- a/mbc/attack-pattern/attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436.json
+++ b/mbc/attack-pattern/attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436.json
@@ -8,10 +8,22 @@
 "id": "attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.829949Z",
- "modified": "2022-02-05T00:37:22.632387Z",
+ "modified": "2022-09-08T18:26:13.420199Z",
 "name": "Shadow System Service Dispatch Table Hooking",
 "description": "The Shadow System Service Dispatch Table (SSDT) can be hooked similarly to how the SSDT and IAT are hooked. The target of the hooking with the Shadow SSDT is the Windows subsystem (win32k.sys).",
 "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ },
 {
 "kill_chain_name": "mitre-mbc",
 "phase_name": "defense-evasion"
@@ -28,7 +40,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md",
 "external_id": "F0015.004"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746.json b/mbc/attack-pattern/attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746.json
index e9cc7a98..c796822d 100644
--- a/mbc/attack-pattern/attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746.json
+++ b/mbc/attack-pattern/attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.458263Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.311826Z",
 "name": "API Hook Detection",
 "description": "Module bounds based .",
 "kill_chain_phases": [
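Review bot: The three `phase_name` values added to `kill_chain_phases` in the first hunk (`anti-behavioral-analysis`, `collection`, `credential-access`) only render in tactic-based views if an `x-mitre-tactic` object with the matching shortname exists in the bundle, and the diffstat shows two tactic objects being renamed in this same commit, so that pairing is worth a check before release. It is also not visible here whether these objectives belong to the Shadow SSDT sub-technique itself or are inherited from the parent behavior F0015; a one-line note in the commit message stating where the generator takes the objective list from would make later regenerations reviewable. Both hunks of this file are fully visible; the next file's hunk runs past this line.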
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.001"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb.json b/mbc/attack-pattern/attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb.json
index 5429563d..84186e5d 100644
--- a/mbc/attack-pattern/attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb.json
+++ b/mbc/attack-pattern/attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.484262Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.297643Z",
 "name": "Product Key/ID Testing",
 "description": "Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the Key/ID in the Windows registry.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
 "external_id": "B0007.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f.json b/mbc/attack-pattern/attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f.json
index 1b563dc7..463727af 100644
--- a/mbc/attack-pattern/attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f.json
+++ b/mbc/attack-pattern/attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.936476Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.211623Z",
 "name": "Application Window Discovery",
 "description": "Malware may attempt to get a listing of open application windows.",
 "kill_chain_phases": [
@@ -20,13 +20,8 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/app-window-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/application-window-discovery.md",
 "external_id": "E1010"
- },
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1010/",
- "external_id": "T1010"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af.json b/mbc/attack-pattern/attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af.json
index f5359be0..2473e350 100644
--- a/mbc/attack-pattern/attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af.json
+++ b/mbc/attack-pattern/attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.556264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.192025Z",
 "name": "Fake Code Insertion",
 "description": "Add fake code similar to known packers or known goods to fool identification. Can confuse some automated unpackers.",
 "kill_chain_phases": [
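Review bot: Dropping the `mitre-attack` reference to T1010 in the second hunk leaves the Application Window Discovery object with the E-prefixed MBC id `E1010` (which mirrors the ATT&CK technique number) but no machine-readable link to that technique, so consumers that pivot from MBC to ATT&CK through `external_references` lose the mapping for this behavior. If the v2.3 markdown intentionally no longer lists the ATT&CK technique this is fine; otherwise the removed entry `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1010/", "external_id": "T1010" }` should be kept. The same removal without a replacement ATT&CK entry appears in the Hide Artifacts section further down (`E1564` keeps its id while the T1564 reference is dropped).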
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--04e25839-3207-4600-8972-618aa7cf44af.json b/mbc/attack-pattern/attack-pattern--04e25839-3207-4600-8972-618aa7cf44af.json
index 4cfcd628..2cc98889 100644
--- a/mbc/attack-pattern/attack-pattern--04e25839-3207-4600-8972-618aa7cf44af.json
+++ b/mbc/attack-pattern/attack-pattern--04e25839-3207-4600-8972-618aa7cf44af.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--04e25839-3207-4600-8972-618aa7cf44af",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.606261Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.229515Z",
 "name": "Request Email Address List",
 "description": "Request email address list.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.010"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--5e4e232e-e441-4223-8b73-f160e9957a52.json b/mbc/attack-pattern/attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54.json
similarity index 60%
rename from mbc/attack-pattern/attack-pattern--5e4e232e-e441-4223-8b73-f160e9957a52.json
rename to mbc/attack-pattern/attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54.json
index d4dd4fba..4883813f 100644
--- a/mbc/attack-pattern/attack-pattern--5e4e232e-e441-4223-8b73-f160e9957a52.json
+++ b/mbc/attack-pattern/attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54.json
@@ -1,16 +1,16 @@
 {
 "type": "bundle",
- "id": "bundle--9d5634d2-e793-40f9-b580-2c20ad40cdd0",
+ "id": "bundle--263116e2-4652-40f9-9e52-30f4ba9fdaa7",
 "objects": [
 {
 "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "attack-pattern--5e4e232e-e441-4223-8b73-f160e9957a52",
+ "id": "attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.648262Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "created": "2022-09-08T18:26:13.423869Z",
+ "modified": "2022-09-08T18:26:13.423869Z",
 "name": "Install Insecure or Malicious Configuration",
- "description": "Malware may install malicious configuration settings or may modify existing configuration settings. This MBC behavior extends the related ATT&CK technique to all platforms and to the Persistence objective.",
+ "description": "Malware may install malicious configuration settings or may modify existing configuration settings. For example, malware may change configuration settings associated with security mechanisms to make it difficult to detect or change configuration settings to maintain a foothold on the network.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -24,13 +24,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/config-mod.md",
- "external_id": "E1478"
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/install-insecure-or-malicious-configuration.md",
+ "external_id": "B0047"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1478",
- "external_id": "T1478"
+ "source_name": "external_source",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
 }
 ],
 "object_marking_refs": [
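Review bot: Changing the object's `id` from `attack-pattern--5e4e232e-e441-4223-8b73-f160e9957a52` to `attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54` in the first hunk creates a brand-new STIX object rather than a new version of the existing one, and nothing visible in this diff revokes or points back to the old id, so any relationship, report or downstream tool that referenced the old id now dangles. Resetting `created` to the same value as `modified` also discards the object's 2020 provenance, which matters for anyone auditing how a behavior definition evolved. If the behavior is genuinely being replaced (its external_id moves from `E1478` to `B0047`), the old object should be kept with `"revoked": true` and a bumped `modified` in the same release; if it is the same behavior, keep the original id and update only `modified`, `name`, `description` and the references. The same id-reset pattern appears in the renamed Hide Artifacts, Interruption and Click Hijacking sections below.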
diff --git a/mbc/attack-pattern/attack-pattern--063274b5-04c4-4987-98d6-850c2598b601.json b/mbc/attack-pattern/attack-pattern--063274b5-04c4-4987-98d6-850c2598b601.json
index b646697e..ff59830a 100644
--- a/mbc/attack-pattern/attack-pattern--063274b5-04c4-4987-98d6-850c2598b601.json
+++ b/mbc/attack-pattern/attack-pattern--063274b5-04c4-4987-98d6-850c2598b601.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--063274b5-04c4-4987-98d6-850c2598b601",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.805261Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.379149Z",
 "name": "Resolve Free Hosting Domain::DNS Communication",
 "description": "Resolves a free hosting domain (e.g., freeiz.com).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md",
 "external_id": "C0011.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6.json b/mbc/attack-pattern/attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6.json
index 269dcf54..2e7f085f 100644
--- a/mbc/attack-pattern/attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6.json
+++ b/mbc/attack-pattern/attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.510265Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.304109Z",
 "name": "Code Integrity Check",
 "description": "Check that the unpacking code is unmodified. Variation exists where unpacking code is part of the \"key\" used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--06c3d5c7-d4bf-4b28-8385-e169ba81e744.json b/mbc/attack-pattern/attack-pattern--06c3d5c7-d4bf-4b28-8385-e169ba81e744.json
index b265cca3..1834912e 100644
--- a/mbc/attack-pattern/attack-pattern--06c3d5c7-d4bf-4b28-8385-e169ba81e744.json
+++ b/mbc/attack-pattern/attack-pattern--06c3d5c7-d4bf-4b28-8385-e169ba81e744.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/lateral-movement/supply-chain-compromise.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/lateral-movement/supply-chain-compromise.md",
 "external_id": "E1195.m02"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400.json b/mbc/attack-pattern/attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400.json
index 5a7e86fd..642c81f0 100644
--- a/mbc/attack-pattern/attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400.json
+++ b/mbc/attack-pattern/attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.468265Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.317662Z",
 "name": "Process Environment Block BeingDebugged",
 "description": "The BeingDebugged field is tested to determine whether the process is being debugged.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.035"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0741d3d3-4027-430d-a574-5bc06d62a9c0.json b/mbc/attack-pattern/attack-pattern--0741d3d3-4027-430d-a574-5bc06d62a9c0.json
index 81100d46..5bbfea7f 100644
--- a/mbc/attack-pattern/attack-pattern--0741d3d3-4027-430d-a574-5bc06d62a9c0.json
+++ b/mbc/attack-pattern/attack-pattern--0741d3d3-4027-430d-a574-5bc06d62a9c0.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--0741d3d3-4027-430d-a574-5bc06d62a9c0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:36.03097Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.383336Z",
 "name": "Hashed Message Authentication Code",
- "description": "Malware uses an HMAC schema.",
+ "description": "Malware uses a hashed message authentication code (HMAC) schema.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/hmac.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/hashed-message-authentication-code.md",
 "external_id": "C0061"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb.json b/mbc/attack-pattern/attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb.json
index 0556dcd6..d895a1be 100644
--- a/mbc/attack-pattern/attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb.json
+++ b/mbc/attack-pattern/attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.824262Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.368736Z",
 "name": "Write Pipe::Interprocess Communication",
 "kill_chain_phases": [
 {
@@ -19,7 +19,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md",
 "external_id": "C0003.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0985829f-204f-4760-8ece-ff0f3031a715.json b/mbc/attack-pattern/attack-pattern--0985829f-204f-4760-8ece-ff0f3031a715.json
index 4a3c41b4..67388402 100644
--- a/mbc/attack-pattern/attack-pattern--0985829f-204f-4760-8ece-ff0f3031a715.json
+++ b/mbc/attack-pattern/attack-pattern--0985829f-204f-4760-8ece-ff0f3031a715.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0985829f-204f-4760-8ece-ff0f3031a715",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.484262Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.297178Z",
 "name": "Injected DLL Testing",
 "description": "Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
 "external_id": "B0007.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504.json b/mbc/attack-pattern/attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e.json
similarity index 60%
rename from mbc/attack-pattern/attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504.json
rename to mbc/attack-pattern/attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e.json
index 05cb5129..fa45eb35 100644
--- a/mbc/attack-pattern/attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504.json
+++ b/mbc/attack-pattern/attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e.json
@@ -1,15 +1,15 @@
 {
 "type": "bundle",
- "id": "bundle--caf8e08b-ef63-435e-845d-1727eba04b0a",
+ "id": "bundle--8896c6f0-8cf0-46b6-a560-be439a682473",
 "objects": [
 {
 "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504",
+ "id": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:35.829949Z",
- "modified": "2022-02-05T00:37:22.632387Z",
- "name": "Hidden Artifacts",
+ "created": "2022-09-08T18:26:13.427132Z",
+ "modified": "2022-09-08T18:26:13.427132Z",
+ "name": "Hide Artifacts",
 "description": "Malware may hide artifacts to evade detection and/or to persist on the system. See potential methods related to malware below.",
 "kill_chain_phases": [
 {
@@ -24,13 +24,16 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md",
 "external_id": "E1564"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1564",
- "external_id": "T1564"
+ "source_name": "external_source",
+ "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--09aa0bf7-bdec-4642-ad23-c8f1c9b01297.json b/mbc/attack-pattern/attack-pattern--09aa0bf7-bdec-4642-ad23-c8f1c9b01297.json
index 5de3a9e2..032083ab 100644
--- a/mbc/attack-pattern/attack-pattern--09aa0bf7-bdec-4642-ad23-c8f1c9b01297.json
+++ b/mbc/attack-pattern/attack-pattern--09aa0bf7-bdec-4642-ad23-c8f1c9b01297.json
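Review bot: The first new `external_source` entry in the second hunk uses a plain `http://` URL for researchcenter.paloaltonetworks.com, while every other reference in these files is https; an analyst following it from a threat-intel platform gets an unauthenticated fetch that an on-path party can alter before any server-side redirect happens. Unless the https form of that page is known not to resolve, the generator should emit `"url": "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"`. A scheme check on external reference URLs at conversion time would catch this class of issue across the whole bundle.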
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/destroy-hardware.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/destroy-hardware.md",
 "external_id": "B0017"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--09c1ddac-3b9f-487d-acba-78be3b686519.json b/mbc/attack-pattern/attack-pattern--09c1ddac-3b9f-487d-acba-78be3b686519.json
index d6c527a3..fcc22a50 100644
--- a/mbc/attack-pattern/attack-pattern--09c1ddac-3b9f-487d-acba-78be3b686519.json
+++ b/mbc/attack-pattern/attack-pattern--09c1ddac-3b9f-487d-acba-78be3b686519.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--09c1ddac-3b9f-487d-acba-78be3b686519",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.530265Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.302142Z",
 "name": "Unusual/Undocumented API Calls",
 "description": "Call unusual APIs to block non-exhaustive emulators (particularly anti-virus).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md",
 "external_id": "B0005.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--9108b308-b962-4468-86bf-8921f77c963c.json b/mbc/attack-pattern/attack-pattern--0a5b94d6-6800-4855-8cd9-d100af9f67d9.json
similarity index 59%
rename from mbc/attack-pattern/attack-pattern--9108b308-b962-4468-86bf-8921f77c963c.json
rename to mbc/attack-pattern/attack-pattern--0a5b94d6-6800-4855-8cd9-d100af9f67d9.json
index 43278e78..459eaf71 100644
--- a/mbc/attack-pattern/attack-pattern--9108b308-b962-4468-86bf-8921f77c963c.json
+++ b/mbc/attack-pattern/attack-pattern--0a5b94d6-6800-4855-8cd9-d100af9f67d9.json
@@ -1,16 +1,16 @@
 {
 "type": "bundle",
- "id": "bundle--5d5dfe6c-974a-4cdd-9ea6-259721a4b2c5",
+ "id": "bundle--e9da7826-3e81-446f-abbd-c02a57317232",
 "objects": [
 {
 "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "attack-pattern--9108b308-b962-4468-86bf-8921f77c963c",
+ "id": "attack-pattern--0a5b94d6-6800-4855-8cd9-d100af9f67d9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.461261Z",
- "modified": "2022-02-05T00:37:22.491757Z",
- "name": "Interrupt 0x2d",
- "description": "If int 0x2d is mishandled by the debugger, it can cause a single-byte instruction to be inadvertently skipped, which can be detected by malware.",
+ "created": "2022-09-08T18:26:13.313959Z",
+ "modified": "2022-09-08T18:26:13.313959Z",
+ "name": "Interruption",
+ "description": "If an interruption is mishandled by the debugger, it can cause a single-byte instruction to be inadvertently skipped, which can be detected by malware. Examples include Interrupt 0x2d and Interrupt 1 [7].",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.006"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0aeb39aa-febf-463e-97e0-546f558daed6.json b/mbc/attack-pattern/attack-pattern--0aeb39aa-febf-463e-97e0-546f558daed6.json
index cadac0b0..9333ae4c 100644
--- a/mbc/attack-pattern/attack-pattern--0aeb39aa-febf-463e-97e0-546f558daed6.json
+++ b/mbc/attack-pattern/attack-pattern--0aeb39aa-febf-463e-97e0-546f558daed6.json
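Review bot: The new `description` in the first hunk ends with a bare citation marker, `Interrupt 1 [7].`, which appears to be a footnote number carried over from the source markdown but has no counterpart in this object's `external_references`, so it is meaningless to a STIX consumer. Either strip the marker, `"description": "If an interruption is mishandled by the debugger, it can cause a single-byte instruction to be inadvertently skipped, which can be detected by malware. Examples include Interrupt 0x2d and Interrupt 1."`, or carry the cited source over as an `external_source` entry the way the Hide Artifacts section does. Since this looks like a conversion artifact rather than a hand edit, the fix probably belongs in the markdown-to-STIX generator so other descriptions with `[n]` markers are handled the same way.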
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0aeb39aa-febf-463e-97e0-546f558daed6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.472261Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.319554Z",
 "name": "SetHandleInformation",
 "description": "(Protected Handle)",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.024"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0b1371c5-4bec-466a-b643-43b719537894.json b/mbc/attack-pattern/attack-pattern--0b1371c5-4bec-466a-b643-43b719537894.json
index 2bd8c9d3..37d7dc8c 100644
--- a/mbc/attack-pattern/attack-pattern--0b1371c5-4bec-466a-b643-43b719537894.json
+++ b/mbc/attack-pattern/attack-pattern--0b1371c5-4bec-466a-b643-43b719537894.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0b1371c5-4bec-466a-b643-43b719537894",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.502264Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.29162Z",
 "name": "Modern Specs Check - USB drive",
 "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Checks whether there is a potential USB drive; if not a virtual environment is suspected.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.016"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0b6c8517-62d1-49c1-9a2d-9300806d1370.json b/mbc/attack-pattern/attack-pattern--0b6c8517-62d1-49c1-9a2d-9300806d1370.json
index e58160da..8483e83d 100644
--- a/mbc/attack-pattern/attack-pattern--0b6c8517-62d1-49c1-9a2d-9300806d1370.json
+++ b/mbc/attack-pattern/attack-pattern--0b6c8517-62d1-49c1-9a2d-9300806d1370.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0b6c8517-62d1-49c1-9a2d-9300806d1370",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.973483Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.364095Z",
 "name": "Create Request::HTTP Communication",
 "description": "HTTP client creates request.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002.012"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0be642a6-a030-4ecf-9c30-83f9cbc9fd56.json b/mbc/attack-pattern/attack-pattern--0be642a6-a030-4ecf-9c30-83f9cbc9fd56.json
index b9d38b0d..a47b62ff 100644
--- a/mbc/attack-pattern/attack-pattern--0be642a6-a030-4ecf-9c30-83f9cbc9fd56.json
+++ b/mbc/attack-pattern/attack-pattern--0be642a6-a030-4ecf-9c30-83f9cbc9fd56.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0be642a6-a030-4ecf-9c30-83f9cbc9fd56",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.504264Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.293225Z",
 "name": "Unique Hardware/Firmware Check - MAC Address",
 "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. VMware uses specific virtual MAC address that can be detected. The usual MAC address used started with the following numbers: \"00:0C:29\", \"00:1C:14\", \"00:50:56\", \"00:05:69\". Virtualbox uses specific virtual MAC address that can be detected by Malware. The usual MAC address used started with the following numbers: 08:00:27.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.028"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--be6d8982-3619-4f2f-b5c7-64d9e934ac43.json b/mbc/attack-pattern/attack-pattern--0c59fe14-659a-4248-b205-7fc3371af6c7.json
similarity index 80%
rename from mbc/attack-pattern/attack-pattern--be6d8982-3619-4f2f-b5c7-64d9e934ac43.json
rename to mbc/attack-pattern/attack-pattern--0c59fe14-659a-4248-b205-7fc3371af6c7.json
index b6184dff..a2b00a78 100644
--- a/mbc/attack-pattern/attack-pattern--be6d8982-3619-4f2f-b5c7-64d9e934ac43.json
+++ b/mbc/attack-pattern/attack-pattern--0c59fe14-659a-4248-b205-7fc3371af6c7.json
@@ -1,14 +1,14 @@
 {
 "type": "bundle",
- "id": "bundle--742f9f6b-72af-4d0f-98e9-73c6e818b83e",
+ "id": "bundle--4d8aca7e-30f6-43d1-9a1d-4609e3be2280",
 "objects": [
 {
 "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "attack-pattern--be6d8982-3619-4f2f-b5c7-64d9e934ac43",
+ "id": "attack-pattern--0c59fe14-659a-4248-b205-7fc3371af6c7",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.784263Z",
- "modified": "2022-02-05T00:37:22.71051Z",
+ "created": "2022-09-08T18:26:13.257877Z",
+ "modified": "2022-09-08T18:26:13.257877Z",
 "name": "Click Hijacking",
 "description": "Malware alters DNS server settings to route to a rogue DNS server: when the user clicks on a search result link displayed through a search engine query, malware re-routes the user to different website. Instead of going to the requested site, the user is taken to an alternate website such that the click triggers payment to the threat actor.",
 "kill_chain_phases": [
@@ -20,8 +20,8 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/generate-fraud-rev.md",
- "external_id": "E1472.m01"
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/generate-traffic-from-victim.md",
+ "external_id": "E1643.m01"
 },
 {
 "source_name": "external_source",
diff --git a/mbc/attack-pattern/attack-pattern--0e2fb8df-bef3-4664-88f9-f6614b80f107.json b/mbc/attack-pattern/attack-pattern--0e2fb8df-bef3-4664-88f9-f6614b80f107.json
index ccb03852..259ab7c8 100644
--- a/mbc/attack-pattern/attack-pattern--0e2fb8df-bef3-4664-88f9-f6614b80f107.json
+++ b/mbc/attack-pattern/attack-pattern--0e2fb8df-bef3-4664-88f9-f6614b80f107.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0e2fb8df-bef3-4664-88f9-f6614b80f107",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.502264Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.290615Z",
 "name": "Modern Specs Check - Total physical memory",
 "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Most modern machines have at leave 4 GB of memory. (GlobalMemoryStatusEx) .",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.014"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--0e87261d-5234-4ccb-87c1-2f9bb32b5c11.json b/mbc/attack-pattern/attack-pattern--0e87261d-5234-4ccb-87c1-2f9bb32b5c11.json
index 4237f40d..1d13bd64 100644
--- a/mbc/attack-pattern/attack-pattern--0e87261d-5234-4ccb-87c1-2f9bb32b5c11.json
+++ b/mbc/attack-pattern/attack-pattern--0e87261d-5234-4ccb-87c1-2f9bb32b5c11.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0e87261d-5234-4ccb-87c1-2f9bb32b5c11",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.512264Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.305366Z",
 "name": "Import Obfuscation",
 "description": "Add obfuscation between imports calls and APIs.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.010"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0eb664b8-73e1-4799-9e22-277ab898579d.json b/mbc/attack-pattern/attack-pattern--0eb664b8-73e1-4799-9e22-277ab898579d.json
index 44c17b42..caf8c1e7 100644
--- a/mbc/attack-pattern/attack-pattern--0eb664b8-73e1-4799-9e22-277ab898579d.json
+++ b/mbc/attack-pattern/attack-pattern--0eb664b8-73e1-4799-9e22-277ab898579d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0eb664b8-73e1-4799-9e22-277ab898579d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.728262Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.241603Z",
 "name": "Sysinternals",
 "description": "Sysinternals tools are used for additional command line functionality.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md",
 "external_id": "E1203.m05"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0f77be56-a5ef-4c06-8557-46782bb2cd67.json b/mbc/attack-pattern/attack-pattern--0f77be56-a5ef-4c06-8557-46782bb2cd67.json
index 4a393f19..7bda2b67 100644
--- a/mbc/attack-pattern/attack-pattern--0f77be56-a5ef-4c06-8557-46782bb2cd67.json
+++ b/mbc/attack-pattern/attack-pattern--0f77be56-a5ef-4c06-8557-46782bb2cd67.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0f77be56-a5ef-4c06-8557-46782bb2cd67",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.992483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.388689Z",
 "name": "Blowfish::Encrypt Data",
 "description": "Malware encrypts with the Blowfish algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
 "external_id": "C0027.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f.json b/mbc/attack-pattern/attack-pattern--0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f.json
index 39602b02..4e0958be 100644
--- a/mbc/attack-pattern/attack-pattern--0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f.json
+++ b/mbc/attack-pattern/attack-pattern--0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.556264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.191784Z",
 "name": "Entry Point Obfuscation",
 "description": "Obfuscate the entry point of the malware executable.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.009"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1004c879-79b0-44db-996c-910a7f9e3857.json b/mbc/attack-pattern/attack-pattern--1004c879-79b0-44db-996c-910a7f9e3857.json
index 703532ab..f7d744e9 100644
--- a/mbc/attack-pattern/attack-pattern--1004c879-79b0-44db-996c-910a7f9e3857.json
+++ b/mbc/attack-pattern/attack-pattern--1004c879-79b0-44db-996c-910a7f9e3857.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1004c879-79b0-44db-996c-910a7f9e3857",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.974485Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.366035Z",
 "name": "Set Header::HTTP Communication",
 "description": "HTTP header is set.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002.013"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1011a561-6f17-4f8d-874a-8ad491a2b470.json b/mbc/attack-pattern/attack-pattern--1011a561-6f17-4f8d-874a-8ad491a2b470.json
index 191ea90e..27213bd6 100644
--- a/mbc/attack-pattern/attack-pattern--1011a561-6f17-4f8d-874a-8ad491a2b470.json
+++ b/mbc/attack-pattern/attack-pattern--1011a561-6f17-4f8d-874a-8ad491a2b470.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1011a561-6f17-4f8d-874a-8ad491a2b470",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.729261Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.241881Z",
 "name": "Windows Utilities",
 "description": "One or more Windows utilities are used.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md",
 "external_id": "E1203.m06"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1057fe1c-c844-4de3-b72d-05313572a36c.json b/mbc/attack-pattern/attack-pattern--1057fe1c-c844-4de3-b72d-05313572a36c.json
index fad7c3b4..ed7c9e69 100644
--- a/mbc/attack-pattern/attack-pattern--1057fe1c-c844-4de3-b72d-05313572a36c.json
+++ b/mbc/attack-pattern/attack-pattern--1057fe1c-c844-4de3-b72d-05313572a36c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1057fe1c-c844-4de3-b72d-05313572a36c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.992483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.388434Z",
 "name": "Block Cipher::Encrypt Data",
 "description": "Malware encrypts with a block cipher.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
 "external_id": "C0027.014"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--10bee884-590b-45f4-8577-5cbe6d6efa1a.json b/mbc/attack-pattern/attack-pattern--10bee884-590b-45f4-8577-5cbe6d6efa1a.json
index 900ef844..6a0ffd80 100644
--- a/mbc/attack-pattern/attack-pattern--10bee884-590b-45f4-8577-5cbe6d6efa1a.json
+++ b/mbc/attack-pattern/attack-pattern--10bee884-590b-45f4-8577-5cbe6d6efa1a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--10bee884-590b-45f4-8577-5cbe6d6efa1a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.916486Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "modified": "2022-09-08T18:26:13.430344Z",
 "name": "Bypass Windows File Protection",
 "description": "Malware bypasses Windows file protection.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
 "external_id": "F0004.007"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--112d8251-af9c-404d-b3f6-44bd15c42a5d.json b/mbc/attack-pattern/attack-pattern--112d8251-af9c-404d-b3f6-44bd15c42a5d.json
index c88c1bb6..aeada676 100644
--- a/mbc/attack-pattern/attack-pattern--112d8251-af9c-404d-b3f6-44bd15c42a5d.json
+++ b/mbc/attack-pattern/attack-pattern--112d8251-af9c-404d-b3f6-44bd15c42a5d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--112d8251-af9c-404d-b3f6-44bd15c42a5d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.816261Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.362409Z",
 "name": "Server::HTTP Communication",
 "description": "General HTTP server behavior.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1212c336-4105-477e-9e3a-0789790a3941.json b/mbc/attack-pattern/attack-pattern--1212c336-4105-477e-9e3a-0789790a3941.json
index 2f5cd3ca..47ec7fb4 100644
--- a/mbc/attack-pattern/attack-pattern--1212c336-4105-477e-9e3a-0789790a3941.json
+++ b/mbc/attack-pattern/attack-pattern--1212c336-4105-477e-9e3a-0789790a3941.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1212c336-4105-477e-9e3a-0789790a3941",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.559264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.193374Z",
 "name": "Interleaving Code",
 "description": "Split code into sections that may be rearranged and are connected by unconditional jumps.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.014"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--12c16b13-65d4-49ea-9dcb-3a88553ac5d3.json b/mbc/attack-pattern/attack-pattern--12c16b13-65d4-49ea-9dcb-3a88553ac5d3.json
index 1e2f4a61..82cca411 100644
--- a/mbc/attack-pattern/attack-pattern--12c16b13-65d4-49ea-9dcb-3a88553ac5d3.json
+++ b/mbc/attack-pattern/attack-pattern--12c16b13-65d4-49ea-9dcb-3a88553ac5d3.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--12c16b13-65d4-49ea-9dcb-3a88553ac5d3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.989483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.385292Z",
 "name": "HC-128::Decrypt Data",
 "description": "Malware decrypts data encrypted with the HC-128 algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
 "external_id": "C0031.006"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--13631209-26c3-481c-bd8c-fa6c57c3dbe5.json b/mbc/attack-pattern/attack-pattern--13631209-26c3-481c-bd8c-fa6c57c3dbe5.json
index 363788eb..209bc9d3 100644
--- a/mbc/attack-pattern/attack-pattern--13631209-26c3-481c-bd8c-fa6c57c3dbe5.json
+++ b/mbc/attack-pattern/attack-pattern--13631209-26c3-481c-bd8c-fa6c57c3dbe5.json
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md",
 "external_id": "F0001.010"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--13d8f97e-b0dc-4ced-918d-31297b1f9aff.json b/mbc/attack-pattern/attack-pattern--13d8f97e-b0dc-4ced-918d-31297b1f9aff.json
index 65abd74d..3b9a2a91 100644
--- a/mbc/attack-pattern/attack-pattern--13d8f97e-b0dc-4ced-918d-31297b1f9aff.json
+++ b/mbc/attack-pattern/attack-pattern--13d8f97e-b0dc-4ced-918d-31297b1f9aff.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--13d8f97e-b0dc-4ced-918d-31297b1f9aff",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.459263Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.313098Z",
 "name": "CloseHandle",
 "description": "(NtClose); If an invalid handle is passed to the CloseHandle function and a debugger is present, then an EXCEPTION_INVALID_HANDLE (0xC0000008) exception will be raised.",
 "kill_chain_phases": [
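Review bot: The `@@ -28,7 +28,7 @@` hunk for attack-pattern--13631209 rewrites the `mitre-mbc` reference `url` but that file gets no `modified` update (its only hunk starts at line 28, so the `modified` field earlier in the file is untouched), unlike the neighbouring files where the URL change is paired with a new `modified` timestamp; attack-pattern--18377be7 further down shows the same pattern with a single `@@ -20,7 +20,7 @@` hunk. STIX 2.1 expects `modified` to advance whenever an object's content changes, and consumers that detect new versions by `(id, modified)` will treat the v2.2 and v2.3 copies as the same version and may keep the stale URL. If these two files were produced by the same generator as the rest, the difference suggests it skips the timestamp when only references change, which is worth confirming before the bundle is published.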
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.003"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--146be7e5-feeb-4dd2-8283-796b29394ac1.json b/mbc/attack-pattern/attack-pattern--146be7e5-feeb-4dd2-8283-796b29394ac1.json
index 02abfd02..a57cc5a7 100644
--- a/mbc/attack-pattern/attack-pattern--146be7e5-feeb-4dd2-8283-796b29394ac1.json
+++ b/mbc/attack-pattern/attack-pattern--146be7e5-feeb-4dd2-8283-796b29394ac1.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--146be7e5-feeb-4dd2-8283-796b29394ac1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.918444Z",
- "modified": "2022-02-05T00:37:22.632387Z",
+ "modified": "2022-09-08T18:26:13.41559Z",
 "name": "Location",
 "description": "Malware may change or choose the location of itself, another file, or a directory to prevent detection.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md",
 "external_id": "F0005.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a.json b/mbc/attack-pattern/attack-pattern--14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a.json
index 51345fdf..e9196d05 100644
--- a/mbc/attack-pattern/attack-pattern--14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a.json
+++ b/mbc/attack-pattern/attack-pattern--14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.736174Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.275737Z",
 "name": "Guard Pages",
 "description": "Encrypt blocks of code individually and decrypt temporarily only upon execution.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md",
 "external_id": "B0006.006"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1504bfdb-bc65-4fc2-9afd-8d2e82737dd6.json b/mbc/attack-pattern/attack-pattern--1504bfdb-bc65-4fc2-9afd-8d2e82737dd6.json
index 41cb17ef..4a0e282e 100644
--- a/mbc/attack-pattern/attack-pattern--1504bfdb-bc65-4fc2-9afd-8d2e82737dd6.json
+++ b/mbc/attack-pattern/attack-pattern--1504bfdb-bc65-4fc2-9afd-8d2e82737dd6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1504bfdb-bc65-4fc2-9afd-8d2e82737dd6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.008483Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.337736Z",
 "name": "FNV::Non-Cryptographic Hash",
 "description": "Malware uses the FNV hash function.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md",
 "external_id": "C0030.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1506d910-1208-4064-a633-8291f6d36e74.json b/mbc/attack-pattern/attack-pattern--1506d910-1208-4064-a633-8291f6d36e74.json
index 221cc7a4..e5a60094 100644
--- a/mbc/attack-pattern/attack-pattern--1506d910-1208-4064-a633-8291f6d36e74.json
+++ b/mbc/attack-pattern/attack-pattern--1506d910-1208-4064-a633-8291f6d36e74.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1506d910-1208-4064-a633-8291f6d36e74",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.554264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.190681Z",
 "name": "API Hashing",
 "description": "Instead of storing function names in the Import Address Table (IAT) and calling GetProcAddress, a DLL is loaded and the name of each of its exports is hashed until it matches a specific hash. Manual symbol resolution is then used to access and execute the exported function. This method is often used by shellcode because it reduces the size of each import from a human-readable string to a sequence of four bytes. The Method is also known as \"Imports by Hash\" and \"GET_APIS_WITH_CRC.\"",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.001"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--1540ed37-87c4-485f-b729-1e418a63762c.json b/mbc/attack-pattern/attack-pattern--1540ed37-87c4-485f-b729-1e418a63762c.json
index ef730056..d6a74219 100644
--- a/mbc/attack-pattern/attack-pattern--1540ed37-87c4-485f-b729-1e418a63762c.json
+++ b/mbc/attack-pattern/attack-pattern--1540ed37-87c4-485f-b729-1e418a63762c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1540ed37-87c4-485f-b729-1e418a63762c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.845581Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.41022Z",
 "name": "Injection via Windows Fibers",
 "description": "Malware executes shellcode via Windows fibers by converting a thread to a fiber.",
 "kill_chain_phases": [
@@ -24,13 +24,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md",
 "external_id": "E1055.m05"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1055",
- "external_id": "T1055"
+ "source_name": "external_source",
+ "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--155facb0-bb4a-4df0-b276-70c16f4c12f9.json b/mbc/attack-pattern/attack-pattern--155facb0-bb4a-4df0-b276-70c16f4c12f9.json
index 801cdc98..4f24f005 100644
--- a/mbc/attack-pattern/attack-pattern--155facb0-bb4a-4df0-b276-70c16f4c12f9.json
+++ b/mbc/attack-pattern/attack-pattern--155facb0-bb4a-4df0-b276-70c16f4c12f9.json
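Review bot: In the `@@ -24,13 +24,12 @@` hunk for attack-pattern--1540ed37 the `mitre-attack` reference to T1055 is removed and an `external_source` entry is put in its place, so this behavior loses its ATT&CK cross-reference rather than gaining a citation. Consumers that pivot from an MBC `E1055.m05` method to ATT&CK (the `E` prefix marks an ATT&CK-derived behavior) will no longer find the mapping on this object. If the ATT&CK link is still intended, keep the T1055 object and append the Sophos reference as a third array element instead of substituting it; if dropping it is deliberate, the commit description should say so, since nothing in the hunk explains the removal. The new entry has no `external_id`, which matches the other `external_source` entries in this commit.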
@@ -8,7 +8,7 @@
 "id": "attack-pattern--155facb0-bb4a-4df0-b276-70c16f4c12f9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.503263Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.292955Z",
 "name": "Unique Hardware/Firmware Check - I/O Communication Port",
 "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. The port can be queried and compared with a magic number VMXh to identify the use of VMware.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.025"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--168ed95b-0c10-42c4-9f0a-c1c462b39f6c.json b/mbc/attack-pattern/attack-pattern--168ed95b-0c10-42c4-9f0a-c1c462b39f6c.json
index f2b534a8..e61ea10c 100644
--- a/mbc/attack-pattern/attack-pattern--168ed95b-0c10-42c4-9f0a-c1c462b39f6c.json
+++ b/mbc/attack-pattern/attack-pattern--168ed95b-0c10-42c4-9f0a-c1c462b39f6c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--168ed95b-0c10-42c4-9f0a-c1c462b39f6c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.561265Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.19438Z",
 "name": "Stack Strings",
 "description": "Build and decrypt strings on the stack at each use, then discard to avoid obvious references.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.017"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--17cf477e-a8e5-4c52-b207-7023cfd16c1d.json b/mbc/attack-pattern/attack-pattern--17cf477e-a8e5-4c52-b207-7023cfd16c1d.json
index 9ed47fc9..c43da514 100644
--- a/mbc/attack-pattern/attack-pattern--17cf477e-a8e5-4c52-b207-7023cfd16c1d.json
+++ b/mbc/attack-pattern/attack-pattern--17cf477e-a8e5-4c52-b207-7023cfd16c1d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--17cf477e-a8e5-4c52-b207-7023cfd16c1d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.877737Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.244123Z",
 "name": "Host Fingerprint Check",
 "description": "Compare a previously computed host fingerprint(e.g., based on installed applications) to the current system's to determine if the malware instance is still executing on the same system. If not, execution stops, making debugging or sandbox analysis more difficult.",
 "kill_chain_phases": [
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md",
 "external_id": "B0025.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--17e05846-68f4-4f0c-bc23-88e01515bfcf.json b/mbc/attack-pattern/attack-pattern--17e05846-68f4-4f0c-bc23-88e01515bfcf.json
index 1b3a155a..24c2ed6d 100644
--- a/mbc/attack-pattern/attack-pattern--17e05846-68f4-4f0c-bc23-88e01515bfcf.json
+++ b/mbc/attack-pattern/attack-pattern--17e05846-68f4-4f0c-bc23-88e01515bfcf.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--17e05846-68f4-4f0c-bc23-88e01515bfcf",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.720618Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.305101Z",
 "name": "Hook Interrupt",
 "description": "Modification of interrupt vector or descriptor tables.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.009"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--180d573a-3efb-477c-b306-721bc3906eae.json b/mbc/attack-pattern/attack-pattern--180d573a-3efb-477c-b306-721bc3906eae.json
index 90018a37..f715facf 100644
--- a/mbc/attack-pattern/attack-pattern--180d573a-3efb-477c-b306-721bc3906eae.json
+++ b/mbc/attack-pattern/attack-pattern--180d573a-3efb-477c-b306-721bc3906eae.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.991483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.387563Z",
 "name": "Decrypt Data",
 "description": "Malware may decrypt data.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
 "external_id": "C0031"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--18377be7-e46d-48a0-ac85-b6af8f777b78.json b/mbc/attack-pattern/attack-pattern--18377be7-e46d-48a0-ac85-b6af8f777b78.json
index 2a5064f3..3b552e36 100644
--- a/mbc/attack-pattern/attack-pattern--18377be7-e46d-48a0-ac85-b6af8f777b78.json
+++ b/mbc/attack-pattern/attack-pattern--18377be7-e46d-48a0-ac85-b6af8f777b78.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md",
 "external_id": "C0036.006"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70.json b/mbc/attack-pattern/attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70.json
index 6f84d1ce..4cb277ef 100644
--- a/mbc/attack-pattern/attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70.json
+++ b/mbc/attack-pattern/attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.479261Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.324366Z",
 "name": "Emulator Detection",
 "description": "Detects whether the malware instance is being executed inside an emulator. If so, conditional execution selects a benign execution path.",
 "kill_chain_phases": [
@@ -20,12 +20,16 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md",
 "external_id": "B0004"
 },
 {
 "source_name": "external_source",
 "url": "https://search.unprotect.it/map/sandbox-evasion/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--195e17be-fac3-4ffe-a961-631e2af205bb.json b/mbc/attack-pattern/attack-pattern--195e17be-fac3-4ffe-a961-631e2af205bb.json
index 2a012e5f..386275de 100644
--- a/mbc/attack-pattern/attack-pattern--195e17be-fac3-4ffe-a961-631e2af205bb.json
+++ b/mbc/attack-pattern/attack-pattern--195e17be-fac3-4ffe-a961-631e2af205bb.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--195e17be-fac3-4ffe-a961-631e2af205bb",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.720618Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.30486Z",
 "name": "Guard Pages",
 "description": "Encrypt blocks of code individually and decrypt temporarily only upon execution.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.008"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1a424274-077f-4c21-bc63-ef2d8e574ed0.json b/mbc/attack-pattern/attack-pattern--1a424274-077f-4c21-bc63-ef2d8e574ed0.json
index d1a6037b..d06813f7 100644
--- a/mbc/attack-pattern/attack-pattern--1a424274-077f-4c21-bc63-ef2d8e574ed0.json
+++ b/mbc/attack-pattern/attack-pattern--1a424274-077f-4c21-bc63-ef2d8e574ed0.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--1a424274-077f-4c21-bc63-ef2d8e574ed0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.019478Z",
- "modified": "2022-02-05T00:37:22.804261Z",
+ "modified": "2022-09-08T18:26:13.34592Z",
 "name": "Writes File",
- "description": "Malware writes to a file.",
+ "description": "Malware writes to a file. Writing to a file enables file modification.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/write-file.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/write-file.md",
 "external_id": "C0052"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1a89f398-f3ef-484a-8735-024823241a11.json b/mbc/attack-pattern/attack-pattern--1a89f398-f3ef-484a-8735-024823241a11.json
index 31b33319..2950f8cc 100644
--- a/mbc/attack-pattern/attack-pattern--1a89f398-f3ef-484a-8735-024823241a11.json
+++ b/mbc/attack-pattern/attack-pattern--1a89f398-f3ef-484a-8735-024823241a11.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1a89f398-f3ef-484a-8735-024823241a11",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.871658Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.210662Z",
 "name": "Code Discovery",
 "description": "Malware may inspect code or enumerate aspects.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/code-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/code-discovery.md",
 "external_id": "B0046"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1adddaa3-6164-4adf-b910-6b8a78fb3111.json b/mbc/attack-pattern/attack-pattern--1adddaa3-6164-4adf-b910-6b8a78fb3111.json
index f26fd222..a6544f6b 100644
--- a/mbc/attack-pattern/attack-pattern--1adddaa3-6164-4adf-b910-6b8a78fb3111.json
+++ b/mbc/attack-pattern/attack-pattern--1adddaa3-6164-4adf-b910-6b8a78fb3111.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1adddaa3-6164-4adf-b910-6b8a78fb3111",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.811259Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.362735Z",
 "name": "Client::HTTP Communication",
 "description": "General HTTP client behavior.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1afb242c-883b-40c2-8a37-fc5064dd7d2b.json b/mbc/attack-pattern/attack-pattern--1afb242c-883b-40c2-8a37-fc5064dd7d2b.json
index ebbe68a5..62f18578 100644
--- a/mbc/attack-pattern/attack-pattern--1afb242c-883b-40c2-8a37-fc5064dd7d2b.json
+++ b/mbc/attack-pattern/attack-pattern--1afb242c-883b-40c2-8a37-fc5064dd7d2b.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1afb242c-883b-40c2-8a37-fc5064dd7d2b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.819261Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.3778Z",
 "name": "Generate Traffic::ICMP Communication",
 "description": "Generate ICMP traffic.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/icmp-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/icmp-communication.md",
 "external_id": "C0014.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1b5c05fd-3785-4710-8ee2-efadad6ef437.json b/mbc/attack-pattern/attack-pattern--1b5c05fd-3785-4710-8ee2-efadad6ef437.json
index e6a746b1..b2bfef14 100644
--- a/mbc/attack-pattern/attack-pattern--1b5c05fd-3785-4710-8ee2-efadad6ef437.json
+++ b/mbc/attack-pattern/attack-pattern--1b5c05fd-3785-4710-8ee2-efadad6ef437.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1b5c05fd-3785-4710-8ee2-efadad6ef437",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.491263Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.283506Z",
 "name": "Check Running Services",
 "description": "VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.006"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--1bfa0256-c28e-4dcc-82f6-8fa6880328f6.json b/mbc/attack-pattern/attack-pattern--1bfa0256-c28e-4dcc-82f6-8fa6880328f6.json
index c52c6d5e..9c802db9 100644
--- a/mbc/attack-pattern/attack-pattern--1bfa0256-c28e-4dcc-82f6-8fa6880328f6.json
+++ b/mbc/attack-pattern/attack-pattern--1bfa0256-c28e-4dcc-82f6-8fa6880328f6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1bfa0256-c28e-4dcc-82f6-8fa6880328f6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.982483Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.374821Z",
 "name": "Receive UDP Data::Socket Communication",
 "description": "Receive UDP data.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md",
 "external_id": "C0001.017"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1c9f410c-8e61-4d75-80be-e80461c54971.json b/mbc/attack-pattern/attack-pattern--1c9f410c-8e61-4d75-80be-e80461c54971.json
index 23a02039..e907d1b6 100644
--- a/mbc/attack-pattern/attack-pattern--1c9f410c-8e61-4d75-80be-e80461c54971.json
+++ b/mbc/attack-pattern/attack-pattern--1c9f410c-8e61-4d75-80be-e80461c54971.json
@@ -8,10 +8,22 @@
 "id": "attack-pattern--1c9f410c-8e61-4d75-80be-e80461c54971",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.829949Z",
- "modified": "2022-02-05T00:37:22.632387Z",
+ "modified": "2022-09-08T18:26:13.418864Z",
 "name": "Import Address Table (IAT) Hooking",
 "description": "Malware (e.g. rootkit) modifies a process's import address table (IAT), which stores pointers to imported API functions.",
 "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ },
 {
 "kill_chain_name": "mitre-mbc",
 "phase_name": "defense-evasion"
@@ -28,7 +40,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md",
 "external_id": "F0015.003"
 },
 {
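Review bot: The three `kill_chain_phases` entries added to Import Address Table (IAT) Hooking (F0015.003) match those of the separate IAT Hooking object attack-pattern--23cc9528-7b14-4f75-9daf-0afb8d9c24fa (F0003.001), which this commit deletes outright further down in the diff, as it does the EAT Hooking object attack-pattern--1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c (F0003.006); this looks like a merge rather than a plain removal. STIX 2.1 retires an object by re-publishing it with `"revoked": true` and a fresh `modified` timestamp instead of dropping the file, so consumers that already hold the old ids, or relationship objects that point at them, can reconcile; deleting the files leaves those references dangling with no tombstone. If the merge is intended, a sentence in this object's `description` naming the retired F0003.001 identifier would also make the remapping recoverable from the bundle itself. The enclosing attack-pattern object starts and ends outside the hunk.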
diff --git a/mbc/attack-pattern/attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484.json b/mbc/attack-pattern/attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484.json
index 73f219ca..2da1aec2 100644
--- a/mbc/attack-pattern/attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484.json
+++ b/mbc/attack-pattern/attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.986482Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.382259Z",
 "name": "Cryptographic Hash",
 "description": "Malware may use a cryptographic hash.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md",
 "external_id": "C0029"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e.json b/mbc/attack-pattern/attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e.json
index 21efb8fe..316122ac 100644
--- a/mbc/attack-pattern/attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e.json
+++ b/mbc/attack-pattern/attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.594264Z",
- "modified": "2022-02-05T00:37:22.585511Z",
+ "modified": "2022-09-08T18:26:13.220424Z",
 "name": "Input Capture",
 "description": "Malware captures user input.",
 "kill_chain_phases": [
@@ -24,13 +24,24 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/input-capture.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/input-capture.md",
 "external_id": "E1056"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1056",
- "external_id": "T1056"
+ "source_name": "external_source",
+ "url": "https://blogs.cisco.com/security/talos/rombertik"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--1d9b88e8-2bab-44ac-b1ae-26faf8f07f48.json b/mbc/attack-pattern/attack-pattern--1d9b88e8-2bab-44ac-b1ae-26faf8f07f48.json
index 53effc76..f2bc13f8 100644
--- a/mbc/attack-pattern/attack-pattern--1d9b88e8-2bab-44ac-b1ae-26faf8f07f48.json
+++ b/mbc/attack-pattern/attack-pattern--1d9b88e8-2bab-44ac-b1ae-26faf8f07f48.json
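Review bot: Input Capture (E1056) loses its `mitre-attack` reference (T1056) here, and the four replacement entries are `external_source` URLs only, so the ATT&CK cross-mapping that consumers pivot on through `source_name`/`external_id` is removed rather than supplemented; the same substitution is made for Send Email (T1566) in the hunk `@@ -36,9 +36,8 @@` further down. Unless dropping the ATT&CK mappings is a deliberate v2.3 decision, keep the entry alongside the new ones: `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1056", "external_id": "T1056" }`. The Trend Micro URL also carries a `?_ga=…` analytics tracking query string that should be stripped before it is committed to a shared bundle, and a `description` (article title or publisher) on each `external_source` entry would make the references identifiable without fetching them. The enclosing attack-pattern object starts outside the hunk.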
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1d9b88e8-2bab-44ac-b1ae-26faf8f07f48",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.512264Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.306093Z",
 "name": "Malloc Use",
 "description": "Instead of unpacking into a pre-defined section/segment (ex: .text) of the binary, use malloc() / VirtualAlloc() to create a new segment. This makes keeping track of memory locations across different runs more difficult, as there is no guarantee that malloc/VirtualAlloc will assign the same address range each time.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.013"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1dd62131-bc8e-4de7-b68a-1ea4c6b44c03.json b/mbc/attack-pattern/attack-pattern--1dd62131-bc8e-4de7-b68a-1ea4c6b44c03.json
index 4e9533c1..f9d1f2f5 100644
--- a/mbc/attack-pattern/attack-pattern--1dd62131-bc8e-4de7-b68a-1ea4c6b44c03.json
+++ b/mbc/attack-pattern/attack-pattern--1dd62131-bc8e-4de7-b68a-1ea4c6b44c03.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1dd62131-bc8e-4de7-b68a-1ea4c6b44c03",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.005479Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.335818Z",
 "name": "Base64::Encode Data",
 "description": "Malware may encode data using Base64.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/encode.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/encode-data.md",
 "external_id": "C0026.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c.json b/mbc/attack-pattern/attack-pattern--1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c.json
deleted file mode 100644
index 350e4879..00000000
--- a/mbc/attack-pattern/attack-pattern--1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c.json
+++ /dev/null
@@ -1,53 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--7712d3fe-5a71-45d3-9ba6-2d16f6be7350",
- "objects": [
- {
- "type": "attack-pattern",
- "spec_version": "2.1",
- "id": "attack-pattern--1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:35.798698Z",
- "modified": "2022-02-05T00:37:22.616726Z",
- "name": "Export Address Table (EAT) Hooking",
- "description": "Hooks the export address table (EAT).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "collection"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "credential-access"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "defense-evasion"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "privilege-escalation"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md",
- "external_id": "F0003.006"
- }
- ],
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--1e4a21a9-2d09-48fc-bcea-13d1359f2bbd.json b/mbc/attack-pattern/attack-pattern--1e4a21a9-2d09-48fc-bcea-13d1359f2bbd.json
index bc0a4a99..5f76f36a 100644
--- a/mbc/attack-pattern/attack-pattern--1e4a21a9-2d09-48fc-bcea-13d1359f2bbd.json
+++ b/mbc/attack-pattern/attack-pattern--1e4a21a9-2d09-48fc-bcea-13d1359f2bbd.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1e4a21a9-2d09-48fc-bcea-13d1359f2bbd",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.500263Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.289535Z",
 "name": "Modern Specs Check - Drive size",
 "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Most modern machines have at least 80 GB disks. May use DeviceloControl (IOCTL_DISK_GET_LENGTH_INFO) or GetDiskFreeSpaceEx (TotalNumberOfBytes) .",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.015"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--1e5a85a2-73fc-467c-a94b-ec867885b4c3.json b/mbc/attack-pattern/attack-pattern--1e5a85a2-73fc-467c-a94b-ec867885b4c3.json
index 6b04fb7a..8c198f31 100644
--- a/mbc/attack-pattern/attack-pattern--1e5a85a2-73fc-467c-a94b-ec867885b4c3.json
+++ b/mbc/attack-pattern/attack-pattern--1e5a85a2-73fc-467c-a94b-ec867885b4c3.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1e5a85a2-73fc-467c-a94b-ec867885b4c3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.467265Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.316782Z",
 "name": "Page Exception Breakpoint Detection",
 "kill_chain_phases": [
 {
@@ -19,7 +19,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.017"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--1ef444d5-6292-4701-be04-7d8bbd677b95.json b/mbc/attack-pattern/attack-pattern--1ef444d5-6292-4701-be04-7d8bbd677b95.json
index fd2a930c..1aca45dc 100644
--- a/mbc/attack-pattern/attack-pattern--1ef444d5-6292-4701-be04-7d8bbd677b95.json
+++ b/mbc/attack-pattern/attack-pattern--1ef444d5-6292-4701-be04-7d8bbd677b95.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1ef444d5-6292-4701-be04-7d8bbd677b95",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.993484Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.390211Z",
 "name": "RC6::Encrypt Data",
 "description": "Malware encrypts with the RC6 algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
 "external_id": "C0027.010"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--200ecf0e-33a7-4a9c-af4a-a3033b64e238.json b/mbc/attack-pattern/attack-pattern--200ecf0e-33a7-4a9c-af4a-a3033b64e238.json
index 48db0589..91d7aaf1 100644
--- a/mbc/attack-pattern/attack-pattern--200ecf0e-33a7-4a9c-af4a-a3033b64e238.json
+++ b/mbc/attack-pattern/attack-pattern--200ecf0e-33a7-4a9c-af4a-a3033b64e238.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--200ecf0e-33a7-4a9c-af4a-a3033b64e238",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.490263Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.282665Z",
 "name": "Check Processes",
 "description": "The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. Malware can list the process and searches for the VMware string. Process related to Virtualbox can be detected by malware by query the process list.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.004"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439.json b/mbc/attack-pattern/attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439.json
index 8b649775..ed38d0aa 100644
--- a/mbc/attack-pattern/attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439.json
+++ b/mbc/attack-pattern/attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.609265Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.231605Z",
 "name": "C2 Communication",
- "description": "All command and control malware use implant/controller communication. The methods listed below can be used to capture explicit communication details. Remote file copy behavior is captured separately, as is done in ATT&CK - see [Remote File Copy](https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/remote-file-copy.md).",
+ "description": "All command and control malware use implant/controller communication. The methods listed below can be used to capture explicit communication details. Remote file copy behavior is captured separately, as is done in ATT&CK - see **Ingress Tool Transfer ([E1105](https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/ingress-tool-transfer.md))**.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,8 +20,36 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/resources/hot-knives-through-butter-evading-file-based-sandboxes"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--2080b6b4-a74c-43da-97db-1a2ca33ca589.json b/mbc/attack-pattern/attack-pattern--2080b6b4-a74c-43da-97db-1a2ca33ca589.json
index 7d45b684..23f87d64 100644
--- a/mbc/attack-pattern/attack-pattern--2080b6b4-a74c-43da-97db-1a2ca33ca589.json
+++ b/mbc/attack-pattern/attack-pattern--2080b6b4-a74c-43da-97db-1a2ca33ca589.json
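Review bot: One of the seven references added to C2 Communication (B0030) uses a plain `http://` URL (the researchcenter.paloaltonetworks.com entry) while the other six use `https://`; a cleartext link in a shared threat-intel bundle can be altered in transit when a consumer follows it, so switch it to `https://` if the host serves it, or to an archived copy otherwise. All seven entries reuse the literal `"source_name": "external_source"`, whereas STIX intends `source_name` to identify the referenced source; if that is not a deliberate project convention, a per-publisher name or a `description` carrying the article title would keep the entries distinguishable and usable offline. The enclosing attack-pattern object starts outside the hunk.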
@@ -8,7 +8,7 @@
 "id": "attack-pattern--2080b6b4-a74c-43da-97db-1a2ca33ca589",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.464262Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.315334Z",
 "name": "NtQueryInformationProcess",
 "description": "Calling NtQueryInformationProcess with its ProcessInformationClass parameter set to 0x07 (ProcessDebugPort constant) will cause the system to set ProcessInformation to -1 if the process is being debugged. Calling with ProcessInformationClass set to 0x0E (ProcessDebugFlags) or 0x11 (ProcessDebugObject) are used similarly. Testing \"ProcessDebugPort\" is equivalent to using the kernel32!CheckRemoteDebuggerPresent API call (see next method).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.012"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--20bb8954-7d15-4f3f-b015-6de301407391.json b/mbc/attack-pattern/attack-pattern--20bb8954-7d15-4f3f-b015-6de301407391.json
index eb4785a0..9e134096 100644
--- a/mbc/attack-pattern/attack-pattern--20bb8954-7d15-4f3f-b015-6de301407391.json
+++ b/mbc/attack-pattern/attack-pattern--20bb8954-7d15-4f3f-b015-6de301407391.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--20bb8954-7d15-4f3f-b015-6de301407391",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.003478Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.33511Z",
 "name": "XOR::Decode Data",
 "description": "Malware may use xor to decode data.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decode.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decode-data.md",
 "external_id": "C0053.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--21399f14-f429-48f6-be04-d971783ba531.json b/mbc/attack-pattern/attack-pattern--21399f14-f429-48f6-be04-d971783ba531.json
index 7599d0ea..2cb9b5fb 100644
--- a/mbc/attack-pattern/attack-pattern--21399f14-f429-48f6-be04-d971783ba531.json
+++ b/mbc/attack-pattern/attack-pattern--21399f14-f429-48f6-be04-d971783ba531.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--21399f14-f429-48f6-be04-d971783ba531",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.870658Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.209889Z",
 "name": "Enumerate PE Sections",
 "description": "Malware enumerates virtual offsets of code sections.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/code-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/code-discovery.md",
 "external_id": "B0046.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--225f1311-c972-428d-be5e-f99a9edb705c.json b/mbc/attack-pattern/attack-pattern--225f1311-c972-428d-be5e-f99a9edb705c.json
index c00e5140..13da835f 100644
--- a/mbc/attack-pattern/attack-pattern--225f1311-c972-428d-be5e-f99a9edb705c.json
+++ b/mbc/attack-pattern/attack-pattern--225f1311-c972-428d-be5e-f99a9edb705c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--225f1311-c972-428d-be5e-f99a9edb705c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.517264Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.310135Z",
 "name": "Thread Timeout",
 "description": "Setting dwMilliseconds in WaitForSingleObject to a small number will timeout the thread before the analyst can step through and analyze the code executing in the thread. Modifying this via patch, register, or stack to the value `0xFFFFFFFF`, the **INFINITE** constant circumvents this anti-debugging technique.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.029"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--23949fea-4e13-41e3-b8c7-b25efd93f346.json b/mbc/attack-pattern/attack-pattern--23949fea-4e13-41e3-b8c7-b25efd93f346.json
index 1a99e6a5..8a287976 100644
--- a/mbc/attack-pattern/attack-pattern--23949fea-4e13-41e3-b8c7-b25efd93f346.json
+++ b/mbc/attack-pattern/attack-pattern--23949fea-4e13-41e3-b8c7-b25efd93f346.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--23949fea-4e13-41e3-b8c7-b25efd93f346",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.506259Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.278785Z",
 "name": "Memory-only Payload",
 "description": "Malware is never written to disk (e.g., RAT plugins received from the controller are never written to disk).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-capture.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/capture-evasion.md",
 "external_id": "B0036.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--23cc9528-7b14-4f75-9daf-0afb8d9c24fa.json b/mbc/attack-pattern/attack-pattern--23cc9528-7b14-4f75-9daf-0afb8d9c24fa.json
deleted file mode 100644
index 14446c8f..00000000
--- a/mbc/attack-pattern/attack-pattern--23cc9528-7b14-4f75-9daf-0afb8d9c24fa.json
+++ /dev/null
@@ -1,53 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--a96cff7b-0adb-4739-9ff4-32dcca494d4f",
- "objects": [
- {
- "type": "attack-pattern",
- "spec_version": "2.1",
- "id": "attack-pattern--23cc9528-7b14-4f75-9daf-0afb8d9c24fa",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:35.798698Z",
- "modified": "2022-02-05T00:37:22.616726Z",
- "name": "Import Address Table (IAT) Hooking",
- "description": "Modifies a process's import address table (IAT), which stores pointers to imported API functions.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "collection"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "credential-access"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "defense-evasion"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "privilege-escalation"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md",
- "external_id": "F0003.001"
- }
- ],
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc.json b/mbc/attack-pattern/attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc.json
index cce651cc..5f26e125 100644
--- a/mbc/attack-pattern/attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc.json
+++ b/mbc/attack-pattern/attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.507263Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.279541Z",
 "name": "Capture Evasion",
 "description": "Malware has characteristics enabling it to evade capture from the infected system.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-capture.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/capture-evasion.md",
 "external_id": "B0036"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--24464dee-85e0-4fbf-b604-130f783c3689.json b/mbc/attack-pattern/attack-pattern--24464dee-85e0-4fbf-b604-130f783c3689.json
index 7df61faf..65f56ef9 100644
--- a/mbc/attack-pattern/attack-pattern--24464dee-85e0-4fbf-b604-130f783c3689.json
+++ b/mbc/attack-pattern/attack-pattern--24464dee-85e0-4fbf-b604-130f783c3689.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--24464dee-85e0-4fbf-b604-130f783c3689",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.720618Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.309893Z",
 "name": "Tampering",
 "description": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.028"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--245f1add-7e00-4b25-9f57-a88febbd9359.json b/mbc/attack-pattern/attack-pattern--245f1add-7e00-4b25-9f57-a88febbd9359.json
index 818bd69e..ec46c12a 100644
--- a/mbc/attack-pattern/attack-pattern--245f1add-7e00-4b25-9f57-a88febbd9359.json
+++ b/mbc/attack-pattern/attack-pattern--245f1add-7e00-4b25-9f57-a88febbd9359.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--245f1add-7e00-4b25-9f57-a88febbd9359",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.915483Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "modified": "2022-09-08T18:26:13.429518Z",
 "name": "Heavens Gate",
 "description": "Malware evades endpoint security products by invoking 64-bit code in 32-bit processes, effectively bypassing user-mode hooks.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
 "external_id": "F0004.008"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--2494ac41-5d2b-4112-903a-fdc2a09d376b.json b/mbc/attack-pattern/attack-pattern--2494ac41-5d2b-4112-903a-fdc2a09d376b.json
index da8fdc5b..f6de833e 100644
--- a/mbc/attack-pattern/attack-pattern--2494ac41-5d2b-4112-903a-fdc2a09d376b.json
+++ b/mbc/attack-pattern/attack-pattern--2494ac41-5d2b-4112-903a-fdc2a09d376b.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--2494ac41-5d2b-4112-903a-fdc2a09d376b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.783046Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.228453Z",
 "name": "File search",
 "description": "Controller requests the implant to search for a given filename pattern, often a [glob](https://en.wikipedia.org/wiki/Glob_(programming)).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.015"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--24d2552e-d0ee-4ab5-8e75-743b233379e1.json b/mbc/attack-pattern/attack-pattern--24d2552e-d0ee-4ab5-8e75-743b233379e1.json
index f78e6174..da68a7c3 100644
--- a/mbc/attack-pattern/attack-pattern--24d2552e-d0ee-4ab5-8e75-743b233379e1.json
+++ b/mbc/attack-pattern/attack-pattern--24d2552e-d0ee-4ab5-8e75-743b233379e1.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--24d2552e-d0ee-4ab5-8e75-743b233379e1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.530265Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.301599Z",
 "name": "Extra Loops/Time Locks",
 "description": "Add extra loops to make time-constraint emulators give up.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md",
 "external_id": "B0005.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e.json b/mbc/attack-pattern/attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e.json
index ebc4db1d..3e6e6012 100644
--- a/mbc/attack-pattern/attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e.json
+++ b/mbc/attack-pattern/attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.743261Z",
- "modified": "2022-02-05T00:37:22.694887Z",
+ "modified": "2022-09-08T18:26:13.236841Z",
 "name": "Send Email",
 "description": "Sends an email message from the system on which the malware is executing to one or more recipients, mostly commonly for the purpose of spamming or for distributing a malicious attachment or URL (malspamming).",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/send-email.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/send-email.md",
 "external_id": "B0020"
 },
 {
@@ -36,9 +36,8 @@
 "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1566/",
- "external_id": "T1566"
+ "source_name": "external_source",
+ "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--2514d117-a906-491c-bdef-fdc0ca4ab49b.json b/mbc/attack-pattern/attack-pattern--2514d117-a906-491c-bdef-fdc0ca4ab49b.json
index 196dbab4..3c24246c 100644
--- a/mbc/attack-pattern/attack-pattern--2514d117-a906-491c-bdef-fdc0ca4ab49b.json
+++ b/mbc/attack-pattern/attack-pattern--2514d117-a906-491c-bdef-fdc0ca4ab49b.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/terminate-process.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/terminate-process.md",
 "external_id": "C0018"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--25dbb3ef-6301-4f8c-a8d2-a03b5c23dafd.json b/mbc/attack-pattern/attack-pattern--25dbb3ef-6301-4f8c-a8d2-a03b5c23dafd.json
index 58f8ae59..9f27d998 100644
--- a/mbc/attack-pattern/attack-pattern--25dbb3ef-6301-4f8c-a8d2-a03b5c23dafd.json
+++ b/mbc/attack-pattern/attack-pattern--25dbb3ef-6301-4f8c-a8d2-a03b5c23dafd.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--25dbb3ef-6301-4f8c-a8d2-a03b5c23dafd",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.016478Z",
- "modified": "2022-02-05T00:37:22.804261Z",
+ "modified": "2022-09-08T18:26:13.348991Z",
 "name": "Get File Attributes",
 "description": "Malware gets the attributes of a file.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/get-file-attr.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/get-file-attributes.md",
 "external_id": "C0049"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--2620e845-cb45-43b5-91a4-dd72dcf3339d.json b/mbc/attack-pattern/attack-pattern--2620e845-cb45-43b5-91a4-dd72dcf3339d.json
index 247f2b81..fabf072b 100644
--- a/mbc/attack-pattern/attack-pattern--2620e845-cb45-43b5-91a4-dd72dcf3339d.json
+++ b/mbc/attack-pattern/attack-pattern--2620e845-cb45-43b5-91a4-dd72dcf3339d.json
@@ -8,7 +8,7 @@ "id": "attack-pattern--2620e845-cb45-43b5-91a4-dd72dcf3339d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.492261Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.284407Z", "name": "Check Windows", "description": "Malware may check windows for VM-related characteristics.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.009" } ], diff --git a/mbc/attack-pattern/attack-pattern--26a24fc4-3488-408f-ae36-9e5e881f4b9e.json b/mbc/attack-pattern/attack-pattern--26a24fc4-3488-408f-ae36-9e5e881f4b9e.json index c46fc849..717b672d 100644 --- a/mbc/attack-pattern/attack-pattern--26a24fc4-3488-408f-ae36-9e5e881f4b9e.json +++ b/mbc/attack-pattern/attack-pattern--26a24fc4-3488-408f-ae36-9e5e881f4b9e.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/suspend-thread.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/suspend-thread.md", "external_id": "C0055" } ], diff --git a/mbc/attack-pattern/attack-pattern--26d8815b-c8d1-4fc9-a6f6-218c0436b7a1.json b/mbc/attack-pattern/attack-pattern--26d8815b-c8d1-4fc9-a6f6-218c0436b7a1.json index 4414f656..6cd71d56 100644 --- a/mbc/attack-pattern/attack-pattern--26d8815b-c8d1-4fc9-a6f6-218c0436b7a1.json +++ b/mbc/attack-pattern/attack-pattern--26d8815b-c8d1-4fc9-a6f6-218c0436b7a1.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--26d8815b-c8d1-4fc9-a6f6-218c0436b7a1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.562264Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.195174Z", "name": "Thunk Code Insertion", "description": "Variation on Jump Insertion. Used by some compilers for user-generated functions.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", "external_id": "B0032.006" } ], diff --git a/mbc/attack-pattern/attack-pattern--276108d0-bfef-45d8-9e20-0e6f5c107f6f.json b/mbc/attack-pattern/attack-pattern--276108d0-bfef-45d8-9e20-0e6f5c107f6f.json index 3d1b52e3..1f70039f 100644 --- a/mbc/attack-pattern/attack-pattern--276108d0-bfef-45d8-9e20-0e6f5c107f6f.json +++ b/mbc/attack-pattern/attack-pattern--276108d0-bfef-45d8-9e20-0e6f5c107f6f.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/covert-location.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/covert-location.md", "external_id": "B0040.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87.json b/mbc/attack-pattern/attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87.json index c1975204..d8aa15a8 100644 --- a/mbc/attack-pattern/attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87.json +++ b/mbc/attack-pattern/attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.662262Z", - "modified": "2022-02-05T00:37:22.632387Z", + "modified": "2022-09-08T18:26:13.416183Z", "name": "Hidden Files and Directories", "description": "Malware may hide files and folders to avoid detection and/or to persist on the system. See potential methods below.", "kill_chain_phases": [ @@ -24,8 +24,16 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md", "external_id": "F0005" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--2847e96e-8080-4f95-96df-b2194e42ac25.json b/mbc/attack-pattern/attack-pattern--2847e96e-8080-4f95-96df-b2194e42ac25.json index 80c3ee14..36a12c32 100644 --- a/mbc/attack-pattern/attack-pattern--2847e96e-8080-4f95-96df-b2194e42ac25.json +++ b/mbc/attack-pattern/attack-pattern--2847e96e-8080-4f95-96df-b2194e42ac25.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2847e96e-8080-4f95-96df-b2194e42ac25", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.973483Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.365016Z", "name": "Receive Request::HTTP Communication", "description": "HTTP server receives request.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", "external_id": "C0002.015" } ], diff --git a/mbc/attack-pattern/attack-pattern--28715d14-8b3f-4be9-95f6-e306de73f53f.json b/mbc/attack-pattern/attack-pattern--28715d14-8b3f-4be9-95f6-e306de73f53f.json deleted file mode 100644 index b142f786..00000000 --- a/mbc/attack-pattern/attack-pattern--28715d14-8b3f-4be9-95f6-e306de73f53f.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--ebde3b51-9052-4b6f-9fd4-6d3604c89bc4", - "objects": [ - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--28715d14-8b3f-4be9-95f6-e306de73f53f", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Shadow SDT Hooking", - "description": "Hooks the Shadow SSDT similarly to how the SSDT and IAT are hooked. The target of the hooking with the Shadow SSDT is the Windows subsystem (win32k.sys).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.005" - } - ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true - } - ] -} \ No newline at end of file diff --git a/mbc/attack-pattern/attack-pattern--28c6f55a-126f-436b-ab2e-af77f91d0cec.json b/mbc/attack-pattern/attack-pattern--28c6f55a-126f-436b-ab2e-af77f91d0cec.json index 8fdd0de7..93050dbc 100644 --- a/mbc/attack-pattern/attack-pattern--28c6f55a-126f-436b-ab2e-af77f91d0cec.json +++ b/mbc/attack-pattern/attack-pattern--28c6f55a-126f-436b-ab2e-af77f91d0cec.json 
@@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/keylogging.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/keylogging.md", "external_id": "F0002.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739.json b/mbc/attack-pattern/attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739.json index 789bc1ae..538d510e 100644 --- a/mbc/attack-pattern/attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739.json +++ b/mbc/attack-pattern/attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739.json @@ -8,7 +8,7 @@ "id": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.486264Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.300328Z", "name": "Sandbox Detection", "description": "Detects whether the malware instance is being executed inside an instrumented sandbox environment (e.g., Cuckoo Sandbox). If so, conditional execution selects a benign execution path.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", "external_id": "B0007" }, { @@ -29,7 +29,7 @@ }, { "source_name": "external_source", - "url": "http://labs.lastline.com/exposing-rombertik-turning-the-tables-on-evasive-malware" + "url": "https://blogs.cisco.com/security/talos/rombertik" }, { "source_name": "external_source", 
@@ -38,6 +38,14 @@
 {
 "source_name": "external_source",
 "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blogs.cisco.com/security/talos/rombertik"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754.json b/mbc/attack-pattern/attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754.json
index dbeb3f5e..bd498eb6 100644
--- a/mbc/attack-pattern/attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754.json
+++ b/mbc/attack-pattern/attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.689263Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.411258Z",
 "name": "Process Injection",
 "description": "Malware may execute code in the address space of a separate process.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md",
 "external_id": "E1055"
 },
 {
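Review bot: The last entry added in this hunk, `"url": "https://blogs.cisco.com/security/talos/rombertik"`, duplicates an external_reference this same file already carries: the earlier hunk in this file replaced the dead labs.lastline.com link with that exact Talos URL. STIX consumers will list the Rombertik source twice for B0007, so drop the trailing `{ "source_name": "external_source", "url": "https://blogs.cisco.com/security/talos/rombertik" }` object and the comma on the `},` before it. Since these bundles look generated, the de-duplication presumably belongs in the exporter rather than in a hand edit; the generator is not visible from here.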
@@ -44,9 +44,20 @@ "url": "https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1055", - "external_id": "T1055" + "source_name": "external_source", + "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/" + }, + { + "source_name": "external_source", + "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml" + }, + { + "source_name": "external_source", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--2b01bf8e-63cf-495c-8e2f-d18a8c286ad5.json b/mbc/attack-pattern/attack-pattern--2b01bf8e-63cf-495c-8e2f-d18a8c286ad5.json index aa1f1780..c63f4324 100644 --- a/mbc/attack-pattern/attack-pattern--2b01bf8e-63cf-495c-8e2f-d18a8c286ad5.json +++ b/mbc/attack-pattern/attack-pattern--2b01bf8e-63cf-495c-8e2f-d18a8c286ad5.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2b01bf8e-63cf-495c-8e2f-d18a8c286ad5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.499265Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.288631Z", "name": "Instruction Testing - VMCPUID", "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.037" }, { diff --git a/mbc/attack-pattern/attack-pattern--2b4653a5-2865-4768-ae75-e1f7cb84b39a.json b/mbc/attack-pattern/attack-pattern--2b4653a5-2865-4768-ae75-e1f7cb84b39a.json index 889334c3..f07ba335 100644 --- a/mbc/attack-pattern/attack-pattern--2b4653a5-2865-4768-ae75-e1f7cb84b39a.json +++ b/mbc/attack-pattern/attack-pattern--2b4653a5-2865-4768-ae75-e1f7cb84b39a.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2b4653a5-2865-4768-ae75-e1f7cb84b39a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.535262Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.275394Z", "name": "Flow Opcode Obstruction", "description": "Flow opcodes (e.g., jumps, loops) are removed and emulated (or decrypted) by the packer during execution, resulting in incorrect dumps. .", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", "external_id": "B0006.009" }, { diff --git a/mbc/attack-pattern/attack-pattern--2baec974-fab4-4fe3-92a6-c477893f132d.json b/mbc/attack-pattern/attack-pattern--2baec974-fab4-4fe3-92a6-c477893f132d.json index ecb78bf6..89a759df 100644 --- a/mbc/attack-pattern/attack-pattern--2baec974-fab4-4fe3-92a6-c477893f132d.json +++ b/mbc/attack-pattern/attack-pattern--2baec974-fab4-4fe3-92a6-c477893f132d.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--2baec974-fab4-4fe3-92a6-c477893f132d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.509262Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.303076Z", "name": "Block Interrupts", "description": "Block interrupt (via hooking) 1 and/or 3 to prevent debuggers from working.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--2bef87a4-e803-4bb7-8f8f-fac4f63a02e1.json b/mbc/attack-pattern/attack-pattern--2bef87a4-e803-4bb7-8f8f-fac4f63a02e1.json index da67e328..32779343 100644 --- a/mbc/attack-pattern/attack-pattern--2bef87a4-e803-4bb7-8f8f-fac4f63a02e1.json +++ b/mbc/attack-pattern/attack-pattern--2bef87a4-e803-4bb7-8f8f-fac4f63a02e1.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2bef87a4-e803-4bb7-8f8f-fac4f63a02e1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.534261Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.274836Z", "name": "Erase the PE header", "description": "Erase PE header from memory.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", "external_id": "B0006.002" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--2bf1a1a6-82ff-4e52-b11c-bd2d0495e830.json b/mbc/attack-pattern/attack-pattern--2bf1a1a6-82ff-4e52-b11c-bd2d0495e830.json index 24430831..3a0f8db0 100644 --- a/mbc/attack-pattern/attack-pattern--2bf1a1a6-82ff-4e52-b11c-bd2d0495e830.json +++ b/mbc/attack-pattern/attack-pattern--2bf1a1a6-82ff-4e52-b11c-bd2d0495e830.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/wallpaper.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/wallpaper.md", "external_id": "C0035" } ], diff --git a/mbc/attack-pattern/attack-pattern--2c55e74c-c066-43e0-bdaa-8d74959b7694.json b/mbc/attack-pattern/attack-pattern--2c55e74c-c066-43e0-bdaa-8d74959b7694.json index fba874df..b1bcd23b 100644 --- a/mbc/attack-pattern/attack-pattern--2c55e74c-c066-43e0-bdaa-8d74959b7694.json +++ b/mbc/attack-pattern/attack-pattern--2c55e74c-c066-43e0-bdaa-8d74959b7694.json @@ -8,10 +8,22 @@ "id": "attack-pattern--2c55e74c-c066-43e0-bdaa-8d74959b7694", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", + "modified": "2022-09-08T18:26:13.418468Z", "name": "Export Address Table (EAT) Hooking", "description": "Malware (e.g. rootkit) hooks the export address table (EAT).", "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + }, { "kill_chain_name": "mitre-mbc", "phase_name": "defense-evasion" 
@@ -28,7 +40,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", "external_id": "F0015.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--2c90706d-0b4a-45e1-b9f0-0292ebb69edf.json b/mbc/attack-pattern/attack-pattern--2c90706d-0b4a-45e1-b9f0-0292ebb69edf.json index 24a8179c..6ecfa0a7 100644 --- a/mbc/attack-pattern/attack-pattern--2c90706d-0b4a-45e1-b9f0-0292ebb69edf.json +++ b/mbc/attack-pattern/attack-pattern--2c90706d-0b4a-45e1-b9f0-0292ebb69edf.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2c90706d-0b4a-45e1-b9f0-0292ebb69edf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.496265Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.286517Z", "name": "Instruction Testing - CPUID", "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. Checking the CPU ID found within the registry can provide information to system type.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.034" }, { diff --git a/mbc/attack-pattern/attack-pattern--2cab79e4-750b-43e3-9486-0d7801d8fdd8.json b/mbc/attack-pattern/attack-pattern--2cab79e4-750b-43e3-9486-0d7801d8fdd8.json index 2e37c29d..5dcd55cf 100644 --- a/mbc/attack-pattern/attack-pattern--2cab79e4-750b-43e3-9486-0d7801d8fdd8.json 
+++ b/mbc/attack-pattern/attack-pattern--2cab79e4-750b-43e3-9486-0d7801d8fdd8.json @@ -19,7 +19,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", "external_id": "B0011.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--2e82d33e-a804-42a2-9931-57f7b7af78f9.json b/mbc/attack-pattern/attack-pattern--2e82d33e-a804-42a2-9931-57f7b7af78f9.json index aa47de0b..6959e98f 100644 --- a/mbc/attack-pattern/attack-pattern--2e82d33e-a804-42a2-9931-57f7b7af78f9.json +++ b/mbc/attack-pattern/attack-pattern--2e82d33e-a804-42a2-9931-57f7b7af78f9.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2e82d33e-a804-42a2-9931-57f7b7af78f9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.991483Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.388134Z", "name": "AES::Encrypt Data", "description": "Malware encrypts with the AES algorithm.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", "external_id": "C0027.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--2ed5189e-8701-45ab-b222-b4b23f2bbb0e.json b/mbc/attack-pattern/attack-pattern--2ed5189e-8701-45ab-b222-b4b23f2bbb0e.json index 0be847a4..cdd9d4d3 100644 --- a/mbc/attack-pattern/attack-pattern--2ed5189e-8701-45ab-b222-b4b23f2bbb0e.json +++ b/mbc/attack-pattern/attack-pattern--2ed5189e-8701-45ab-b222-b4b23f2bbb0e.json 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/use-constant.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/use-constant.md", "external_id": "C0020" } ], diff --git a/mbc/attack-pattern/attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb.json b/mbc/attack-pattern/attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb.json index dee5731c..15218be1 100644 --- a/mbc/attack-pattern/attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb.json +++ b/mbc/attack-pattern/attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.806261Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.379974Z", "name": "DNS Communication", "description": "The DNS Communication micro-behavior focuses on DNS communication.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", "external_id": "C0011" } ], diff --git a/mbc/attack-pattern/attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9.json b/mbc/attack-pattern/attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9.json index 9892e6dd..1634b755 100644 --- a/mbc/attack-pattern/attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9.json +++ b/mbc/attack-pattern/attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.52526Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.328554Z", "name": "Dynamic Analysis Evasion", "description": "Malware may obstruct dynamic analysis in a sandbox, emulator, or virtual machine.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", "external_id": "B0003" }, { @@ -40,9 +40,12 @@ "url": "https://research.checkpoint.com/2019-resurgence-of-smokeloader/" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1497/", - "external_id": "T1497" + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://www.joesecurity.org/blog/498839998833561473" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52.json b/mbc/attack-pattern/attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52.json index 3f03ca47..0354be42 100644 --- a/mbc/attack-pattern/attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52.json +++ b/mbc/attack-pattern/attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.850262Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.397009Z", "name": "Generate Pseudo-random Sequence", "description": "The Generate Pseudo-random Sequence microbehavior can be used for a number of purposes. The methods below include specific functions, as well as pseudorandom number generators (PRNG).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md", "external_id": "C0021" } ], diff --git a/mbc/attack-pattern/attack-pattern--2f82d3b5-c6f8-4f4b-89e1-8605ea457749.json b/mbc/attack-pattern/attack-pattern--2f82d3b5-c6f8-4f4b-89e1-8605ea457749.json index 1f68f760..e0bd63fe 100644 --- a/mbc/attack-pattern/attack-pattern--2f82d3b5-c6f8-4f4b-89e1-8605ea457749.json +++ b/mbc/attack-pattern/attack-pattern--2f82d3b5-c6f8-4f4b-89e1-8605ea457749.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2f82d3b5-c6f8-4f4b-89e1-8605ea457749", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.939481Z", - "modified": "2022-02-05T00:37:22.679223Z", + "modified": "2022-09-08T18:26:13.218485Z", "name": "Taskbar Discovery", "description": "Malware may find the taskbar.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/taskbar-discover.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/taskbar-discovery.md", "external_id": "B0043" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--2fdbb4b2-a02a-42de-a6de-2263b48392f1.json b/mbc/attack-pattern/attack-pattern--2fdbb4b2-a02a-42de-a6de-2263b48392f1.json index e544e5bc..8fe7f6ad 100644 --- a/mbc/attack-pattern/attack-pattern--2fdbb4b2-a02a-42de-a6de-2263b48392f1.json +++ b/mbc/attack-pattern/attack-pattern--2fdbb4b2-a02a-42de-a6de-2263b48392f1.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2fdbb4b2-a02a-42de-a6de-2263b48392f1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.975482Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.366806Z", "name": "WinHTTP::HTTP Communication", "description": "An HTTP request is made via the Windows HTTP Services (WinHTTP) application programming interface (API).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", "external_id": "C0002.008" } ], diff --git a/mbc/attack-pattern/attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3.json b/mbc/attack-pattern/attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3.json index e48d4fff..946f705a 100644 --- a/mbc/attack-pattern/attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3.json +++ b/mbc/attack-pattern/attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3.json @@ -8,7 +8,7 @@ "id": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.769263Z", - "modified": "2022-02-05T00:37:22.71051Z", + "modified": "2022-09-08T18:26:13.259774Z", "name": "Data Destruction", "description": "Data, system files, or other files are destroyed. Individual files are selected, as opposed to wiping an entire sector.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md", "external_id": "E1485" }, { @@ -28,14 +28,20 @@ "url": "http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1485/", - "external_id": "T1485" + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1447/", - "external_id": "T1447" + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "external_source", + "url": "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--3018beac-a047-4b14-9c72-3340866b4c67.json b/mbc/attack-pattern/attack-pattern--3018beac-a047-4b14-9c72-3340866b4c67.json index a5344d56..c65ccce8 100644 --- a/mbc/attack-pattern/attack-pattern--3018beac-a047-4b14-9c72-3340866b4c67.json +++ b/mbc/attack-pattern/attack-pattern--3018beac-a047-4b14-9c72-3340866b4c67.json @@ -8,7 +8,7 @@ "id": "attack-pattern--3018beac-a047-4b14-9c72-3340866b4c67", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.410914Z", "name": "Patch Process Command Line", "description": "Malware patches the PEB of a process to spoof the arguments.", "kill_chain_phases": [ 
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md",
 "external_id": "E1055.m04"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--30b37187-7b90-4271-b554-e0a5265fc977.json b/mbc/attack-pattern/attack-pattern--30b37187-7b90-4271-b554-e0a5265fc977.json
new file mode 100644
index 00000000..e7b65544
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--30b37187-7b90-4271-b554-e0a5265fc977.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--0fcfdd13-bcca-4cb5-aa56-fb68d6b516e4",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--30b37187-7b90-4271-b554-e0a5265fc977",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.219183Z",
+ "modified": "2022-09-08T18:26:13.219183Z",
+ "name": "Install Certificate",
+ "description": "Malware may install a certificate to gain access to https traffic.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/privilege-escalation/install-certificate.md",
+ "external_id": "E1608"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--3110ab37-847b-4f50-be91-9748cee0f4a0.json b/mbc/attack-pattern/attack-pattern--3110ab37-847b-4f50-be91-9748cee0f4a0.json
index 72549caa..7c7cca38 100644
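Review bot: The new Install Certificate object's description, `Malware may install a certificate to gain access to https traffic.`, understates the behavior it names: installing an arbitrary certificate grants no access to anything, whereas installing a root (CA) certificate into the system or browser trust store makes a local proxy's forged leaf certificates trusted so TLS traffic can be decrypted and altered, which is what the cited Malwarebytes write-up (per its title, interception of encrypted web traffic for ad injection) appears to describe. Suggest `"description": "Malware may install a root (CA) certificate into a trust store so that it can intercept and decrypt HTTPS traffic, for example through a local proxy."`. The `privilege-escalation` phase also merits a justifying sentence in the linked markdown, since trust-store tampering does not change the malware's privilege level and ATT&CK files root-certificate installation under Defense Evasion. The file is also written without a trailing newline (`\ No newline at end of file`), which the generator could normalize for cleaner future diffs.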
--- a/mbc/attack-pattern/attack-pattern--3110ab37-847b-4f50-be91-9748cee0f4a0.json +++ b/mbc/attack-pattern/attack-pattern--3110ab37-847b-4f50-be91-9748cee0f4a0.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/polymorphic-code.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/polymorphic-code.md", "external_id": "B0029.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--31c2f227-2583-4f36-a24f-0f2610f1e055.json b/mbc/attack-pattern/attack-pattern--31c2f227-2583-4f36-a24f-0f2610f1e055.json index 7f0eb4c4..b8ec46d4 100644 --- a/mbc/attack-pattern/attack-pattern--31c2f227-2583-4f36-a24f-0f2610f1e055.json +++ b/mbc/attack-pattern/attack-pattern--31c2f227-2583-4f36-a24f-0f2610f1e055.json @@ -8,7 +8,7 @@ "id": "attack-pattern--31c2f227-2583-4f36-a24f-0f2610f1e055", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.007478Z", - "modified": "2022-02-05T00:37:22.788643Z", + "modified": "2022-09-08T18:26:13.337492Z", "name": "Fast-Hash::Non-Cryptographic Hash", "description": "Malware uses the Fast-Hash hash function.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md", "external_id": "C0030.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--333a4ca2-d8a5-4829-abcb-c42736a41f0d.json b/mbc/attack-pattern/attack-pattern--333a4ca2-d8a5-4829-abcb-c42736a41f0d.json index 7071e727..fa2a8701 100644 --- a/mbc/attack-pattern/attack-pattern--333a4ca2-d8a5-4829-abcb-c42736a41f0d.json +++ b/mbc/attack-pattern/attack-pattern--333a4ca2-d8a5-4829-abcb-c42736a41f0d.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--333a4ca2-d8a5-4829-abcb-c42736a41f0d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.002478Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.329942Z", "name": "IEncodingFilterFactory::Compress Data", "description": "Malware compresses data using IEncodingFilterFactory.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/compress.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/compress-data.md", "external_id": "C0024.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd.json b/mbc/attack-pattern/attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd.json index 9f88b8b4..fb991a49 100644 --- a/mbc/attack-pattern/attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd.json +++ b/mbc/attack-pattern/attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd.json @@ -8,7 +8,7 @@ "id": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.77826Z", - "modified": "2022-02-05T00:37:22.71051Z", + "modified": "2022-09-08T18:26:13.270562Z", "name": "Data Encrypted for Impact", "description": "Malware may encrypt files stored on the system to prevent user access until a ransom is paid and/or to interrupt system availability. The encryption process usually iterates over all letter drives in the system (except for CD drives) and then recursively encrypts all files with specific suffixes.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/encrypt-impact.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-encrypted-for-impact.md", "external_id": "E1486" }, { diff --git a/mbc/attack-pattern/attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f.json b/mbc/attack-pattern/attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f.json index 8cbce33d..d4fc4ba7 100644 --- a/mbc/attack-pattern/attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f.json +++ b/mbc/attack-pattern/attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f.json @@ -8,7 +8,7 @@ "id": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.994484Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.392651Z", "name": "Encrypt Data", "description": "Malware may encrypt data.", "kill_chain_phases": [ @@ -20,8 +20,24 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", "external_id": "C0027" + }, + { + "source_name": "external_source", + "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" + }, + { + "source_name": "external_source", + "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" + }, + { + "source_name": "external_source", + "url": "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy" } ], "object_marking_refs": [ 
diff --git a/mbc/attack-pattern/attack-pattern--35284c4d-652f-40bd-b49b-7d625914bc75.json b/mbc/attack-pattern/attack-pattern--35284c4d-652f-40bd-b49b-7d625914bc75.json index 99ca965f..e27ef7d4 100644 --- a/mbc/attack-pattern/attack-pattern--35284c4d-652f-40bd-b49b-7d625914bc75.json +++ b/mbc/attack-pattern/attack-pattern--35284c4d-652f-40bd-b49b-7d625914bc75.json @@ -8,7 +8,7 @@ "id": "attack-pattern--35284c4d-652f-40bd-b49b-7d625914bc75", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.483264Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.295463Z", "name": "Check Clipboard Data", "description": "Checks clipboard data which can be used to detect whether execution is inside a sandbox.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", "external_id": "B0007.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--352fc821-2bbf-4d2a-a9a2-3a69b3bac30c.json b/mbc/attack-pattern/attack-pattern--352fc821-2bbf-4d2a-a9a2-3a69b3bac30c.json index 5241fa64..b29a656f 100644 --- a/mbc/attack-pattern/attack-pattern--352fc821-2bbf-4d2a-a9a2-3a69b3bac30c.json +++ b/mbc/attack-pattern/attack-pattern--352fc821-2bbf-4d2a-a9a2-3a69b3bac30c.json @@ -8,7 +8,7 @@ "id": "attack-pattern--352fc821-2bbf-4d2a-a9a2-3a69b3bac30c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.974485Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.365787Z", "name": "Start Server::HTTP Communication", "description": "HTTP server is started.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", "external_id": "C0002.018" } ], diff --git a/mbc/attack-pattern/attack-pattern--35365158-0007-49fa-bc45-da311d3c6246.json b/mbc/attack-pattern/attack-pattern--35365158-0007-49fa-bc45-da311d3c6246.json index 9caae5df..6d70afc2 100644 --- a/mbc/attack-pattern/attack-pattern--35365158-0007-49fa-bc45-da311d3c6246.json +++ b/mbc/attack-pattern/attack-pattern--35365158-0007-49fa-bc45-da311d3c6246.json @@ -8,7 +8,7 @@ "id": "attack-pattern--35365158-0007-49fa-bc45-da311d3c6246", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.973483Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.36383Z", "name": "Extract Body::HTTP Communication", "description": "HTTP client extracts HTTP body.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", "external_id": "C0002.011" } ], diff --git a/mbc/attack-pattern/attack-pattern--35a8f2ce-05e2-4a25-a469-e07a6360eee3.json b/mbc/attack-pattern/attack-pattern--35a8f2ce-05e2-4a25-a469-e07a6360eee3.json index 1c0bbcce..d362354d 100644 --- a/mbc/attack-pattern/attack-pattern--35a8f2ce-05e2-4a25-a469-e07a6360eee3.json +++ b/mbc/attack-pattern/attack-pattern--35a8f2ce-05e2-4a25-a469-e07a6360eee3.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--35a8f2ce-05e2-4a25-a469-e07a6360eee3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.469264Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.317913Z", "name": "Process Environment Block IsDebugged", "description": "The IsDebugged field is tested to determine whether the process is being debugged.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.037" } ], diff --git a/mbc/attack-pattern/attack-pattern--35d551ab-014b-4fab-8ba8-b91fb42a3985.json b/mbc/attack-pattern/attack-pattern--35d551ab-014b-4fab-8ba8-b91fb42a3985.json index 37aa8bf0..8b2d2d63 100644 --- a/mbc/attack-pattern/attack-pattern--35d551ab-014b-4fab-8ba8-b91fb42a3985.json +++ b/mbc/attack-pattern/attack-pattern--35d551ab-014b-4fab-8ba8-b91fb42a3985.json @@ -8,7 +8,7 @@ "id": "attack-pattern--35d551ab-014b-4fab-8ba8-b91fb42a3985", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.533262Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.27455Z", "name": "Code Encryption in Memory", "description": "Encrypt the executing malware instance code in memory.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", "external_id": "B0006.001" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--36074f02-7b9b-4052-998f-cb6c56447031.json b/mbc/attack-pattern/attack-pattern--36074f02-7b9b-4052-998f-cb6c56447031.json index 4d97ef93..550cc975 100644 --- a/mbc/attack-pattern/attack-pattern--36074f02-7b9b-4052-998f-cb6c56447031.json +++ b/mbc/attack-pattern/attack-pattern--36074f02-7b9b-4052-998f-cb6c56447031.json @@ -8,7 +8,7 @@ "id": "attack-pattern--36074f02-7b9b-4052-998f-cb6c56447031", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.555263Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.191016Z", "name": "Code Insertion", "description": "Insert code to impede disassembly.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", "external_id": "B0032.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--373415cb-bc3b-4602-8032-584b7cf758c5.json b/mbc/attack-pattern/attack-pattern--373415cb-bc3b-4602-8032-584b7cf758c5.json index e7f6849e..7b9f44b4 100644 --- a/mbc/attack-pattern/attack-pattern--373415cb-bc3b-4602-8032-584b7cf758c5.json +++ b/mbc/attack-pattern/attack-pattern--373415cb-bc3b-4602-8032-584b7cf758c5.json @@ -19,7 +19,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", "external_id": "B0011.007" } ], diff --git a/mbc/attack-pattern/attack-pattern--373bb770-4890-4e13-a0d6-94459bed37aa.json b/mbc/attack-pattern/attack-pattern--373bb770-4890-4e13-a0d6-94459bed37aa.json index db4179ca..0d4e614c 100644 
--- a/mbc/attack-pattern/attack-pattern--373bb770-4890-4e13-a0d6-94459bed37aa.json +++ b/mbc/attack-pattern/attack-pattern--373bb770-4890-4e13-a0d6-94459bed37aa.json @@ -8,7 +8,7 @@ "id": "attack-pattern--373bb770-4890-4e13-a0d6-94459bed37aa", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.566267Z", - "modified": "2022-02-05T00:37:22.585511Z", + "modified": "2022-09-08T18:26:13.202744Z", "name": "Minification", "description": "Minification is 'the process of removing all unnecessary characters from source code without changing its functionality.' A simple example is when all the unnecessary whitespace and comments are removed. Minification is distinguished from compression in that it neither adds to nor changes the code seen by the interpreter. Minification is often used for malware written in interpreted languages, such as JavaScript, PHP, or Python. Legitimate code that is transmitted many times a second, such as JavaScript on websites, often uses minification to simply reduce the number of bytes transmitted.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-optimize.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-optimization.md", "external_id": "B0034.002" }, { diff --git a/mbc/attack-pattern/attack-pattern--37487e77-eda2-495c-bf1c-48f05062b2ca.json b/mbc/attack-pattern/attack-pattern--37487e77-eda2-495c-bf1c-48f05062b2ca.json index 1465a372..602f0663 100644 --- a/mbc/attack-pattern/attack-pattern--37487e77-eda2-495c-bf1c-48f05062b2ca.json +++ b/mbc/attack-pattern/attack-pattern--37487e77-eda2-495c-bf1c-48f05062b2ca.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--37487e77-eda2-495c-bf1c-48f05062b2ca", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.989483Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.385789Z", "name": "RC4::Decrypt Data", "description": "Malware decrypts data encrypted with the RC4 algorithm.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", "external_id": "C0031.008" } ], diff --git a/mbc/attack-pattern/attack-pattern--37eb387f-ecb3-4098-926b-2e1d2c3da16e.json b/mbc/attack-pattern/attack-pattern--37eb387f-ecb3-4098-926b-2e1d2c3da16e.json index 5b2b3d28..baf63dac 100644 --- a/mbc/attack-pattern/attack-pattern--37eb387f-ecb3-4098-926b-2e1d2c3da16e.json +++ b/mbc/attack-pattern/attack-pattern--37eb387f-ecb3-4098-926b-2e1d2c3da16e.json @@ -8,7 +8,7 @@ "id": "attack-pattern--37eb387f-ecb3-4098-926b-2e1d2c3da16e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.828261Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.361519Z", "name": "Server Connect::SMTP Communication", "description": "Connects to an smtp server.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/smtp-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/smtp-communication.md", "external_id": "C0012.001" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--38dad326-aeb6-4341-9a2b-233fcd5698cd.json b/mbc/attack-pattern/attack-pattern--38dad326-aeb6-4341-9a2b-233fcd5698cd.json index 741df603..77e4015f 100644 --- a/mbc/attack-pattern/attack-pattern--38dad326-aeb6-4341-9a2b-233fcd5698cd.json +++ b/mbc/attack-pattern/attack-pattern--38dad326-aeb6-4341-9a2b-233fcd5698cd.json @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", "external_id": "F0001.011" } ], diff --git a/mbc/attack-pattern/attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913.json b/mbc/attack-pattern/attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913.json index 85861cc5..e27adc5a 100644 --- a/mbc/attack-pattern/attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913.json +++ b/mbc/attack-pattern/attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913.json @@ -8,7 +8,7 @@ "id": "attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.887261Z", - "modified": "2022-02-05T00:37:22.819853Z", + "modified": "2022-09-08T18:26:13.353448Z", "name": "Create Process", "description": "Malware creates a process.", "kill_chain_phases": [ @@ -20,8 +20,12 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-process.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-process.md", "external_id": "C0017" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" } ], "object_marking_refs": [ 
diff --git a/mbc/attack-pattern/attack-pattern--39d98cff-ebf0-4824-8a7a-55ba1058664b.json b/mbc/attack-pattern/attack-pattern--39d98cff-ebf0-4824-8a7a-55ba1058664b.json index d93d1f0d..2e5bc05c 100644 --- a/mbc/attack-pattern/attack-pattern--39d98cff-ebf0-4824-8a7a-55ba1058664b.json +++ b/mbc/attack-pattern/attack-pattern--39d98cff-ebf0-4824-8a7a-55ba1058664b.json @@ -8,7 +8,7 @@ "id": "attack-pattern--39d98cff-ebf0-4824-8a7a-55ba1058664b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.468265Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.317387Z", "name": "Process Environment Block", "description": "The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, such as \"BeingDebugged,\" \"NtGlobalFlag,\" and \"IsDebugged\". Testing the value of this PEB field of a particular process can indicate whether the process is being debugged. Testing \"BeingDebugged\" is equivalent to using the kernel32!IsDebuggerPresent API call (see separate method).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.019" } ], diff --git a/mbc/attack-pattern/attack-pattern--39df68e5-9065-4b60-8ad1-ff626707b95a.json b/mbc/attack-pattern/attack-pattern--39df68e5-9065-4b60-8ad1-ff626707b95a.json index fa9930a4..7c60c33c 100644 --- a/mbc/attack-pattern/attack-pattern--39df68e5-9065-4b60-8ad1-ff626707b95a.json +++ b/mbc/attack-pattern/attack-pattern--39df68e5-9065-4b60-8ad1-ff626707b95a.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--39df68e5-9065-4b60-8ad1-ff626707b95a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.983492Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.375381Z", "name": "TCP Client::Socket Communication", "description": "TCP client behavior.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.008" } ], diff --git a/mbc/attack-pattern/attack-pattern--3a9b6fab-01af-47ef-9563-69427ed4090c.json b/mbc/attack-pattern/attack-pattern--3a9b6fab-01af-47ef-9563-69427ed4090c.json index 1659d421..271add1a 100644 --- a/mbc/attack-pattern/attack-pattern--3a9b6fab-01af-47ef-9563-69427ed4090c.json +++ b/mbc/attack-pattern/attack-pattern--3a9b6fab-01af-47ef-9563-69427ed4090c.json @@ -8,7 +8,7 @@ "id": "attack-pattern--3a9b6fab-01af-47ef-9563-69427ed4090c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.537265Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.19228Z", "name": "Guard Pages", "description": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", "external_id": "B0032.010" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--3aa1c4d4-06c4-4d48-bc44-601b29abded8.json b/mbc/attack-pattern/attack-pattern--3aa1c4d4-06c4-4d48-bc44-601b29abded8.json index d8145015..341ea155 100644 --- a/mbc/attack-pattern/attack-pattern--3aa1c4d4-06c4-4d48-bc44-601b29abded8.json +++ b/mbc/attack-pattern/attack-pattern--3aa1c4d4-06c4-4d48-bc44-601b29abded8.json @@ -8,7 +8,7 @@ "id": "attack-pattern--3aa1c4d4-06c4-4d48-bc44-601b29abded8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.558264Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.193094Z", "name": "Instruction Overlap", "description": "Jump after the first byte of an instruction to confuse disassembler.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", "external_id": "B0032.013" } ], diff --git a/mbc/attack-pattern/attack-pattern--3b11e590-980e-4850-a9a1-6189b62f62b1.json b/mbc/attack-pattern/attack-pattern--3b11e590-980e-4850-a9a1-6189b62f62b1.json index 6ba5f92c..26bd0aed 100644 --- a/mbc/attack-pattern/attack-pattern--3b11e590-980e-4850-a9a1-6189b62f62b1.json +++ b/mbc/attack-pattern/attack-pattern--3b11e590-980e-4850-a9a1-6189b62f62b1.json @@ -8,7 +8,7 @@ "id": "attack-pattern--3b11e590-980e-4850-a9a1-6189b62f62b1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.00448Z", - "modified": "2022-02-05T00:37:22.788643Z", + "modified": "2022-09-08T18:26:13.331347Z", "name": "IEncodingFilterFactory::Decompress Data", "description": "Malware decompresses data using IEncodingFilterFactory.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decompress.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decompress-data.md", "external_id": "C0025.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5.json b/mbc/attack-pattern/attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5.json index 0615a2c0..773cd851 100644 --- a/mbc/attack-pattern/attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5.json +++ b/mbc/attack-pattern/attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md", "external_id": "C0032.004" } ], diff --git a/mbc/attack-pattern/attack-pattern--3c0f36be-c4c0-4769-9be4-50682bc6a467.json b/mbc/attack-pattern/attack-pattern--3c0f36be-c4c0-4769-9be4-50682bc6a467.json index ed3f431f..4c144149 100644 --- a/mbc/attack-pattern/attack-pattern--3c0f36be-c4c0-4769-9be4-50682bc6a467.json +++ b/mbc/attack-pattern/attack-pattern--3c0f36be-c4c0-4769-9be4-50682bc6a467.json @@ -8,7 +8,7 @@ "id": "attack-pattern--3c0f36be-c4c0-4769-9be4-50682bc6a467", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.516301Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.309137Z", "name": "Self-Unmapping", "description": "UnmapViewOfFile() on itself.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.025" } ], diff --git a/mbc/attack-pattern/attack-pattern--3cb4d50f-649d-4b09-b9a4-151bcc7ebc43.json b/mbc/attack-pattern/attack-pattern--3cb4d50f-649d-4b09-b9a4-151bcc7ebc43.json index dd76f1dd..afe4b516 100644 --- a/mbc/attack-pattern/attack-pattern--3cb4d50f-649d-4b09-b9a4-151bcc7ebc43.json +++ b/mbc/attack-pattern/attack-pattern--3cb4d50f-649d-4b09-b9a4-151bcc7ebc43.json @@ -8,7 +8,7 @@ "id": "attack-pattern--3cb4d50f-649d-4b09-b9a4-151bcc7ebc43", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.560265Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.194111Z", "name": "Merged Code Sections", "description": "Merge all sections resulting in just one entry in the sections table to make readability more difficult. May affect some detection signatures if written to be section dependent.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", "external_id": "B0032.015" } ], diff --git a/mbc/attack-pattern/attack-pattern--3d34b429-1686-44be-8b63-bded4942cee7.json b/mbc/attack-pattern/attack-pattern--3d34b429-1686-44be-8b63-bded4942cee7.json index 72b21470..4b0afe11 100644 --- a/mbc/attack-pattern/attack-pattern--3d34b429-1686-44be-8b63-bded4942cee7.json +++ b/mbc/attack-pattern/attack-pattern--3d34b429-1686-44be-8b63-bded4942cee7.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--3d34b429-1686-44be-8b63-bded4942cee7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.514301Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.307383Z", "name": "Pipeline Misdirection", "description": "Take advantage of pipelining in modern processors to misdirect debugging, emulation, or static analysis tools. An unpacker can assume a certain number of opcodes will be cached and then proceed to overwrite them in memory, causing a debugger/emulator/analyzer to follow different code than is normally executed.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.018" } ], diff --git a/mbc/attack-pattern/attack-pattern--3d502650-c707-4d28-b520-f440faa33ade.json b/mbc/attack-pattern/attack-pattern--3d502650-c707-4d28-b520-f440faa33ade.json index 18fbc3c2..b9d2351a 100644 --- a/mbc/attack-pattern/attack-pattern--3d502650-c707-4d28-b520-f440faa33ade.json +++ b/mbc/attack-pattern/attack-pattern--3d502650-c707-4d28-b520-f440faa33ade.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md", "external_id": "C0032.005" } ], diff --git a/mbc/attack-pattern/attack-pattern--3dc536c2-fa47-4acd-9043-1b0a0c2b2db6.json b/mbc/attack-pattern/attack-pattern--3dc536c2-fa47-4acd-9043-1b0a0c2b2db6.json index b2fc062e..f7398b41 100644 --- a/mbc/attack-pattern/attack-pattern--3dc536c2-fa47-4acd-9043-1b0a0c2b2db6.json 
+++ b/mbc/attack-pattern/attack-pattern--3dc536c2-fa47-4acd-9043-1b0a0c2b2db6.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/self-deletion.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/self-deletion.md",
 "external_id": "F0007.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8.json b/mbc/attack-pattern/attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8.json
index 8ebec102..a52cc724 100644
--- a/mbc/attack-pattern/attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8.json
+++ b/mbc/attack-pattern/attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.80226Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.226424Z",
 "name": "Supply Chain Compromise",
- "description": "The supply chain may be compromised to enable initial malware infection. Malware-related methods are listed below to supplement the information available defined in ATT&CK: [**Supply Chain Compromise**](https://attack.mitre.org/techniques/T1195/).",
+ "description": "The supply chain may be compromised to enable initial malware infection. MBC objectives don't encompass initial infection, but the malware-related methods are listed below supplement the information available defined in ATT&CK and allow for lateral movement: **Supply Chain Compromise ([T1195](https://attack.mitre.org/techniques/T1195/), [T1474](https://attack.mitre.org/techniques/T1474/))**.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
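Review bot: The rewritten Supply Chain Compromise description has a grammar slip and an unexplained claim: `the malware-related methods are listed below supplement the information available defined in ATT&CK` is missing "to" and doubles "available defined", and `allow for lateral movement` asserts a mechanism the text never states, which matters because this object is what justifies filing the behavior under lateral-movement. Suggest `"description": "The supply chain may be compromised to enable initial malware infection. MBC objectives do not encompass initial infection; the malware-related methods listed below supplement the information in ATT&CK: **Supply Chain Compromise ([T1195](https://attack.mitre.org/techniques/T1195/), [T1474](https://attack.mitre.org/techniques/T1474/))**."` plus one sentence on how a compromised supply chain is used to move laterally, if that is the intended reading. T1474 appears to be the Mobile-matrix counterpart of T1195; saying so in the text would help readers who only know the Enterprise matrix. The `kill_chain_phases` array continues past the end of the hunk.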
@@ -20,17 +20,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/lateral-movement/supply-chain-compromise.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/lateral-movement/supply-chain-compromise.md",
 "external_id": "E1195"
 },
 {
 "source_name": "external_source",
 "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
- },
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1195/",
- "external_id": "T1195"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--3f907716-eb0f-4fd6-8db6-46f6932ab585.json b/mbc/attack-pattern/attack-pattern--3f907716-eb0f-4fd6-8db6-46f6932ab585.json
index 18903190..3d8627a6 100644
--- a/mbc/attack-pattern/attack-pattern--3f907716-eb0f-4fd6-8db6-46f6932ab585.json
+++ b/mbc/attack-pattern/attack-pattern--3f907716-eb0f-4fd6-8db6-46f6932ab585.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--3f907716-eb0f-4fd6-8db6-46f6932ab585",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.518266Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.310399Z",
 "name": "Use Interrupts",
 "description": "The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption \"key\".",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.030"
 }
 ],
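Review bot: The `@@ -20,17 +20,12 @@` hunk for attack-pattern--3f00f5b3 removes the `mitre-attack` entry (`external_id` `T1195`) from `external_references`, while the new description now cites T1195 and T1474 only inside markdown prose. Tooling that maps MBC behaviors to ATT&CK does so through `external_references` entries with `source_name` `mitre-attack`, so the machine-readable link is lost at the same time the human-readable one is strengthened. Unless dropping structured ATT&CK references is an intended v2.3-wide change, keep `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1195/", "external_id": "T1195" }` and add a matching entry for T1474 pointing at `https://attack.mitre.org/techniques/T1474/`. If it is intended, the commit description should say so, because downstream consumers keyed on that entry will silently lose the mapping.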
diff --git a/mbc/attack-pattern/attack-pattern--3fe270a3-09a5-4ca9-937f-d2bee9afed96.json b/mbc/attack-pattern/attack-pattern--3fe270a3-09a5-4ca9-937f-d2bee9afed96.json
index 76df7514..18087f9a 100644
--- a/mbc/attack-pattern/attack-pattern--3fe270a3-09a5-4ca9-937f-d2bee9afed96.json
+++ b/mbc/attack-pattern/attack-pattern--3fe270a3-09a5-4ca9-937f-d2bee9afed96.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--3fe270a3-09a5-4ca9-937f-d2bee9afed96",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.516301Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.308619Z",
 "name": "Section Misalignment",
 "description": "Some analysis tools cannot handle binaries with misaligned sections.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.023"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--405c94b9-4f0e-476b-982d-72bb1905daa9.json b/mbc/attack-pattern/attack-pattern--405c94b9-4f0e-476b-982d-72bb1905daa9.json
index 09c0bfbd..ed31dbbc 100644
--- a/mbc/attack-pattern/attack-pattern--405c94b9-4f0e-476b-982d-72bb1905daa9.json
+++ b/mbc/attack-pattern/attack-pattern--405c94b9-4f0e-476b-982d-72bb1905daa9.json
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md",
 "external_id": "F0001.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--415ff076-0f63-4040-940e-439321695a67.json b/mbc/attack-pattern/attack-pattern--415ff076-0f63-4040-940e-439321695a67.json
index 0ec192db..049ce008 100644
--- a/mbc/attack-pattern/attack-pattern--415ff076-0f63-4040-940e-439321695a67.json
+++ b/mbc/attack-pattern/attack-pattern--415ff076-0f63-4040-940e-439321695a67.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--415ff076-0f63-4040-940e-439321695a67",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.556264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.19154Z",
 "name": "Dead Code Insertion",
 "description": "Include \"dead\" code with no real functionality.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--41746d12-dfb1-4e7d-bd7e-81678b93b977.json b/mbc/attack-pattern/attack-pattern--41746d12-dfb1-4e7d-bd7e-81678b93b977.json
index bf75e443..134c63fb 100644
--- a/mbc/attack-pattern/attack-pattern--41746d12-dfb1-4e7d-bd7e-81678b93b977.json
+++ b/mbc/attack-pattern/attack-pattern--41746d12-dfb1-4e7d-bd7e-81678b93b977.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--41746d12-dfb1-4e7d-bd7e-81678b93b977",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.529264Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.301305Z",
 "name": "Different Opcode Sets",
 "description": "Use different opcodes sets (ex: FPU, MMX, SSE) to block emulators.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md",
 "external_id": "B0005.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--41c176c1-6258-4bd4-9518-c2dc433c254c.json b/mbc/attack-pattern/attack-pattern--41c176c1-6258-4bd4-9518-c2dc433c254c.json
index a35a016a..f7912db8 100644
--- a/mbc/attack-pattern/attack-pattern--41c176c1-6258-4bd4-9518-c2dc433c254c.json
+++ b/mbc/attack-pattern/attack-pattern--41c176c1-6258-4bd4-9518-c2dc433c254c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--41c176c1-6258-4bd4-9518-c2dc433c254c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.88026Z",
- "modified": "2022-02-05T00:37:22.804261Z",
+ "modified": "2022-09-08T18:26:13.340536Z",
 "name": "Overflow Buffer",
 "description": "Malware may overflow the buffer for various purposes.",
 "kill_chain_phases": [
@@ -20,8 +20,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/overflow-buffer.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/overflow-buffer.md",
 "external_id": "C0010"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/Conficker"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--4283aa07-89f3-40d8-b45f-87ef48c8a86d.json b/mbc/attack-pattern/attack-pattern--4283aa07-89f3-40d8-b45f-87ef48c8a86d.json
index 88ed5c29..302cccfb 100644
--- a/mbc/attack-pattern/attack-pattern--4283aa07-89f3-40d8-b45f-87ef48c8a86d.json
+++ b/mbc/attack-pattern/attack-pattern--4283aa07-89f3-40d8-b45f-87ef48c8a86d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4283aa07-89f3-40d8-b45f-87ef48c8a86d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.490263Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.282303Z",
 "name": "Check Named System Objects",
 "description": "Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or other places.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6.json b/mbc/attack-pattern/attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6.json
index 64b515cf..44c38e34 100644
--- a/mbc/attack-pattern/attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6.json
+++ b/mbc/attack-pattern/attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.92426Z",
- "modified": "2022-02-05T00:37:22.835477Z",
+ "modified": "2022-09-08T18:26:13.251314Z",
 "name": "Registry Run Keys / Startup Folder",
 "description": "Malware may add an entry to the Windows Registry run keys or startup folder to enable persistence.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/registry-run-startup.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/registry-run-keys-startup-folder.md",
 "external_id": "F0012"
 },
 {
@@ -38,6 +38,46 @@
 {
 "source_name": "external_source",
 "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.secureworks.com/research/cryptolocker-ransomware"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blogs.cisco.com/security/talos/rombertik"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/Conficker"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/WORM_BAGLE.U/"
 }
 ],
 "object_marking_refs": [
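Review bot: The added `external_source` URL for `PE_URSNIF.A2` in the `@@ -38,6 +38,46 @@` hunk for attack-pattern--4294b63a carries a Google Analytics query string (`?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279`), which is browser-session tracking state rather than part of the resource identifier. It should be trimmed to `https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2`, matching the clean form of the `WORM_BAGLE.U/` entry further down; as written, the same page will not deduplicate against other objects and a client-specific analytics identifier ends up in a published dataset. The remaining new entries follow the existing `external_source` shape (`source_name` plus `url`, no `description`), which is consistent with the rest of the file.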
diff --git a/mbc/attack-pattern/attack-pattern--42a50e42-61c1-4eb0-a7a2-f7f278feb391.json b/mbc/attack-pattern/attack-pattern--42a50e42-61c1-4eb0-a7a2-f7f278feb391.json
index 25cf44a3..d52bd5fc 100644
--- a/mbc/attack-pattern/attack-pattern--42a50e42-61c1-4eb0-a7a2-f7f278feb391.json
+++ b/mbc/attack-pattern/attack-pattern--42a50e42-61c1-4eb0-a7a2-f7f278feb391.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--42a50e42-61c1-4eb0-a7a2-f7f278feb391",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:36.062232Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.330913Z",
 "name": "aPLib::Decompress Data",
 "description": "Malware decompresses data using aPLib.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decompress.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decompress-data.md",
 "external_id": "C0025.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--42c0847a-d4e3-497e-9540-c691ae0364c1.json b/mbc/attack-pattern/attack-pattern--42c0847a-d4e3-497e-9540-c691ae0364c1.json
index 1a36185f..2821c8c8 100644
--- a/mbc/attack-pattern/attack-pattern--42c0847a-d4e3-497e-9540-c691ae0364c1.json
+++ b/mbc/attack-pattern/attack-pattern--42c0847a-d4e3-497e-9540-c691ae0364c1.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--42c0847a-d4e3-497e-9540-c691ae0364c1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.707263Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.216564Z",
 "name": "Process detection - Sandboxes",
 "description": "Malware can scan for the process name associated with common analysis tools. Joe Sandbox, etc.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md",
 "external_id": "B0013.007"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--42cea877-6723-4126-a016-6f2b8954eb6b.json b/mbc/attack-pattern/attack-pattern--42cea877-6723-4126-a016-6f2b8954eb6b.json
index ef95e25e..55608fa6 100644
--- a/mbc/attack-pattern/attack-pattern--42cea877-6723-4126-a016-6f2b8954eb6b.json
+++ b/mbc/attack-pattern/attack-pattern--42cea877-6723-4126-a016-6f2b8954eb6b.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--42cea877-6723-4126-a016-6f2b8954eb6b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.60426Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.227398Z",
 "name": "Check for Payload",
- "description": "Check for payload.",
+ "description": "An implant may check with the controller for additional payloads or instructions, sometimes at a regular interval. This is also known as beaconing.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--454163a6-b453-449c-88c1-96919f92705a.json b/mbc/attack-pattern/attack-pattern--454163a6-b453-449c-88c1-96919f92705a.json
index 4111d8ec..43c1c6a8 100644
--- a/mbc/attack-pattern/attack-pattern--454163a6-b453-449c-88c1-96919f92705a.json
+++ b/mbc/attack-pattern/attack-pattern--454163a6-b453-449c-88c1-96919f92705a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--454163a6-b453-449c-88c1-96919f92705a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.91426Z",
- "modified": "2022-02-05T00:37:22.835477Z",
+ "modified": "2022-09-08T18:26:13.255012Z",
 "name": "Malicious Network Driver",
 "description": "Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can re-infect the server if it is restarted (persistence), can infect other machines on the network (lateral movement), and can redirect traffic on the network.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/malicious-network-drv.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/malicious-network-driver.md",
 "external_id": "B0026"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2.json b/mbc/attack-pattern/attack-pattern--45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2.json
index 956ab1a4..5abca2c8 100644
--- a/mbc/attack-pattern/attack-pattern--45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2.json
+++ b/mbc/attack-pattern/attack-pattern--45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.489264Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.281847Z",
 "name": "Check Memory Artifacts",
 "description": "VMware leaves many artifacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognizable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.002"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--45f0c217-fd80-4ce1-a9b1-4a62418162bb.json b/mbc/attack-pattern/attack-pattern--45f0c217-fd80-4ce1-a9b1-4a62418162bb.json
index 7eaee2f9..a8fef7af 100644
--- a/mbc/attack-pattern/attack-pattern--45f0c217-fd80-4ce1-a9b1-4a62418162bb.json
+++ b/mbc/attack-pattern/attack-pattern--45f0c217-fd80-4ce1-a9b1-4a62418162bb.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--45f0c217-fd80-4ce1-a9b1-4a62418162bb",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.521266Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.326471Z",
 "name": "Delayed Execution",
 "description": "Stalling code is typically executed before any malicious behavior. The malware's aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior. This method is very similar to ATT&CK's [Virtualization/Sandbox Evasion: Time Based Evasion](https://attack.mitre.org/techniques/T1497/003/) sub-technique.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md",
 "external_id": "B0003.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--461d88f4-10e9-4db1-b91d-e9a8cd0f8654.json b/mbc/attack-pattern/attack-pattern--461d88f4-10e9-4db1-b91d-e9a8cd0f8654.json
index f54c5fb5..0f00646a 100644
--- a/mbc/attack-pattern/attack-pattern--461d88f4-10e9-4db1-b91d-e9a8cd0f8654.json
+++ b/mbc/attack-pattern/attack-pattern--461d88f4-10e9-4db1-b91d-e9a8cd0f8654.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--461d88f4-10e9-4db1-b91d-e9a8cd0f8654",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.00448Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.3316Z",
 "name": "QuickLZ::Decompress Data",
 "description": "Malware decompresses data using QuickLZ.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decompress.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decompress-data.md",
 "external_id": "C0025.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--46c39f69-1900-4558-9c0d-2d9fe322dd41.json b/mbc/attack-pattern/attack-pattern--46c39f69-1900-4558-9c0d-2d9fe322dd41.json
index 1437dc33..bc9bd0d2 100644
--- a/mbc/attack-pattern/attack-pattern--46c39f69-1900-4558-9c0d-2d9fe322dd41.json
+++ b/mbc/attack-pattern/attack-pattern--46c39f69-1900-4558-9c0d-2d9fe322dd41.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--46c39f69-1900-4558-9c0d-2d9fe322dd41",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.972483Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.363326Z",
 "name": "Open URL::HTTP Communication",
 "description": "HTTP client connects to a URL.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--46d77a13-9d20-4c9c-9846-cf6f298f6836.json b/mbc/attack-pattern/attack-pattern--46d77a13-9d20-4c9c-9846-cf6f298f6836.json
index af22822a..50ddfe5f 100644
--- a/mbc/attack-pattern/attack-pattern--46d77a13-9d20-4c9c-9846-cf6f298f6836.json
+++ b/mbc/attack-pattern/attack-pattern--46d77a13-9d20-4c9c-9846-cf6f298f6836.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--46d77a13-9d20-4c9c-9846-cf6f298f6836",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.606261Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.229208Z",
 "name": "Request Command",
 "description": "Implant requests a command.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.008"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--48018d04-fcd1-4e5d-b29f-6ccf841ae65f.json b/mbc/attack-pattern/attack-pattern--48018d04-fcd1-4e5d-b29f-6ccf841ae65f.json
index 11b39d73..fce169d9 100644
--- a/mbc/attack-pattern/attack-pattern--48018d04-fcd1-4e5d-b29f-6ccf841ae65f.json
+++ b/mbc/attack-pattern/attack-pattern--48018d04-fcd1-4e5d-b29f-6ccf841ae65f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--48018d04-fcd1-4e5d-b29f-6ccf841ae65f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.848263Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.395483Z",
 "name": "GetTickCount::Generate Pseudo-random Sequence",
 "description": "Malware generates a pseudo-random sequence using GetTickCount.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md",
 "external_id": "C0021.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--48964591-554c-420d-896b-89ad16f17eec.json b/mbc/attack-pattern/attack-pattern--48964591-554c-420d-896b-89ad16f17eec.json
index d6282a6d..2a75aa71 100644
--- a/mbc/attack-pattern/attack-pattern--48964591-554c-420d-896b-89ad16f17eec.json
+++ b/mbc/attack-pattern/attack-pattern--48964591-554c-420d-896b-89ad16f17eec.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--48964591-554c-420d-896b-89ad16f17eec",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.52526Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.32831Z",
 "name": "Restart",
 "description": "Restarts or shuts down system to bypass sandboxing.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md",
 "external_id": "B0003.010"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--489d6e43-968b-432d-b89b-e9e4f974423b.json b/mbc/attack-pattern/attack-pattern--489d6e43-968b-432d-b89b-e9e4f974423b.json
index 3405c71a..a23a33d1 100644
--- a/mbc/attack-pattern/attack-pattern--489d6e43-968b-432d-b89b-e9e4f974423b.json
+++ b/mbc/attack-pattern/attack-pattern--489d6e43-968b-432d-b89b-e9e4f974423b.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--489d6e43-968b-432d-b89b-e9e4f974423b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.727262Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.241251Z",
 "name": "Remote Desktop Protocols (RDP)",
 "description": "RDP is used by malware.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md",
 "external_id": "E1203.m01"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4a062538-03cd-44da-a19f-6ed4401a4c36.json b/mbc/attack-pattern/attack-pattern--4a062538-03cd-44da-a19f-6ed4401a4c36.json
index 6c658efc..97397d31 100644
--- a/mbc/attack-pattern/attack-pattern--4a062538-03cd-44da-a19f-6ed4401a4c36.json
+++ b/mbc/attack-pattern/attack-pattern--4a062538-03cd-44da-a19f-6ed4401a4c36.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4a062538-03cd-44da-a19f-6ed4401a4c36",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.972483Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.363582Z",
 "name": "Download URL::HTTP Communication",
 "description": "HTTP client downloads URL to file.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002.006"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4b908d8d-dc10-4114-99e6-8a82fe6a5e7f.json b/mbc/attack-pattern/attack-pattern--4b908d8d-dc10-4114-99e6-8a82fe6a5e7f.json
index 97709bac..b55647e9 100644
--- a/mbc/attack-pattern/attack-pattern--4b908d8d-dc10-4114-99e6-8a82fe6a5e7f.json
+++ b/mbc/attack-pattern/attack-pattern--4b908d8d-dc10-4114-99e6-8a82fe6a5e7f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4b908d8d-dc10-4114-99e6-8a82fe6a5e7f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.510265Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.303372Z",
 "name": "Break Point Clearing",
 "description": "Intentionally clearing software or hardware breakpoints.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a.json b/mbc/attack-pattern/attack-pattern--4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a.json
index 0e0d69d2..b5a539b1 100644
--- a/mbc/attack-pattern/attack-pattern--4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a.json
+++ b/mbc/attack-pattern/attack-pattern--4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.641261Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "modified": "2022-09-08T18:26:13.433182Z",
 "name": "Bootkit",
- "description": "The boot sectors of a hard drive are modified (e.g., Master Boot Record (MBR)). ATT&CK associates bootkits with the Persistence. See ATT&CK: [**Pre-OS Boot: Bootkit**](https://attack.mitre.org/techniques/T1067/).",
+ "description": "The boot sectors of a hard drive are modified (e.g., Master Boot Record (MBR)). ATT&CK associates bootkits with the Persistence. See ATT&CK: **Pre-OS Boot: Bootkit ([T1067](https://attack.mitre.org/techniques/T1067/))**.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
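Review bot: The rewritten `description` on the `+` line of the `@@ -8,9 +8,9 @@` hunk for attack-pattern--4c1c0aca pairs the sub-technique name "Pre-OS Boot: Bootkit" with the legacy id `T1067`; in ATT&CK, T1067 is the retired standalone Bootkit technique and the name shown belongs to sub-technique T1542.003, so the link should presumably be `https://attack.mitre.org/techniques/T1542/003/` — worth confirming against the current ATT&CK release before changing it. The sentence "ATT&CK associates bootkits with the Persistence." also carries a stray article; `ATT&CK associates bootkits with Persistence.` reads correctly. Both problems were already present on the removed line, so they most likely originate in the markdown source the generator reads and should be fixed there as well.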
@@ -24,12 +24,16 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/boot-sector-mod.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/bootkit.md",
 "external_id": "F0013"
 },
 {
 "source_name": "external_source",
 "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--4c1e6e56-1c8d-4bce-b696-68ac83cb33f6.json b/mbc/attack-pattern/attack-pattern--4c1e6e56-1c8d-4bce-b696-68ac83cb33f6.json
index 758429de..924e8212 100644
--- a/mbc/attack-pattern/attack-pattern--4c1e6e56-1c8d-4bce-b696-68ac83cb33f6.json
+++ b/mbc/attack-pattern/attack-pattern--4c1e6e56-1c8d-4bce-b696-68ac83cb33f6.json
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/input-capture.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/input-capture.md",
 "external_id": "E1056.m01"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4c4a5671-e788-40b8-8fd9-56d94ba32901.json b/mbc/attack-pattern/attack-pattern--4c4a5671-e788-40b8-8fd9-56d94ba32901.json
index dad24d1b..6c00204f 100644
--- a/mbc/attack-pattern/attack-pattern--4c4a5671-e788-40b8-8fd9-56d94ba32901.json
+++ b/mbc/attack-pattern/attack-pattern--4c4a5671-e788-40b8-8fd9-56d94ba32901.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4c4a5671-e788-40b8-8fd9-56d94ba32901",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.012443Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.348491Z",
 "name": "Create Directory",
 "description": "Malware creates a directory.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/create-dir.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/create-directory.md",
 "external_id": "C0046"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7.json b/mbc/attack-pattern/attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7.json
index 068f1898..7b01f779 100644
--- a/mbc/attack-pattern/attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7.json
+++ b/mbc/attack-pattern/attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.57126Z",
- "modified": "2022-02-05T00:37:22.585511Z",
+ "modified": "2022-09-08T18:26:13.204156Z",
 "name": "Executable Code Virtualization",
 "description": "Original executable code is virtualized by translating the code into a special format that only a special virtual machine (VM) can run; the VM uses a customized virtual instruction set. A \"stub\" function calls the VM when the code is run. Virtualized code makes static analysis and reverse engineering more difficult; dumped code won\u2019t run without the VM.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-virtualize.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-virtualization.md",
 "external_id": "B0008"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--4ca9173b-10b3-4a35-8507-f6b34fa4fc23.json b/mbc/attack-pattern/attack-pattern--4ca9173b-10b3-4a35-8507-f6b34fa4fc23.json
index c138daca..db4be83a 100644
--- a/mbc/attack-pattern/attack-pattern--4ca9173b-10b3-4a35-8507-f6b34fa4fc23.json
+++ b/mbc/attack-pattern/attack-pattern--4ca9173b-10b3-4a35-8507-f6b34fa4fc23.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4ca9173b-10b3-4a35-8507-f6b34fa4fc23",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.474262Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.320318Z",
 "name": "TIB Aware",
 "description": "Malware may access information in the Thread Information Block (TIB) for debug detection or process obfuscation detection. The TIB can be accessed as an offset of the segment register (e.g., fs:[20h]).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.027"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4ce382af-356c-4906-b6f1-e44b4d71ed02.json b/mbc/attack-pattern/attack-pattern--4ce382af-356c-4906-b6f1-e44b4d71ed02.json
index 912b22ab..908f1a40 100644
--- a/mbc/attack-pattern/attack-pattern--4ce382af-356c-4906-b6f1-e44b4d71ed02.json
+++ b/mbc/attack-pattern/attack-pattern--4ce382af-356c-4906-b6f1-e44b4d71ed02.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4ce382af-356c-4906-b6f1-e44b4d71ed02",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.988483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.383868Z",
 "name": "AES::Decrypt Data",
 "description": "Malware decrypts data encrypted with the AES algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
 "external_id": "C0031.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4d618788-4089-4149-8948-3d3524c766c5.json b/mbc/attack-pattern/attack-pattern--4d618788-4089-4149-8948-3d3524c766c5.json
index b587fee8..3cc6269a 100644
--- a/mbc/attack-pattern/attack-pattern--4d618788-4089-4149-8948-3d3524c766c5.json
+++ b/mbc/attack-pattern/attack-pattern--4d618788-4089-4149-8948-3d3524c766c5.json
@@ -19,7 +19,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md",
 "external_id": "B0011.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4e6169c5-7791-4c39-b6c9-d79628a85448.json b/mbc/attack-pattern/attack-pattern--4e6169c5-7791-4c39-b6c9-d79628a85448.json
index 8d853dea..77fa83b3 100644
--- a/mbc/attack-pattern/attack-pattern--4e6169c5-7791-4c39-b6c9-d79628a85448.json
+++ b/mbc/attack-pattern/attack-pattern--4e6169c5-7791-4c39-b6c9-d79628a85448.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4e6169c5-7791-4c39-b6c9-d79628a85448",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.655262Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "modified": "2022-09-08T18:26:13.428121Z",
 "name": "AMSI Bypass",
 "description": "Malware bypasses AMSI (Anti-malware Scan Interface).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
 "external_id": "F0004.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4e688c01-10a1-41e9-a909-5442531069ac.json b/mbc/attack-pattern/attack-pattern--4e688c01-10a1-41e9-a909-5442531069ac.json
index 6bc9b195..ad2684a1 100644
--- a/mbc/attack-pattern/attack-pattern--4e688c01-10a1-41e9-a909-5442531069ac.json
+++ b/mbc/attack-pattern/attack-pattern--4e688c01-10a1-41e9-a909-5442531069ac.json
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md",
 "external_id": "F0001.007"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4ec39934-4cf3-4e7a-96fb-425ea2f56d15.json b/mbc/attack-pattern/attack-pattern--4ec39934-4cf3-4e7a-96fb-425ea2f56d15.json
index 1577e94d..541db7d1 100644
--- a/mbc/attack-pattern/attack-pattern--4ec39934-4cf3-4e7a-96fb-425ea2f56d15.json
+++ b/mbc/attack-pattern/attack-pattern--4ec39934-4cf3-4e7a-96fb-425ea2f56d15.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4ec39934-4cf3-4e7a-96fb-425ea2f56d15",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.861259Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.346847Z",
 "name": "Alter File Extension",
 "description": "Malware alters a file extension. This could be done for many reasons, including to hide the file or as part of a ransomware's encryption process.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/alter-extend.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/alter-file-extension.md",
 "external_id": "C0015"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4f3bc817-8162-41b5-b617-5c9a261b66e0.json b/mbc/attack-pattern/attack-pattern--4f3bc817-8162-41b5-b617-5c9a261b66e0.json
index 6ae58945..0a5bb4ce 100644
--- a/mbc/attack-pattern/attack-pattern--4f3bc817-8162-41b5-b617-5c9a261b66e0.json
+++ b/mbc/attack-pattern/attack-pattern--4f3bc817-8162-41b5-b617-5c9a261b66e0.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4f3bc817-8162-41b5-b617-5c9a261b66e0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.460262Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.313417Z",
 "name": "Debugger Artifacts",
 "description": "Malware may detect a debugger by its artifact (window title, device driver, exports, etc.).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4f786f90-7679-427a-932b-2d212faffa37.json b/mbc/attack-pattern/attack-pattern--4f786f90-7679-427a-932b-2d212faffa37.json
index 948b57a9..956a073b 100644
--- a/mbc/attack-pattern/attack-pattern--4f786f90-7679-427a-932b-2d212faffa37.json
+++ b/mbc/attack-pattern/attack-pattern--4f786f90-7679-427a-932b-2d212faffa37.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4f786f90-7679-427a-932b-2d212faffa37",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.997443Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.394445Z",
 "name": "Import Public Key::Encryption Key",
 "description": "Malware imports a public key.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/key.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encryption-key.md",
 "external_id": "C0028.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--4f994303-c449-4d22-8ead-5c531a36ecf5.json b/mbc/attack-pattern/attack-pattern--4f994303-c449-4d22-8ead-5c531a36ecf5.json
index d1dcdb7c..5eb7ec0e 100644
--- a/mbc/attack-pattern/attack-pattern--4f994303-c449-4d22-8ead-5c531a36ecf5.json
+++ b/mbc/attack-pattern/attack-pattern--4f994303-c449-4d22-8ead-5c531a36ecf5.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--4f994303-c449-4d22-8ead-5c531a36ecf5",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.498264Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.287427Z",
 "name": "Instruction Testing - SGDT/SLDT (no pill)",
 "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. The No Pill technique relies on the fact that the LDT structure is assigned to a processor not an Operating System. The LDT location on a host machine will be zero and on a virtual machine will be non-zero.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.031"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556.json b/mbc/attack-pattern/attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556.json
index bd80eab8..8e660d2a 100644
--- a/mbc/attack-pattern/attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556.json
+++ b/mbc/attack-pattern/attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/manipulate-network-traffic.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/manipulate-network-traffic.md",
 "external_id": "B0019"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--51147afe-363a-4b8f-8bdd-2f3601c785f1.json b/mbc/attack-pattern/attack-pattern--51147afe-363a-4b8f-8bdd-2f3601c785f1.json
index 3b517a65..322a222f 100644
--- a/mbc/attack-pattern/attack-pattern--51147afe-363a-4b8f-8bdd-2f3601c785f1.json
+++ b/mbc/attack-pattern/attack-pattern--51147afe-363a-4b8f-8bdd-2f3601c785f1.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--51147afe-363a-4b8f-8bdd-2f3601c785f1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.748262Z",
- "modified": "2022-02-05T00:37:22.694887Z",
+ "modified": "2022-09-08T18:26:13.250407Z",
 "name": "Send Poisoned Text Message",
 "description": "A malicious attachment is sent via spam SMS or MMS messages. When the user clicks the link, malware is installed.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/send-poison-text-msg.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/send-poisoned-text-message.md",
 "external_id": "B0021"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd.json b/mbc/attack-pattern/attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd.json
index 8f5876ce..71b7354d 100644
--- a/mbc/attack-pattern/attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd.json
+++ b/mbc/attack-pattern/attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.552264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.207636Z",
 "name": "Disassembler Evasion",
 "description": "Malware code evades disassembly in a recursive or linear disassembler. Some methods apply to both types of disassemblers; others apply to one type and not the other.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md",
 "external_id": "B0012"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--5280b393-729d-43d5-b9e7-81da3d31b450.json b/mbc/attack-pattern/attack-pattern--5280b393-729d-43d5-b9e7-81da3d31b450.json
index f80d89e5..854d676c 100644
--- a/mbc/attack-pattern/attack-pattern--5280b393-729d-43d5-b9e7-81da3d31b450.json
+++ b/mbc/attack-pattern/attack-pattern--5280b393-729d-43d5-b9e7-81da3d31b450.json
@@ -19,7 +19,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/polymorphic-code.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/polymorphic-code.md",
 "external_id": "B0029.002"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce.json b/mbc/attack-pattern/attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce.json
index 8b5bafba..b1eae472 100644
--- a/mbc/attack-pattern/attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce.json
+++ b/mbc/attack-pattern/attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.878261Z",
- "modified": "2022-02-05T00:37:22.804261Z",
+ "modified": "2022-09-08T18:26:13.339979Z",
 "name": "Change Memory Protection",
 "description": "Malware may change memory protection. For example, read-write memory may be changed to read-execute. Changing memory protection may exploits (e.g., bypass Data Execution Prevention).",
 "kill_chain_phases": [
@@ -20,8 +20,16 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/memory-protect.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/change-memory-protection.md",
 "external_id": "C0008"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/resources/synful-knock-acis"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--53354aca-b791-4d12-875c-730f75d9be91.json b/mbc/attack-pattern/attack-pattern--53354aca-b791-4d12-875c-730f75d9be91.json
index 12469c82..c8e0793d 100644
--- a/mbc/attack-pattern/attack-pattern--53354aca-b791-4d12-875c-730f75d9be91.json
+++ b/mbc/attack-pattern/attack-pattern--53354aca-b791-4d12-875c-730f75d9be91.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/move-file.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/move-file.md",
 "external_id": "C0063"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--5389958e-188f-453f-ba90-e886291f200e.json b/mbc/attack-pattern/attack-pattern--5389958e-188f-453f-ba90-e886291f200e.json
index 8cbf8959..3b82173a 100644
--- a/mbc/attack-pattern/attack-pattern--5389958e-188f-453f-ba90-e886291f200e.json
+++ b/mbc/attack-pattern/attack-pattern--5389958e-188f-453f-ba90-e886291f200e.json
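Review bot: The two `external_references` entries added to the Change Memory Protection object carry only `"source_name": "external_source"` and a URL, so a consumer of the bundle cannot tell who published the reference or what it covers without following the link, and nothing survives if the link rots. STIX 2.1 external-reference objects accept a `description`, and a one-line title there (`"description": "<article title placeholder>"`) next to each URL would make the entries self-describing; the existing Wikipedia reference in the Domain Name Generation object uses the same bare `external_source` label, so this may be the generator's convention rather than an oversight and is worth confirming there. The first added URL is on fireeye.com while the second is on mandiant.com; FireEye blog content has been migrating to the Mandiant domain, so it is worth checking that the fireeye.com link still resolves rather than redirecting to a landing page. The same pattern recurs in the `@@ -34,6 +34,14 @@` hunk of `attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d.json` (Domain Name Generation), which adds two more `external_source` entries with URL only.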
@@ -8,7 +8,7 @@
 "id": "attack-pattern--5389958e-188f-453f-ba90-e886291f200e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.705262Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.215097Z",
 "name": "Process detection",
 "description": "Malware can scan for the process name associated with common analysis tools.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md",
 "external_id": "B0013.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4.json b/mbc/attack-pattern/attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4.json
index 2f4dba5c..ac7e493f 100644
--- a/mbc/attack-pattern/attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4.json
+++ b/mbc/attack-pattern/attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.828261Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.361771Z",
 "name": "SMTP Communication",
 "description": "This micro-behavior focuses on SMTP communication.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/smtp-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/smtp-communication.md",
 "external_id": "C0012"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--54782583-3e1e-4e43-a038-882e989e0c0f.json b/mbc/attack-pattern/attack-pattern--54782583-3e1e-4e43-a038-882e989e0c0f.json
new file mode 100644
index 00000000..09f63249
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--54782583-3e1e-4e43-a038-882e989e0c0f.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--7d4d9f29-6098-4b28-99fe-6ec9dfbe0956",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--54782583-3e1e-4e43-a038-882e989e0c0f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.382764Z",
+ "modified": "2022-09-08T18:26:13.382764Z",
+ "name": "Crypto Constant",
+ "description": "The malware contains a known crypto constant.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-constant.md",
+ "external_id": "C0069"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--54c7f1ed-7132-4022-8f3e-3fd4e5b88169.json b/mbc/attack-pattern/attack-pattern--54c7f1ed-7132-4022-8f3e-3fd4e5b88169.json
index e9d5e89a..f42568e8 100644
--- a/mbc/attack-pattern/attack-pattern--54c7f1ed-7132-4022-8f3e-3fd4e5b88169.json
+++ b/mbc/attack-pattern/attack-pattern--54c7f1ed-7132-4022-8f3e-3fd4e5b88169.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/enumerate-threads.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/enumerate-threads.md",
 "external_id": "C0064"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--55040e64-313d-4656-8e1c-1146ff2f47d7.json b/mbc/attack-pattern/attack-pattern--55040e64-313d-4656-8e1c-1146ff2f47d7.json
index 3bde688f..864503a7 100644
--- a/mbc/attack-pattern/attack-pattern--55040e64-313d-4656-8e1c-1146ff2f47d7.json
+++ b/mbc/attack-pattern/attack-pattern--55040e64-313d-4656-8e1c-1146ff2f47d7.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--55040e64-313d-4656-8e1c-1146ff2f47d7",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.547264Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.188687Z",
 "name": "Invoke NTDLL System Calls via Encoded Table",
 "description": "Invokes ntdll.dll functions without using an export table; an encoded translation table on the stack is used instead.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-call-graph.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/call-graph-generation-evasion.md",
 "external_id": "B0010.002"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--5543a067-b312-42fa-8943-f58e3f709332.json b/mbc/attack-pattern/attack-pattern--5543a067-b312-42fa-8943-f58e3f709332.json
index 20b4f249..961a8c6b 100644
--- a/mbc/attack-pattern/attack-pattern--5543a067-b312-42fa-8943-f58e3f709332.json
+++ b/mbc/attack-pattern/attack-pattern--5543a067-b312-42fa-8943-f58e3f709332.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--5543a067-b312-42fa-8943-f58e3f709332",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.506259Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.278463Z",
 "name": "Encrypted Payloads",
 "description": "Decryption key is stored external to the executable or never touches the disk.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-capture.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/capture-evasion.md",
 "external_id": "B0036.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--5625baf5-d4bd-4920-b541-abc2e8466405.json b/mbc/attack-pattern/attack-pattern--5625baf5-d4bd-4920-b541-abc2e8466405.json
index 8e2f4158..bdc6e5e2 100644
--- a/mbc/attack-pattern/attack-pattern--5625baf5-d4bd-4920-b541-abc2e8466405.json
+++ b/mbc/attack-pattern/attack-pattern--5625baf5-d4bd-4920-b541-abc2e8466405.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--5625baf5-d4bd-4920-b541-abc2e8466405",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.845581Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.40463Z",
 "name": "Memory Rootkit",
 "description": "A memory rootkit hids in RAM. Behaviors may include methods to prevent memory access. The lifespan of a memory rootkit is short because it disappears after a system reboot.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md",
 "external_id": "E1014.m17"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--56e26c80-e09f-4a51-8947-3c5a07dd3bf9.json b/mbc/attack-pattern/attack-pattern--56e26c80-e09f-4a51-8947-3c5a07dd3bf9.json
index ad16fd55..41b6b833 100644
--- a/mbc/attack-pattern/attack-pattern--56e26c80-e09f-4a51-8947-3c5a07dd3bf9.json
+++ b/mbc/attack-pattern/attack-pattern--56e26c80-e09f-4a51-8947-3c5a07dd3bf9.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--56e26c80-e09f-4a51-8947-3c5a07dd3bf9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.72626Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.240648Z",
 "name": "Java-based Web Servers",
 "kill_chain_phases": [
 {
@@ -23,7 +23,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md",
 "external_id": "E1203.m02"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--56e97c05-06ca-49f9-bf50-d663993dee22.json b/mbc/attack-pattern/attack-pattern--56e97c05-06ca-49f9-bf50-d663993dee22.json
index cdf73e24..e61e29c7 100644
--- a/mbc/attack-pattern/attack-pattern--56e97c05-06ca-49f9-bf50-d663993dee22.json
+++ b/mbc/attack-pattern/attack-pattern--56e97c05-06ca-49f9-bf50-d663993dee22.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--56e97c05-06ca-49f9-bf50-d663993dee22",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.001445Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.329457Z",
 "name": "Compression Library",
 "description": "Malware uses a compression library.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/compress-lib.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/compression-library.md",
 "external_id": "C0060"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--5706671b-371d-40dd-95ae-d9574ba49291.json b/mbc/attack-pattern/attack-pattern--5706671b-371d-40dd-95ae-d9574ba49291.json
index 2f57ac05..3a987b72 100644
--- a/mbc/attack-pattern/attack-pattern--5706671b-371d-40dd-95ae-d9574ba49291.json
+++ b/mbc/attack-pattern/attack-pattern--5706671b-371d-40dd-95ae-d9574ba49291.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--5706671b-371d-40dd-95ae-d9574ba49291",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.871658Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.210426Z",
 "name": "Parse PE Header",
 "description": "Malware parses the PE header.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/code-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/code-discovery.md",
 "external_id": "B0046.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--574e1bad-081e-43d5-a6e5-665cdc815b8d.json b/mbc/attack-pattern/attack-pattern--574e1bad-081e-43d5-a6e5-665cdc815b8d.json
index 3746eeb5..99a6fd79 100644
--- a/mbc/attack-pattern/attack-pattern--574e1bad-081e-43d5-a6e5-665cdc815b8d.json
+++ b/mbc/attack-pattern/attack-pattern--574e1bad-081e-43d5-a6e5-665cdc815b8d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--574e1bad-081e-43d5-a6e5-665cdc815b8d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.474262Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.320868Z",
 "name": "Timing/Delay Check",
 "description": "Malware may compare time between two points to detect unusual execution, such as the (relative) massive delays introduced by debugging.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.028"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--58245c62-d50e-40d4-b31e-63902657709f.json b/mbc/attack-pattern/attack-pattern--58245c62-d50e-40d4-b31e-63902657709f.json
index cb06855e..bfd72ff8 100644
--- a/mbc/attack-pattern/attack-pattern--58245c62-d50e-40d4-b31e-63902657709f.json
+++ b/mbc/attack-pattern/attack-pattern--58245c62-d50e-40d4-b31e-63902657709f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--58245c62-d50e-40d4-b31e-63902657709f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.029444Z",
- "modified": "2022-02-05T00:37:22.819853Z",
+ "modified": "2022-09-08T18:26:13.401331Z",
 "name": "Set Variable::Environment Variable",
 "description": "Malware sets an environment variable.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/enviro-var.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/environment-variable.md",
 "external_id": "C0034.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--598efe94-7195-42ad-9af8-d1d9c39433ba.json b/mbc/attack-pattern/attack-pattern--598efe94-7195-42ad-9af8-d1d9c39433ba.json
index 83a6305f..9e3de0b8 100644
--- a/mbc/attack-pattern/attack-pattern--598efe94-7195-42ad-9af8-d1d9c39433ba.json
+++ b/mbc/attack-pattern/attack-pattern--598efe94-7195-42ad-9af8-d1d9c39433ba.json
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/cryptocurrency.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/cryptocurrency.md",
 "external_id": "B0028.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--5a28507d-35d5-4a9c-83e0-4ecb9774c23c.json b/mbc/attack-pattern/attack-pattern--5a28507d-35d5-4a9c-83e0-4ecb9774c23c.json
index 4617efb1..c3531c5f 100644
--- a/mbc/attack-pattern/attack-pattern--5a28507d-35d5-4a9c-83e0-4ecb9774c23c.json
+++ b/mbc/attack-pattern/attack-pattern--5a28507d-35d5-4a9c-83e0-4ecb9774c23c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--5a28507d-35d5-4a9c-83e0-4ecb9774c23c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.992483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.38894Z",
 "name": "Camellia::Encrypt Data",
 "description": "Malware encrypts with the Camellia algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
 "external_id": "C0027.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d.json b/mbc/attack-pattern/attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d.json
index 03c93add..102821ce 100644
--- a/mbc/attack-pattern/attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d.json
+++ b/mbc/attack-pattern/attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.611265Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.234033Z",
 "name": "Domain Name Generation",
 "description": "Malware generates the domain name of the controller to which it connects. Access to on the fly domains enables C2 to operate as domains and IP addresses are blocked. The algorithm can be complicated in more advanced implants; understanding the details so that names can be predicted can be useful in mitigation and response.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/domain-name-generate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/domain-name-generation.md",
 "external_id": "B0031"
 },
 {
@@ -34,6 +34,14 @@
 {
 "source_name": "external_source",
 "url": "https://en.wikipedia.org/wiki/Conficker"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.secureworks.com/research/cryptolocker-ransomware"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--5a895abc-11b8-4f33-a05d-47daa38002af.json b/mbc/attack-pattern/attack-pattern--5a895abc-11b8-4f33-a05d-47daa38002af.json
index 2690f52a..5c4948de 100644
--- a/mbc/attack-pattern/attack-pattern--5a895abc-11b8-4f33-a05d-47daa38002af.json
+++ b/mbc/attack-pattern/attack-pattern--5a895abc-11b8-4f33-a05d-47daa38002af.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--5a895abc-11b8-4f33-a05d-47daa38002af",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.550264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.206546Z",
 "name": "Conditional Misdirection",
 "description": "Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; identified by instructions *jmp/jcc to a label+#* (e.g., JNE loc_401345fe+2).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md",
 "external_id": "B0012.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--5aed60b2-8feb-4d3a-a585-b399a41bbc6f.json b/mbc/attack-pattern/attack-pattern--5aed60b2-8feb-4d3a-a585-b399a41bbc6f.json
index d3cd8ab2..382dd8bd 100644
--- a/mbc/attack-pattern/attack-pattern--5aed60b2-8feb-4d3a-a585-b399a41bbc6f.json
+++ b/mbc/attack-pattern/attack-pattern--5aed60b2-8feb-4d3a-a585-b399a41bbc6f.json
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md",
 "external_id": "F0001.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--5b65a982-2a1d-4b32-ad40-b9e05b4d0284.json b/mbc/attack-pattern/attack-pattern--5b65a982-2a1d-4b32-ad40-b9e05b4d0284.json
index 2dfa6f8c..d0564c56 100644
--- a/mbc/attack-pattern/attack-pattern--5b65a982-2a1d-4b32-ad40-b9e05b4d0284.json
+++ b/mbc/attack-pattern/attack-pattern--5b65a982-2a1d-4b32-ad40-b9e05b4d0284.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--5b65a982-2a1d-4b32-ad40-b9e05b4d0284",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.460262Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.313669Z",
 "name": "Hardware Breakpoints",
 "description": "(SEH/GetThreadContext); Debug registers will indicate the presence of a debugger. See for details.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.005" }, { diff --git a/mbc/attack-pattern/attack-pattern--5b93eef5-683e-44cb-b737-0e80feb890d2.json b/mbc/attack-pattern/attack-pattern--5b93eef5-683e-44cb-b737-0e80feb890d2.json index 9cd6ea02..5d4c3b73 100644 --- a/mbc/attack-pattern/attack-pattern--5b93eef5-683e-44cb-b737-0e80feb890d2.json +++ b/mbc/attack-pattern/attack-pattern--5b93eef5-683e-44cb-b737-0e80feb890d2.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-process.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-process.md", "external_id": "C0017.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--5c5601b2-b0ce-4732-a2b2-d45c30efef8c.json b/mbc/attack-pattern/attack-pattern--5c5601b2-b0ce-4732-a2b2-d45c30efef8c.json index 91ee2348..84c67a9c 100644 --- a/mbc/attack-pattern/attack-pattern--5c5601b2-b0ce-4732-a2b2-d45c30efef8c.json +++ b/mbc/attack-pattern/attack-pattern--5c5601b2-b0ce-4732-a2b2-d45c30efef8c.json @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", "external_id": "F0001.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--5c965b91-a0fd-4a85-b688-9be91a7a5aa8.json b/mbc/attack-pattern/attack-pattern--5c965b91-a0fd-4a85-b688-9be91a7a5aa8.json deleted file mode 100644 index 3d818180..00000000 
--- a/mbc/attack-pattern/attack-pattern--5c965b91-a0fd-4a85-b688-9be91a7a5aa8.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--d2f3c668-7812-49f0-a8f7-6f83860c05ba", - "objects": [ - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--5c965b91-a0fd-4a85-b688-9be91a7a5aa8", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Inline Patching", - "description": "Overwrites the first bytes in an API function to redirect code flow.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.002" - } - ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true - } - ] -} \ No newline at end of file diff --git a/mbc/attack-pattern/attack-pattern--5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2.json b/mbc/attack-pattern/attack-pattern--5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2.json index 694bff72..24ba0508 100644 --- a/mbc/attack-pattern/attack-pattern--5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2.json +++ b/mbc/attack-pattern/attack-pattern--5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2.json 
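Review bot: Deleting `attack-pattern--5c965b91-4a85-…` (`Inline Patching`, external id `F0003.002`) outright leaves any STIX relationship object, capa rule, or downstream feed that cites that id or `F0003.002` with a dangling reference, which a STIX 2.1 consumer has no way to distinguish from a corrupt bundle. The STIX convention for a retired object is to keep it and publish a new version with `"revoked": true` (and a fresh `modified`), optionally pointing at its replacement; the SSDT hooking object later in this patch picks up exactly this object's `anti-behavioral-analysis`/`collection`/`credential-access` phases, so if `F0003.002` was folded into `F0015.005` that successor should be recorded, e.g. via an `external_references` entry for the retired id or a `replaced-by`-style relationship. If the repository instead regenerates this bundle wholesale and documents breaking removals in the release notes, say so in the commit message.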
@@ -8,7 +8,7 @@ "id": "attack-pattern--5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.806261Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.379736Z", "name": "Server Connect::DNS Communication", "description": "Connects to DNS server.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", "external_id": "C0011.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--5d116564-0ef7-4791-9a34-e86d81840b49.json b/mbc/attack-pattern/attack-pattern--5d116564-0ef7-4791-9a34-e86d81840b49.json index f375b350..b9027046 100644 --- a/mbc/attack-pattern/attack-pattern--5d116564-0ef7-4791-9a34-e86d81840b49.json +++ b/mbc/attack-pattern/attack-pattern--5d116564-0ef7-4791-9a34-e86d81840b49.json @@ -8,7 +8,7 @@ "id": "attack-pattern--5d116564-0ef7-4791-9a34-e86d81840b49", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.920259Z", - "modified": "2022-02-05T00:37:22.835477Z", + "modified": "2022-09-08T18:26:13.252689Z", "name": "Modify Existing Service", "description": "Malware may modify an existing service to gain persistence. Modification may include disabling a service.", "kill_chain_phases": [ 
@@ -24,12 +24,28 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/modify-service.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/modify-existing-service.md", "external_id": "F0011" }, { "source_name": "external_source", "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + }, + { + "source_name": "external_source", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--5eef016e-6366-41e1-a33d-d85727dd5d65.json b/mbc/attack-pattern/attack-pattern--5eef016e-6366-41e1-a33d-d85727dd5d65.json index 55dec250..00fec5a7 100644 --- a/mbc/attack-pattern/attack-pattern--5eef016e-6366-41e1-a33d-d85727dd5d65.json +++ b/mbc/attack-pattern/attack-pattern--5eef016e-6366-41e1-a33d-d85727dd5d65.json @@ -8,7 +8,7 @@ "id": "attack-pattern--5eef016e-6366-41e1-a33d-d85727dd5d65", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.511265Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.304619Z", "name": "Get Base Indirectly", "description": "CALL to a POP; finds base of code or data, often the packed version of the code; also used often in obfuscated/packed shellcode.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.007" } ], diff --git a/mbc/attack-pattern/attack-pattern--5ef50fb5-9da5-4926-85a6-8049dc0be9b3.json b/mbc/attack-pattern/attack-pattern--5ef50fb5-9da5-4926-85a6-8049dc0be9b3.json index d71b3a36..956dd31b 100644 --- a/mbc/attack-pattern/attack-pattern--5ef50fb5-9da5-4926-85a6-8049dc0be9b3.json +++ b/mbc/attack-pattern/attack-pattern--5ef50fb5-9da5-4926-85a6-8049dc0be9b3.json @@ -8,7 +8,7 @@ "id": "attack-pattern--5ef50fb5-9da5-4926-85a6-8049dc0be9b3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.981483Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.373675Z", "name": "Send TCP Data::Socket Communication", "description": "Send TCP data.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.014" } ], diff --git a/mbc/attack-pattern/attack-pattern--5f35c276-1599-47f2-b4df-468ccfa1e08b.json b/mbc/attack-pattern/attack-pattern--5f35c276-1599-47f2-b4df-468ccfa1e08b.json index 0324a065..52d9c260 100644 --- a/mbc/attack-pattern/attack-pattern--5f35c276-1599-47f2-b4df-468ccfa1e08b.json +++ b/mbc/attack-pattern/attack-pattern--5f35c276-1599-47f2-b4df-468ccfa1e08b.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--5f35c276-1599-47f2-b4df-468ccfa1e08b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.972483Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.362991Z", "name": "Connect to Server::HTTP Communication", "description": "HTTP client connects to HTTP server.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", "external_id": "C0002.009" } ], diff --git a/mbc/attack-pattern/attack-pattern--5f9d93b4-1083-440c-a170-eb181041fc56.json b/mbc/attack-pattern/attack-pattern--5f9d93b4-1083-440c-a170-eb181041fc56.json index 610661d8..f356fbeb 100644 --- a/mbc/attack-pattern/attack-pattern--5f9d93b4-1083-440c-a170-eb181041fc56.json +++ b/mbc/attack-pattern/attack-pattern--5f9d93b4-1083-440c-a170-eb181041fc56.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", "external_id": "C0005.004" } ], diff --git a/mbc/attack-pattern/attack-pattern--603e1968-92e1-41ec-86f1-c2ea0d28b7bf.json b/mbc/attack-pattern/attack-pattern--603e1968-92e1-41ec-86f1-c2ea0d28b7bf.json index ebfac9f9..78be96b1 100644 --- a/mbc/attack-pattern/attack-pattern--603e1968-92e1-41ec-86f1-c2ea0d28b7bf.json +++ b/mbc/attack-pattern/attack-pattern--603e1968-92e1-41ec-86f1-c2ea0d28b7bf.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--603e1968-92e1-41ec-86f1-c2ea0d28b7bf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.38087Z", "name": "SHA1::Cryptographic Hash", "description": "Malware uses a SHA-1 hash.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", "external_id": "C0029.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--6069021d-57ec-403e-b6fc-013b995aa2f0.json b/mbc/attack-pattern/attack-pattern--6069021d-57ec-403e-b6fc-013b995aa2f0.json index d957aea8..0f74df2c 100644 --- a/mbc/attack-pattern/attack-pattern--6069021d-57ec-403e-b6fc-013b995aa2f0.json +++ b/mbc/attack-pattern/attack-pattern--6069021d-57ec-403e-b6fc-013b995aa2f0.json @@ -8,7 +8,7 @@ "id": "attack-pattern--6069021d-57ec-403e-b6fc-013b995aa2f0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.734261Z", - "modified": "2022-02-05T00:37:22.679223Z", + "modified": "2022-09-08T18:26:13.234751Z", "name": "Prevent Concurrent Execution", "description": "To avoid running multiple instances of itself, malware may check a system to see if it is already running.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/prevent-concurrent-exe.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/prevent-concurrent-execution.md", "external_id": "B0024" }, { 
diff --git a/mbc/attack-pattern/attack-pattern--608a4855-fe3a-4bff-a7a2-46db2ffd360b.json b/mbc/attack-pattern/attack-pattern--608a4855-fe3a-4bff-a7a2-46db2ffd360b.json index 519c7a5c..1d043d1b 100644 --- a/mbc/attack-pattern/attack-pattern--608a4855-fe3a-4bff-a7a2-46db2ffd360b.json +++ b/mbc/attack-pattern/attack-pattern--608a4855-fe3a-4bff-a7a2-46db2ffd360b.json @@ -8,7 +8,7 @@ "id": "attack-pattern--608a4855-fe3a-4bff-a7a2-46db2ffd360b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.997443Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.394742Z", "name": "RC4 KSA::Encryption Key", "description": "Malware uses the RC4 Key Scheduling Algorithm (KSA).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/key.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encryption-key.md", "external_id": "C0028.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c.json b/mbc/attack-pattern/attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c.json index dacc499a..e26ee217 100644 --- a/mbc/attack-pattern/attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c.json +++ b/mbc/attack-pattern/attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c.json @@ -8,7 +8,7 @@ "id": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.760262Z", - "modified": "2022-02-05T00:37:22.694887Z", + "modified": "2022-09-08T18:26:13.272846Z", "name": "Archive Collected Data", "description": "Malware may obfuscate data via encryption or encoding before exfiltration.", "kill_chain_phases": [ 
@@ -20,13 +20,16 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", "external_id": "E1560" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1560/", - "external_id": "T1560" + "source_name": "external_source", + "url": "https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d.json b/mbc/attack-pattern/attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d.json index 9a03fd0c..9bf83930 100644 --- a/mbc/attack-pattern/attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d.json +++ b/mbc/attack-pattern/attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d.json @@ -8,7 +8,7 @@ "id": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.504264Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.29353Z", "name": "Virtual Machine Detection", "description": "Detects whether the malware instance is being executed in a virtual machine (VM), such as VMWare. If so, conditional execution selects a benign execution path.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009" }, { 
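Review bot: The new side of this hunk removes the only machine-readable ATT&CK mapping for `Archive Collected Data` — the `{"source_name": "mitre-attack", "external_id": "T1560"}` entry — and replaces it with two `external_source` links, while the object's description (visible in the preceding hunk) is unchanged and never mentions T1560. Tooling that joins MBC to ATT&CK by filtering `external_references` on `source_name == "mitre-attack"` will silently lose the E1560↔T1560 link; elsewhere in this patch (the Steganography object) the ATT&CK IDs are instead put into the prose description, which is not equivalent. If v2.3 intentionally drops the structured mapping, that is a breaking change for consumers and belongs in the commit message; otherwise keep the `mitre-attack` entry alongside the added sources.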
@@ -48,9 +48,8 @@ "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1497/", - "external_id": "T1497" + "source_name": "external_source", + "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--623daf49-2a74-4fd8-a7f0-e11a8475999f.json b/mbc/attack-pattern/attack-pattern--623daf49-2a74-4fd8-a7f0-e11a8475999f.json index 86b67616..8a87ad46 100644 --- a/mbc/attack-pattern/attack-pattern--623daf49-2a74-4fd8-a7f0-e11a8475999f.json +++ b/mbc/attack-pattern/attack-pattern--623daf49-2a74-4fd8-a7f0-e11a8475999f.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md", "external_id": "E1485.m03" } ], diff --git a/mbc/attack-pattern/attack-pattern--62792aba-aba0-4623-b7b7-479bae7d314b.json b/mbc/attack-pattern/attack-pattern--62792aba-aba0-4623-b7b7-479bae7d314b.json index 27331702..317be478 100644 --- a/mbc/attack-pattern/attack-pattern--62792aba-aba0-4623-b7b7-479bae7d314b.json +++ b/mbc/attack-pattern/attack-pattern--62792aba-aba0-4623-b7b7-479bae7d314b.json @@ -8,7 +8,7 @@ "id": "attack-pattern--62792aba-aba0-4623-b7b7-479bae7d314b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.705262Z", - "modified": "2022-02-05T00:37:22.663601Z", + "modified": "2022-09-08T18:26:13.214539Z", "name": "Known Window", "description": "Malware may detect an analysis tool via the presence of a known window.", "kill_chain_phases": [ 
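Review bot: The `mitre-attack` reference to `T1497` is dropped from `Virtual Machine Detection` (B0009) and replaced by a Securelist `external_source` link, so the structured ATT&CK cross-reference is lost in the same way as for E1560 earlier in this patch. If the mapping is meant to survive, it should stay as `{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1497/", "external_id": "T1497"}` next to the new source rather than be overwritten by it. I cannot see the rest of this object's `external_references` array, so if the T1497 entry survives elsewhere in it this note does not apply.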
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", "external_id": "B0013.009" } ], diff --git a/mbc/attack-pattern/attack-pattern--6287eb18-a197-4822-b0f5-99b4237fe18a.json b/mbc/attack-pattern/attack-pattern--6287eb18-a197-4822-b0f5-99b4237fe18a.json index d50e1fdd..a749876e 100644 --- a/mbc/attack-pattern/attack-pattern--6287eb18-a197-4822-b0f5-99b4237fe18a.json +++ b/mbc/attack-pattern/attack-pattern--6287eb18-a197-4822-b0f5-99b4237fe18a.json @@ -8,7 +8,7 @@ "id": "attack-pattern--6287eb18-a197-4822-b0f5-99b4237fe18a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.708261Z", - "modified": "2022-02-05T00:37:22.663601Z", + "modified": "2022-09-08T18:26:13.217002Z", "name": "Process detection - SysInternals Suite Tools", "description": "Malware can scan for the process name associated with common analysis tools. Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", "external_id": "B0013.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530.json b/mbc/attack-pattern/attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530.json index 06d7eaf1..2c2909c4 100644 --- a/mbc/attack-pattern/attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530.json +++ b/mbc/attack-pattern/attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530.json 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/simulate-hardware.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/simulate-hardware.md", "external_id": "C0057" } ], diff --git a/mbc/attack-pattern/attack-pattern--641e7321-439b-4888-8624-f3ceace8465e.json b/mbc/attack-pattern/attack-pattern--641e7321-439b-4888-8624-f3ceace8465e.json index 39f32c25..02e3b3de 100644 --- a/mbc/attack-pattern/attack-pattern--641e7321-439b-4888-8624-f3ceace8465e.json +++ b/mbc/attack-pattern/attack-pattern--641e7321-439b-4888-8624-f3ceace8465e.json @@ -8,7 +8,7 @@ "id": "attack-pattern--641e7321-439b-4888-8624-f3ceace8465e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.404385Z", "name": "Kernel Mode Rootkit", "description": "Rootkit operates by adding or replacing code in OS, device drivers, loadable kernel modules (LKM). Related to ATT&CK: [Kernel Modules and Extensions](https://attack.mitre.org/techniques/T1547/006/)", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md", "external_id": "E1014.m16" } ], diff --git a/mbc/attack-pattern/attack-pattern--6479f655-1a26-4a37-96b4-170c5a57a31d.json b/mbc/attack-pattern/attack-pattern--6479f655-1a26-4a37-96b4-170c5a57a31d.json index 45230e72..78da5791 100644 --- a/mbc/attack-pattern/attack-pattern--6479f655-1a26-4a37-96b4-170c5a57a31d.json +++ b/mbc/attack-pattern/attack-pattern--6479f655-1a26-4a37-96b4-170c5a57a31d.json 
@@ -19,7 +19,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", "external_id": "B0011.006" } ], diff --git a/mbc/attack-pattern/attack-pattern--648530a1-e16b-45c6-ae10-d3d47fc8bcb7.json b/mbc/attack-pattern/attack-pattern--648530a1-e16b-45c6-ae10-d3d47fc8bcb7.json index a33e5a6f..31398f0c 100644 --- a/mbc/attack-pattern/attack-pattern--648530a1-e16b-45c6-ae10-d3d47fc8bcb7.json +++ b/mbc/attack-pattern/attack-pattern--648530a1-e16b-45c6-ae10-d3d47fc8bcb7.json @@ -8,7 +8,7 @@ "id": "attack-pattern--648530a1-e16b-45c6-ae10-d3d47fc8bcb7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.992483Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.389471Z", "name": "HC-128::Encrypt Data", "description": "Malware encrypts with the HC-128 algorithm.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", "external_id": "C0027.006" } ], diff --git a/mbc/attack-pattern/attack-pattern--6495c1d8-c694-4fc0-8063-05f0a42cad27.json b/mbc/attack-pattern/attack-pattern--6495c1d8-c694-4fc0-8063-05f0a42cad27.json index 8011efef..f54508fc 100644 --- a/mbc/attack-pattern/attack-pattern--6495c1d8-c694-4fc0-8063-05f0a42cad27.json +++ b/mbc/attack-pattern/attack-pattern--6495c1d8-c694-4fc0-8063-05f0a42cad27.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--6495c1d8-c694-4fc0-8063-05f0a42cad27", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.988483Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.384191Z", "name": "Block Cipher::Decrypt Data", "description": "Malware decrypts data encrypted with a block cipher.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", "external_id": "C0031.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60.json b/mbc/attack-pattern/attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60.json index 4b4e44bc..c7a4c413 100644 --- a/mbc/attack-pattern/attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60.json +++ b/mbc/attack-pattern/attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md", "external_id": "C0032" } ], diff --git a/mbc/attack-pattern/attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127.json b/mbc/attack-pattern/attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127.json index 68e66406..5d9706e1 100644 --- a/mbc/attack-pattern/attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127.json +++ b/mbc/attack-pattern/attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.530265Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.302403Z", "name": "Emulator Evasion", "description": "Behaviors that obstruct analysis in an emulator.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md", "external_id": "B0005" } ], diff --git a/mbc/attack-pattern/attack-pattern--656e96ac-b245-4c79-8b28-81423fd5d3cf.json b/mbc/attack-pattern/attack-pattern--656e96ac-b245-4c79-8b28-81423fd5d3cf.json index 1519b2e6..1badb305 100644 --- a/mbc/attack-pattern/attack-pattern--656e96ac-b245-4c79-8b28-81423fd5d3cf.json +++ b/mbc/attack-pattern/attack-pattern--656e96ac-b245-4c79-8b28-81423fd5d3cf.json @@ -8,7 +8,7 @@ "id": "attack-pattern--656e96ac-b245-4c79-8b28-81423fd5d3cf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.002478Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.330215Z", "name": "QuickLZ::Compress Data", "description": "Malware compresses data using QuickLZ.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/compress.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/compress-data.md", "external_id": "C0024.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--65ac0031-387e-41f5-8c05-4a7484fa460d.json b/mbc/attack-pattern/attack-pattern--65ac0031-387e-41f5-8c05-4a7484fa460d.json index b45a5830..7cf1ead8 100644 
--- a/mbc/attack-pattern/attack-pattern--65ac0031-387e-41f5-8c05-4a7484fa460d.json +++ b/mbc/attack-pattern/attack-pattern--65ac0031-387e-41f5-8c05-4a7484fa460d.json @@ -19,7 +19,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", "external_id": "B0011.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--6636c8bd-41a4-4a1e-965d-642c08be68db.json b/mbc/attack-pattern/attack-pattern--6636c8bd-41a4-4a1e-965d-642c08be68db.json index 38e4546d..63e6dea5 100644 --- a/mbc/attack-pattern/attack-pattern--6636c8bd-41a4-4a1e-965d-642c08be68db.json +++ b/mbc/attack-pattern/attack-pattern--6636c8bd-41a4-4a1e-965d-642c08be68db.json @@ -8,9 +8,9 @@ "id": "attack-pattern--6636c8bd-41a4-4a1e-965d-642c08be68db", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.651264Z", - "modified": "2022-02-05T00:37:22.616726Z", + "modified": "2022-09-08T18:26:13.424712Z", "name": "Steganography", - "description": "Malware may store information in an image.", + "description": "Malware may store information in an image. See related ATT&CK techniques: Data Obfuscation: Steganography [T1001.002](https://attack.mitre.org/techniques/T1001/002), Obfuscated Files or Information: Steganography ([T1027.003](https://attack.mitre.org/techniques/T1027/003), [T1406.001](https://attack.mitre.org/techniques/T1406/001)).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/covert-location.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/covert-location.md", "external_id": "B0040.002" } ], 
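Review bot: The new `Steganography` description embeds three ATT&CK identifiers as Markdown links in free text, where they are invisible to consumers that resolve cross-references from `external_references`; the established pattern in these bundles is a `{"source_name": "mitre-attack", "url": "…", "external_id": "T1027.003"}` entry per technique, and prose links also rot when attack.mitre.org changes its URL layout. Note too that `T1406.001` appears to be a Mobile ATT&CK technique while the other two are Enterprise, so if they are kept as structured references the distinction should be carried (the `url` already makes it explicit), and a one-line comment in the source markdown explaining why a Windows-centric behavior cites a mobile technique would help the next editor. The `external_references` array of this object sits in the following hunk, outside the lines this change touches.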
diff --git a/mbc/attack-pattern/attack-pattern--664457b6-7f76-4745-a92d-6acbfe3ee384.json b/mbc/attack-pattern/attack-pattern--664457b6-7f76-4745-a92d-6acbfe3ee384.json index f498fbd4..883a0e26 100644 --- a/mbc/attack-pattern/attack-pattern--664457b6-7f76-4745-a92d-6acbfe3ee384.json +++ b/mbc/attack-pattern/attack-pattern--664457b6-7f76-4745-a92d-6acbfe3ee384.json @@ -8,7 +8,7 @@ "id": "attack-pattern--664457b6-7f76-4745-a92d-6acbfe3ee384", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.521266Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.32605Z", "name": "Data Flood", "description": "Overloads a sandbox by generating a flood of meaningless behavioral data.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", "external_id": "B0003.002" }, { diff --git a/mbc/attack-pattern/attack-pattern--665d234f-6c97-4ae2-b43f-18ea89336220.json b/mbc/attack-pattern/attack-pattern--665d234f-6c97-4ae2-b43f-18ea89336220.json index 76236fc6..27acca2a 100644 --- a/mbc/attack-pattern/attack-pattern--665d234f-6c97-4ae2-b43f-18ea89336220.json +++ b/mbc/attack-pattern/attack-pattern--665d234f-6c97-4ae2-b43f-18ea89336220.json @@ -8,7 +8,7 @@ "id": "attack-pattern--665d234f-6c97-4ae2-b43f-18ea89336220", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.973483Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.364475Z", "name": "Send Request::HTTP Communication", "description": "HTTP client sends request (GET).", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", "external_id": "C0002.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c.json b/mbc/attack-pattern/attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c.json index 66ec701f..178cd9c8 100644 --- a/mbc/attack-pattern/attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c.json +++ b/mbc/attack-pattern/attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c.json @@ -8,9 +8,9 @@ "id": "attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.90326Z", - "modified": "2022-02-05T00:37:22.835477Z", + "modified": "2022-09-08T18:26:13.254202Z", "name": "Component Firmware", - "description": "Malware may overwrite the flash memory contents of system BIOS or other firmware. [[1]](#1). Methods related to malware (extending ATT&CK's definitions) are below.", + "description": "Malware may overwrite the flash memory of firmware outside of the main system firmware or BIOS. [[1]](#1). Methods related to malware (extending ATT&CK's definitions) are below.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/component-firmware.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/component-firmware.md", "external_id": "F0009" }, { 
@@ -38,6 +38,14 @@
 {
 "source_name": "external_source",
 "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/resources/synful-knock-acis"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--66995783-bfea-4c72-8fcb-4bdb015dc98f.json b/mbc/attack-pattern/attack-pattern--66995783-bfea-4c72-8fcb-4bdb015dc98f.json
index dc4790bf..cea84cd2 100644
--- a/mbc/attack-pattern/attack-pattern--66995783-bfea-4c72-8fcb-4bdb015dc98f.json
+++ b/mbc/attack-pattern/attack-pattern--66995783-bfea-4c72-8fcb-4bdb015dc98f.json
@@ -8,10 +8,22 @@
 "id": "attack-pattern--66995783-bfea-4c72-8fcb-4bdb015dc98f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.829949Z",
- "modified": "2022-02-05T00:37:22.632387Z",
+ "modified": "2022-09-08T18:26:13.420656Z",
 "name": "System Service Dispatch Table Hooking",
 "description": "Malware (e.g. rootkit, malicious drivers) may hook the system service dispatch table (SSDT), also called the system service descriptor table. The SSDT contains information about the service tables used by the operating system for dispatching system calls. Hooking the SSDT enables malware to hide files, registry keys, and network connections.",
 "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ },
 {
 "kill_chain_name": "mitre-mbc",
 "phase_name": "defense-evasion"
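Review bot: The Palo Alto Networks reference added in the `@@ -38,6 +38,14 @@` hunk for Component Firmware is the only entry in this list with a plain `http://` scheme, so a consumer following it makes an unauthenticated request that can be redirected or rewritten in transit; it should be `"url": "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"` if the host serves it. The new Mandiant entry `synful-knock-acis` also looks like the same article as the existing FireEye `synful_knock_-_acis` entry (the FireEye research blog moved to mandiant.com), so the object now appears to cite one source twice. If the Mandiant URL is the canonical one, the FireEye line should be dropped rather than kept alongside it.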
@@ -28,7 +40,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", "external_id": "F0015.005" }, { diff --git a/mbc/attack-pattern/attack-pattern--66f0b43c-19fd-40b8-ae4f-de356df77371.json b/mbc/attack-pattern/attack-pattern--66f0b43c-19fd-40b8-ae4f-de356df77371.json index 48c0214a..04dae0a3 100644 --- a/mbc/attack-pattern/attack-pattern--66f0b43c-19fd-40b8-ae4f-de356df77371.json +++ b/mbc/attack-pattern/attack-pattern--66f0b43c-19fd-40b8-ae4f-de356df77371.json @@ -8,7 +8,7 @@ "id": "attack-pattern--66f0b43c-19fd-40b8-ae4f-de356df77371", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.994484Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.391868Z", "name": "Sosemanuk::Encrypt Data", "description": "Malware encrypts with the Sosemanuk stream cipher.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", "external_id": "C0027.008" } ], diff --git a/mbc/attack-pattern/attack-pattern--673cfd52-f67e-4fad-80b2-64465de4f7b0.json b/mbc/attack-pattern/attack-pattern--673cfd52-f67e-4fad-80b2-64465de4f7b0.json index 3cb7646b..e868aa32 100644 --- a/mbc/attack-pattern/attack-pattern--673cfd52-f67e-4fad-80b2-64465de4f7b0.json +++ b/mbc/attack-pattern/attack-pattern--673cfd52-f67e-4fad-80b2-64465de4f7b0.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--673cfd52-f67e-4fad-80b2-64465de4f7b0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.973483Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.364749Z", "name": "Send Data::HTTP Communication", "description": "HTTP clients sends data to a server (POST/PUT).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", "external_id": "C0002.005" } ], diff --git a/mbc/attack-pattern/attack-pattern--677563ae-beb5-47f2-b85c-ece6d7c7dc7e.json b/mbc/attack-pattern/attack-pattern--677563ae-beb5-47f2-b85c-ece6d7c7dc7e.json index 2cd1fb19..4164843c 100644 --- a/mbc/attack-pattern/attack-pattern--677563ae-beb5-47f2-b85c-ece6d7c7dc7e.json +++ b/mbc/attack-pattern/attack-pattern--677563ae-beb5-47f2-b85c-ece6d7c7dc7e.json @@ -8,7 +8,7 @@ "id": "attack-pattern--677563ae-beb5-47f2-b85c-ece6d7c7dc7e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.560265Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.193867Z", "name": "Junk Code Insertion", "description": "Insert dummy code between relevant opcodes. Can make signature writing more complex.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", "external_id": "B0032.007" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--683507af-37f1-4db4-a922-d41cceaa8789.json b/mbc/attack-pattern/attack-pattern--683507af-37f1-4db4-a922-d41cceaa8789.json index 51462cf0..5ea32b7d 100644 --- a/mbc/attack-pattern/attack-pattern--683507af-37f1-4db4-a922-d41cceaa8789.json +++ b/mbc/attack-pattern/attack-pattern--683507af-37f1-4db4-a922-d41cceaa8789.json @@ -8,7 +8,7 @@ "id": "attack-pattern--683507af-37f1-4db4-a922-d41cceaa8789", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.472261Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.319233Z", "name": "SeDebugPrivilege", "description": "(Csrss.exe); Using the OpenProcess function on the csrss.exe process can detect a debugger.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.023" }, { diff --git a/mbc/attack-pattern/attack-pattern--68791849-d1ec-436a-983a-b6ca41bea52c.json b/mbc/attack-pattern/attack-pattern--68791849-d1ec-436a-983a-b6ca41bea52c.json index 078ffcb8..17473b23 100644 --- a/mbc/attack-pattern/attack-pattern--68791849-d1ec-436a-983a-b6ca41bea52c.json +++ b/mbc/attack-pattern/attack-pattern--68791849-d1ec-436a-983a-b6ca41bea52c.json @@ -8,7 +8,7 @@ "id": "attack-pattern--68791849-d1ec-436a-983a-b6ca41bea52c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.514301Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.306849Z", "name": "Obfuscate Library Use", "description": "LoadLibrary API calls or direct access of kernel32 via PEB (fs[0]) pointers, used to rebuild IAT or just obfuscate library use.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.016" } ], diff --git a/mbc/attack-pattern/attack-pattern--68d12b85-7712-4572-a801-222a375b7033.json b/mbc/attack-pattern/attack-pattern--68d12b85-7712-4572-a801-222a375b7033.json index b9be54b9..421f46c9 100644 --- a/mbc/attack-pattern/attack-pattern--68d12b85-7712-4572-a801-222a375b7033.json +++ b/mbc/attack-pattern/attack-pattern--68d12b85-7712-4572-a801-222a375b7033.json @@ -8,7 +8,7 @@ "id": "attack-pattern--68d12b85-7712-4572-a801-222a375b7033", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.75826Z", - "modified": "2022-02-05T00:37:22.694887Z", + "modified": "2022-09-08T18:26:13.271576Z", "name": "Encoding - Custom Encoding", "description": "Data is encoded. A custom algorithm is used to encode the exfiltrated data.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", "external_id": "E1560.m04" } ], diff --git a/mbc/attack-pattern/attack-pattern--69154c09-d2ee-4328-9543-1d0c1233df31.json b/mbc/attack-pattern/attack-pattern--69154c09-d2ee-4328-9543-1d0c1233df31.json index e5bf6b8a..085c3899 100644 --- a/mbc/attack-pattern/attack-pattern--69154c09-d2ee-4328-9543-1d0c1233df31.json +++ b/mbc/attack-pattern/attack-pattern--69154c09-d2ee-4328-9543-1d0c1233df31.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--69154c09-d2ee-4328-9543-1d0c1233df31", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.555263Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.191282Z", "name": "Data Value Obfuscation", "description": "Obfuscate data values through indirection of local or global variables. For example, the instruction *if (a == 0) do x* can be obfuscated by setting a global variable, *Z*, to zero and using it in the instruction: *if (a==Z) do x*. [NEEDS REVIEW]", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", "external_id": "B0032.008" } ], diff --git a/mbc/attack-pattern/attack-pattern--69401771-6ed2-45b5-bc81-68444a3dc4c9.json b/mbc/attack-pattern/attack-pattern--69401771-6ed2-45b5-bc81-68444a3dc4c9.json index e73960bd..92da882b 100644 --- a/mbc/attack-pattern/attack-pattern--69401771-6ed2-45b5-bc81-68444a3dc4c9.json +++ b/mbc/attack-pattern/attack-pattern--69401771-6ed2-45b5-bc81-68444a3dc4c9.json @@ -8,7 +8,7 @@ "id": "attack-pattern--69401771-6ed2-45b5-bc81-68444a3dc4c9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.005479Z", - "modified": "2022-02-05T00:37:22.788643Z", + "modified": "2022-09-08T18:26:13.336083Z", "name": "XOR::Encode Data", "description": "Malware may use xor to encode data.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/encode.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/encode-data.md", "external_id": "C0026.002" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--69af89da-bf40-4b9e-93c5-baa8fb937099.json b/mbc/attack-pattern/attack-pattern--69af89da-bf40-4b9e-93c5-baa8fb937099.json index c8f8f268..7def7981 100644 --- a/mbc/attack-pattern/attack-pattern--69af89da-bf40-4b9e-93c5-baa8fb937099.json +++ b/mbc/attack-pattern/attack-pattern--69af89da-bf40-4b9e-93c5-baa8fb937099.json @@ -8,7 +8,7 @@ "id": "attack-pattern--69af89da-bf40-4b9e-93c5-baa8fb937099", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.605266Z", - "modified": "2022-02-05T00:37:22.601096Z", + "modified": "2022-09-08T18:26:13.228965Z", "name": "Receive Data", "description": "Receive data or command from a controller.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", "external_id": "B0030.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--69d4e839-b6ce-4299-b242-83192d6b62c2.json b/mbc/attack-pattern/attack-pattern--69d4e839-b6ce-4299-b242-83192d6b62c2.json index 1b53c844..f992e7df 100644 --- a/mbc/attack-pattern/attack-pattern--69d4e839-b6ce-4299-b242-83192d6b62c2.json +++ b/mbc/attack-pattern/attack-pattern--69d4e839-b6ce-4299-b242-83192d6b62c2.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--69d4e839-b6ce-4299-b242-83192d6b62c2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.485265Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.298083Z", "name": "Screen Resolution Testing", "description": "Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower. No one is actually working on a such small screen. Malware could potentially detect the screen resolution to determine if it's a user machine or a sandbox.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", "external_id": "B0007.006" } ], diff --git a/mbc/attack-pattern/attack-pattern--69df421d-b8ea-49d2-9bd2-9df44aa3ced6.json b/mbc/attack-pattern/attack-pattern--69df421d-b8ea-49d2-9bd2-9df44aa3ced6.json index b2e630d4..a639cfa2 100644 --- a/mbc/attack-pattern/attack-pattern--69df421d-b8ea-49d2-9bd2-9df44aa3ced6.json +++ b/mbc/attack-pattern/attack-pattern--69df421d-b8ea-49d2-9bd2-9df44aa3ced6.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", "external_id": "C0036.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--69f9ba6a-eb9e-4486-ae5e-fb7de1012c90.json b/mbc/attack-pattern/attack-pattern--69f9ba6a-eb9e-4486-ae5e-fb7de1012c90.json index 3652f526..591d3287 100644 --- a/mbc/attack-pattern/attack-pattern--69f9ba6a-eb9e-4486-ae5e-fb7de1012c90.json 
+++ b/mbc/attack-pattern/attack-pattern--69f9ba6a-eb9e-4486-ae5e-fb7de1012c90.json @@ -8,7 +8,7 @@ "id": "attack-pattern--69f9ba6a-eb9e-4486-ae5e-fb7de1012c90", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.72626Z", - "modified": "2022-02-05T00:37:22.679223Z", + "modified": "2022-09-08T18:26:13.240318Z", "name": "File Transfer Protocol (FTP) Servers", "description": "Malware leverages an FTP server.", "kill_chain_phases": [ @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md", "external_id": "E1203.m03" } ], diff --git a/mbc/attack-pattern/attack-pattern--6a54a038-71b7-4b4c-87c2-2e5b433404af.json b/mbc/attack-pattern/attack-pattern--6a54a038-71b7-4b4c-87c2-2e5b433404af.json index 9bde5450..42588323 100644 --- a/mbc/attack-pattern/attack-pattern--6a54a038-71b7-4b4c-87c2-2e5b433404af.json +++ b/mbc/attack-pattern/attack-pattern--6a54a038-71b7-4b4c-87c2-2e5b433404af.json @@ -8,7 +8,7 @@ "id": "attack-pattern--6a54a038-71b7-4b4c-87c2-2e5b433404af", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.551264Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.207132Z", "name": "Value Dependent Jumps", "description": "Explicit use of computed values for control flow, often many times in the same basic block or function.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md", "external_id": "B0012.003" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--6a958b33-6517-459c-afda-7f4f490ac15d.json b/mbc/attack-pattern/attack-pattern--6a958b33-6517-459c-afda-7f4f490ac15d.json index b650b274..88e332e3 100644 --- a/mbc/attack-pattern/attack-pattern--6a958b33-6517-459c-afda-7f4f490ac15d.json +++ b/mbc/attack-pattern/attack-pattern--6a958b33-6517-459c-afda-7f4f490ac15d.json @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md", "external_id": "E1564.m04" } ], diff --git a/mbc/attack-pattern/attack-pattern--6ac62da2-e142-4fca-afba-bc0a0722cefc.json b/mbc/attack-pattern/attack-pattern--6ac62da2-e142-4fca-afba-bc0a0722cefc.json index 57342c86..01d27b04 100644 --- a/mbc/attack-pattern/attack-pattern--6ac62da2-e142-4fca-afba-bc0a0722cefc.json +++ b/mbc/attack-pattern/attack-pattern--6ac62da2-e142-4fca-afba-bc0a0722cefc.json @@ -8,7 +8,7 @@ "id": "attack-pattern--6ac62da2-e142-4fca-afba-bc0a0722cefc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.87426Z", - "modified": "2022-02-05T00:37:22.804261Z", + "modified": "2022-09-08T18:26:13.340987Z", "name": "Heap Spray", "description": "Malware may use heap spraying to write a sequence of bytes on the heap section of a process.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/heapspray.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/heap-spray.md", "external_id": "C0006" } ], diff --git a/mbc/attack-pattern/attack-pattern--6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d.json b/mbc/attack-pattern/attack-pattern--6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d.json index e322c1e8..bdde2dff 100644 
--- a/mbc/attack-pattern/attack-pattern--6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d.json +++ b/mbc/attack-pattern/attack-pattern--6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d.json @@ -8,7 +8,7 @@ "id": "attack-pattern--6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.638268Z", - "modified": "2022-02-05T00:37:22.616726Z", + "modified": "2022-09-08T18:26:13.434125Z", "name": "Registry Install", "description": "Stores itself in the Windows registry.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/alter-install-location.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/alternative-installation-location.md", "external_id": "B0027.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--6dfa5d14-e016-4572-a2c9-ca4f697c7a14.json b/mbc/attack-pattern/attack-pattern--6dfa5d14-e016-4572-a2c9-ca4f697c7a14.json index 7ab47c25..f3dd9cfb 100644 --- a/mbc/attack-pattern/attack-pattern--6dfa5d14-e016-4572-a2c9-ca4f697c7a14.json +++ b/mbc/attack-pattern/attack-pattern--6dfa5d14-e016-4572-a2c9-ca4f697c7a14.json @@ -19,7 +19,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", "external_id": "B0011.004" } ], diff --git a/mbc/attack-pattern/attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0.json b/mbc/attack-pattern/attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0.json index e4a525fd..b372bd87 100644 --- a/mbc/attack-pattern/attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0.json +++ b/mbc/attack-pattern/attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0.json 
@@ -8,7 +8,7 @@
 "id": "attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.997443Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.394983Z",
 "name": "Encryption Key",
 "description": "Malware may import, generate, or otherwise use an encryption key.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/key.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encryption-key.md",
 "external_id": "C0028"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--6e6d534f-57ae-49cd-be41-0b6a77fbb6fb.json b/mbc/attack-pattern/attack-pattern--6e6d534f-57ae-49cd-be41-0b6a77fbb6fb.json
index 42b3e518..d6926682 100644
--- a/mbc/attack-pattern/attack-pattern--6e6d534f-57ae-49cd-be41-0b6a77fbb6fb.json
+++ b/mbc/attack-pattern/attack-pattern--6e6d534f-57ae-49cd-be41-0b6a77fbb6fb.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--6e6d534f-57ae-49cd-be41-0b6a77fbb6fb",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.783046Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.227923Z",
 "name": "Execute File",
- "description": "Execute/run/open the file using default operating system functionality, optionally with provided command-line arguments. The file may or may not already exist on the victim.",
+ "description": "Execute/run/open the file using default operating system functionality, optionally with provided command-and-scripting-interpreter arguments. The file may or may not already exist on the victim.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
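Review bot: The reworded description in the `@@ -8,9 +8,9 @@` hunk for Execute File now reads `optionally with provided command-and-scripting-interpreter arguments`, which is not a meaningful phrase; it looks like a bulk replacement of `command-line` (in line with the v2.3 markdown path renames elsewhere in this commit) that leaked into prose. The sentence should keep `optionally with provided command-line arguments`, since it describes how the file is launched rather than the Command and Scripting Interpreter behavior. The object's `external_references` are in a later hunk and are unaffected.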
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", "external_id": "B0030.013" } ], diff --git a/mbc/attack-pattern/attack-pattern--6e892e5f-0d39-4e58-9a69-1ff8cc479291.json b/mbc/attack-pattern/attack-pattern--6e892e5f-0d39-4e58-9a69-1ff8cc479291.json index c1d1cb25..6fcd90ad 100644 --- a/mbc/attack-pattern/attack-pattern--6e892e5f-0d39-4e58-9a69-1ff8cc479291.json +++ b/mbc/attack-pattern/attack-pattern--6e892e5f-0d39-4e58-9a69-1ff8cc479291.json @@ -8,7 +8,7 @@ "id": "attack-pattern--6e892e5f-0d39-4e58-9a69-1ff8cc479291", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.497264Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.287106Z", "name": "Instruction Testing - RDTSC", "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.036" }, { diff --git a/mbc/attack-pattern/attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3.json b/mbc/attack-pattern/attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3.json index d9eb7fde..fdf08bef 100644 --- a/mbc/attack-pattern/attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3.json +++ b/mbc/attack-pattern/attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.809259Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.376956Z", "name": "FTP Communication", "description": "The FTP Communication micro-behavior focuses on FTP communication.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/ftp-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/ftp-communication.md", "external_id": "C0004" } ], diff --git a/mbc/attack-pattern/attack-pattern--6c07f7cb-fd9d-4acf-9b99-b15ecafc8dca.json b/mbc/attack-pattern/attack-pattern--6f73f473-5fb0-4777-a951-6de90d9ea01f.json similarity index 76% rename from mbc/attack-pattern/attack-pattern--6c07f7cb-fd9d-4acf-9b99-b15ecafc8dca.json rename to mbc/attack-pattern/attack-pattern--6f73f473-5fb0-4777-a951-6de90d9ea01f.json index 6e4fbac8..6c515c13 100644 --- a/mbc/attack-pattern/attack-pattern--6c07f7cb-fd9d-4acf-9b99-b15ecafc8dca.json +++ b/mbc/attack-pattern/attack-pattern--6f73f473-5fb0-4777-a951-6de90d9ea01f.json 
@@ -1,14 +1,14 @@
 {
 "type": "bundle",
- "id": "bundle--f2e0a3e1-acf2-423e-a4d7-7049d176588b",
+ "id": "bundle--c417ae5a-8ed5-44b5-845e-b52550b85a2b",
 "objects": [
 {
 "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "attack-pattern--6c07f7cb-fd9d-4acf-9b99-b15ecafc8dca",
+ "id": "attack-pattern--6f73f473-5fb0-4777-a951-6de90d9ea01f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.784263Z",
- "modified": "2022-02-05T00:37:22.71051Z",
+ "created": "2022-09-08T18:26:13.257558Z",
+ "modified": "2022-09-08T18:26:13.257558Z",
 "name": "Advertisement Replacement Fraud",
 "description": "Malware injects ad windows onto websites the user views.",
 "kill_chain_phases": [
@@ -20,8 +20,8 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/generate-fraud-rev.md",
- "external_id": "E1472.m02"
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/generate-traffic-from-victim.md",
+ "external_id": "E1643.m02"
 },
 {
 "source_name": "external_source",
diff --git a/mbc/attack-pattern/attack-pattern--6ffd281c-acc5-4543-9fb5-aa0002339ea8.json b/mbc/attack-pattern/attack-pattern--6ffd281c-acc5-4543-9fb5-aa0002339ea8.json
index f2267d58..44f69c3d 100644
--- a/mbc/attack-pattern/attack-pattern--6ffd281c-acc5-4543-9fb5-aa0002339ea8.json
+++ b/mbc/attack-pattern/attack-pattern--6ffd281c-acc5-4543-9fb5-aa0002339ea8.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--6ffd281c-acc5-4543-9fb5-aa0002339ea8",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.981483Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.373159Z",
 "name": "Get Socket Status::Socket Communication",
 "description": "Get socket status.",
 "kill_chain_phases": [
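Review bot: The `@@ -1,14 +1,14 @@` hunk gives Advertisement Replacement Fraud a brand-new STIX id (`attack-pattern--6f73f473-…`) and a fresh `created` timestamp instead of updating the existing object `attack-pattern--6c07f7cb-…`, so to a STIX consumer this is a new object and the old one silently disappears rather than being superseded. If anything in the repository or downstream (relationship objects, analyst notes keyed on the old id) references the old identifier, it now dangles. STIX 2.1 covers this case either by emitting a final version of the old object with `"revoked": true`, or, if the only substantive change is the external_id moving from E1472.m02 to E1643.m02 as the second hunk shows, by keeping the original id and bumping `modified`. Worth confirming that whatever produced this diff intends an id change for every behavior re-homed in MBC v2.3, since the same rename pattern appears in the diffstat for other files.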
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.012" } ], diff --git a/mbc/attack-pattern/attack-pattern--7069df4d-92ef-4a18-b5a5-bf27dc9ef446.json b/mbc/attack-pattern/attack-pattern--7069df4d-92ef-4a18-b5a5-bf27dc9ef446.json index e061e652..4981da9a 100644 --- a/mbc/attack-pattern/attack-pattern--7069df4d-92ef-4a18-b5a5-bf27dc9ef446.json +++ b/mbc/attack-pattern/attack-pattern--7069df4d-92ef-4a18-b5a5-bf27dc9ef446.json @@ -8,7 +8,7 @@ "id": "attack-pattern--7069df4d-92ef-4a18-b5a5-bf27dc9ef446", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.644261Z", - "modified": "2022-02-05T00:37:22.616726Z", + "modified": "2022-09-08T18:26:13.402654Z", "name": "Bypass Data Execution Prevention", "description": "Malware may bypass Data Execution Prevention (DEP).", "kill_chain_phases": [ @@ -20,12 +20,16 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/bypass-dep.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/bypass-data-execution-prevention.md", "external_id": "B0037" }, { "source_name": "external_source", "url": "https://medium.com/cybersecurityservices/dep-bypass-using-rop-chains-garima-chopra-e8b3361e50ce" + }, + { + "source_name": "external_source", + "url": "https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--70de257e-38ed-4422-864b-3b6d74aa5fab.json b/mbc/attack-pattern/attack-pattern--70de257e-38ed-4422-864b-3b6d74aa5fab.json index 34ac59ec..0164be18 100644 
--- a/mbc/attack-pattern/attack-pattern--70de257e-38ed-4422-864b-3b6d74aa5fab.json +++ b/mbc/attack-pattern/attack-pattern--70de257e-38ed-4422-864b-3b6d74aa5fab.json @@ -8,7 +8,7 @@ "id": "attack-pattern--70de257e-38ed-4422-864b-3b6d74aa5fab", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.381177Z", "name": "SHA224::Cryptographic Hash", "description": "Malware uses a SHA-224 hash.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", "external_id": "C0029.004" } ], diff --git a/mbc/attack-pattern/attack-pattern--71d88456-13b6-48de-b779-e6ff71aa3b5e.json b/mbc/attack-pattern/attack-pattern--71d88456-13b6-48de-b779-e6ff71aa3b5e.json index fb97f950..c2f0452c 100644 --- a/mbc/attack-pattern/attack-pattern--71d88456-13b6-48de-b779-e6ff71aa3b5e.json +++ b/mbc/attack-pattern/attack-pattern--71d88456-13b6-48de-b779-e6ff71aa3b5e.json @@ -8,7 +8,7 @@ "id": "attack-pattern--71d88456-13b6-48de-b779-e6ff71aa3b5e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.538265Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.276528Z", "name": "SizeOfImage", "description": "Set the SizeOfImage field of PEB.LoaderData to be huge.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", "external_id": "B0006.004" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--73478759-d9de-4bbd-a687-081c5f00c935.json b/mbc/attack-pattern/attack-pattern--73478759-d9de-4bbd-a687-081c5f00c935.json index 25f48312..9684f28c 100644 --- a/mbc/attack-pattern/attack-pattern--73478759-d9de-4bbd-a687-081c5f00c935.json +++ b/mbc/attack-pattern/attack-pattern--73478759-d9de-4bbd-a687-081c5f00c935.json @@ -8,7 +8,7 @@ "id": "attack-pattern--73478759-d9de-4bbd-a687-081c5f00c935", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.550264Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.206796Z", "name": "VBA Stomping", "description": "Typically, VBA source code is compiled into p-code, which is stored with compressed sourced code in the OLE file with VBA macros. VBA Stomping - when the VBA source code is removed and only the p-code remains - makes analysis much harder. See for an analysis of a VBA-Stomped malicious VBA Office document. See for information on Evil Clippy, a tool that creates malicious MS Office documents.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md", "external_id": "B0012.005" }, { diff --git a/mbc/attack-pattern/attack-pattern--73482bd3-d3d1-4f57-a5ac-59bf22866f16.json b/mbc/attack-pattern/attack-pattern--73482bd3-d3d1-4f57-a5ac-59bf22866f16.json index 1ffa3496..1bf1b26a 100644 --- a/mbc/attack-pattern/attack-pattern--73482bd3-d3d1-4f57-a5ac-59bf22866f16.json +++ b/mbc/attack-pattern/attack-pattern--73482bd3-d3d1-4f57-a5ac-59bf22866f16.json 
@@ -8,9 +8,9 @@
 "id": "attack-pattern--73482bd3-d3d1-4f57-a5ac-59bf22866f16",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.928367Z",
- "modified": "2022-02-05T00:37:22.71051Z",
+ "modified": "2022-09-08T18:26:13.269346Z",
 "name": "Disk Wipe",
- "description": "Malware may erase the content of storage devices. This behavior is different than [Data Destruction](https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md) because sections of the disk are erased rather than individual files.",
+ "description": "Malware may erase the content of storage devices. This behavior is different than **Data Destruction ([E1485](https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md))** because sections of the disk are erased rather than individual files.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,8 +20,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/disk-wipe.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/disk-wipe.md",
 "external_id": "F0014"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=281521ea-2d18-4bf9-9e88-8b1dc41cfdb6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200.json b/mbc/attack-pattern/attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200.json
index 6279c233..72539871 100644
--- a/mbc/attack-pattern/attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200.json
+++ b/mbc/attack-pattern/attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.739261Z",
- "modified": "2022-02-05T00:37:22.694887Z",
+ "modified": "2022-09-08T18:26:13.239557Z",
 "name": "Remote Commands",
- "description": "Malware may provide an attacker with explicit commands. This behavior differs from the [Remote Access](https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/remote-access.md) behavior under the [Impact](https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact) objective in that *Impact: Remote Access* is potentially much broader and may include full remote access.",
+ "description": "Malware may provide an attacker with explicit commands. This behavior differs from the **Remote Access ([B0022](https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/remote-access.md))** behavior under the [Impact](https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact) objective in that *Impact: Remote Access* is potentially much broader and may include full remote access.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,8 +20,20 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md",
 "external_id": "B0011"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--741edcac-607c-4ebf-a8d0-928e02fe1461.json b/mbc/attack-pattern/attack-pattern--741edcac-607c-4ebf-a8d0-928e02fe1461.json
index 9ba7db2b..a492a188 100644
--- a/mbc/attack-pattern/attack-pattern--741edcac-607c-4ebf-a8d0-928e02fe1461.json
+++ b/mbc/attack-pattern/attack-pattern--741edcac-607c-4ebf-a8d0-928e02fe1461.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--741edcac-607c-4ebf-a8d0-928e02fe1461",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.974485Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.365539Z",
 "name": "Get Response::HTTP Communication",
 "description": "HTTP client receives response.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002.017"
 }
 ],
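Review bot: The new Trend Micro reference in the Remote Commands (B0011) hunk carries a `?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279` query string, which appears to be a Google Analytics cross-domain linker value (a per-browser client identifier) captured from the curator's session rather than part of the resource locator. It should be stripped before publishing so the STIX bundle neither leaks that identifier nor depends on a tracking parameter to resolve: `"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM"`. The other two added references look like clean canonical URLs.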
diff --git a/mbc/attack-pattern/attack-pattern--74d536e7-5fb3-4633-8f42-ca413aa2beea.json b/mbc/attack-pattern/attack-pattern--74d536e7-5fb3-4633-8f42-ca413aa2beea.json
index bb5c4978..66ce6f86 100644
--- a/mbc/attack-pattern/attack-pattern--74d536e7-5fb3-4633-8f42-ca413aa2beea.json
+++ b/mbc/attack-pattern/attack-pattern--74d536e7-5fb3-4633-8f42-ca413aa2beea.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md",
 "external_id": "E1485.m04"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--74f89ee2-f4c0-4221-8951-e3a8f1fc449b.json b/mbc/attack-pattern/attack-pattern--74f89ee2-f4c0-4221-8951-e3a8f1fc449b.json
index 2f162302..837a1f69 100644
--- a/mbc/attack-pattern/attack-pattern--74f89ee2-f4c0-4221-8951-e3a8f1fc449b.json
+++ b/mbc/attack-pattern/attack-pattern--74f89ee2-f4c0-4221-8951-e3a8f1fc449b.json
@@ -19,7 +19,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/polymorphic-code.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/polymorphic-code.md",
 "external_id": "B0029.003"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--75109dae-5db7-4582-be8b-edcea907659d.json b/mbc/attack-pattern/attack-pattern--75109dae-5db7-4582-be8b-edcea907659d.json
index 4a952164..b67c6cfa 100644
--- a/mbc/attack-pattern/attack-pattern--75109dae-5db7-4582-be8b-edcea907659d.json
+++ b/mbc/attack-pattern/attack-pattern--75109dae-5db7-4582-be8b-edcea907659d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--75109dae-5db7-4582-be8b-edcea907659d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.522264Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.326984Z",
 "name": "Drop Code",
 "description": "Original file is written to disk then executed. May confuse some sandboxes, especially if the dropped executable must be provided specific arguments and the original dropper is not associated with the drop file(s).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md",
 "external_id": "B0003.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a.json b/mbc/attack-pattern/attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2.json
similarity index 63%
rename from mbc/attack-pattern/attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a.json
rename to mbc/attack-pattern/attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2.json
index 3693ec56..845a8c1d 100644
--- a/mbc/attack-pattern/attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a.json
+++ b/mbc/attack-pattern/attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2.json
@@ -1,16 +1,16 @@
 {
 "type": "bundle",
- "id": "bundle--9267b774-9ab8-4cb3-be9e-df0eb6650595",
+ "id": "bundle--ab609f96-54da-40a9-9437-ab131165c27c",
 "objects": [
 {
 "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a",
+ "id": "attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.785261Z",
- "modified": "2022-02-05T00:37:22.71051Z",
- "name": "Generate Fraudulent Advertising Revenue",
- "description": "Malware may generate advertising revenue by generating clicks of advertising links. The ATT&CK technique, [Generate Fraudulent Advertising Revenue](https://attack.mitre.org/techniques/T1472/), pertains only to mobile platform, but the behavior is applicable to other platforms as well.",
+ "created": "2022-09-08T18:26:13.258158Z",
+ "modified": "2022-09-08T18:26:13.258158Z",
+ "name": "Generate Traffic from Victim",
+ "description": "Malware may generate traffic from the victim system such as clicks of advertising links that generate fraudulent ad revenue. The ATT&CK technique, **Generate Traffic from Victim ([T1643](https://attack.mitre.org/techniques/T1643/))**, is only associated with the mobile platform, but the behavior is applicable to other platforms as well.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,8 +20,8 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/generate-fraud-rev.md",
- "external_id": "E1472"
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/generate-traffic-from-victim.md",
+ "external_id": "E1643"
 },
 {
 "source_name": "external_source",
@@ -38,11 +38,6 @@
 {
 "source_name": "external_source",
 "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan"
- },
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1472/",
- "external_id": "T1472"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--758df510-b765-4172-94ad-70561cd0ef62.json b/mbc/attack-pattern/attack-pattern--758df510-b765-4172-94ad-70561cd0ef62.json
index 09d8db56..c520edd5 100644
--- a/mbc/attack-pattern/attack-pattern--758df510-b765-4172-94ad-70561cd0ef62.json
+++ b/mbc/attack-pattern/attack-pattern--758df510-b765-4172-94ad-70561cd0ef62.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--758df510-b765-4172-94ad-70561cd0ef62",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.534261Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.275085Z",
 "name": "Feed Misinformation",
 "description": "API behavior can be altered to prevent memory dumps. For example, inaccurate data can be reported when the contents of the physical memory of the system on which the malware instance is executing is retrieved. See [Hooking](../credential-access/hooking.md).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md",
 "external_id": "B0006.008"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779.json b/mbc/attack-pattern/attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779.json
index b56de65d..9c9c7535 100644
--- a/mbc/attack-pattern/attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779.json
+++ b/mbc/attack-pattern/attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779.json
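Review bot: The renamed object (attack-pattern--7533526d, E1643) now cites ATT&CK T1643 only inside the description's markdown, because this hunk deletes the `mitre-attack` reference to T1472 and neither hunk of the file adds a `mitre-attack` entry for T1643, so any consumer that maps MBC to ATT&CK through `external_references` loses the machine-readable link. If the ATT&CK mapping is still intended, add `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1643/", "external_id": "T1643" }` next to the existing entries; if dropping these references is a deliberate corpus-wide change in v2.3, the commit message should say so. Separately, the old object attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a disappears via file rename and the `created` timestamp is reset, rather than the old id being retained with `"revoked": true` as STIX 2.1's versioning guidance suggests, so relationships or reports that still point at the old id will dangle; shipping the old object as revoked (or at least documenting the id change) would let downstream tooling migrate.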
@@ -8,7 +8,7 @@
 "id": "attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.598261Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.224843Z",
 "name": "Keylogging",
 "description": "Malware captures user keyboard input.",
 "kill_chain_phases": [
@@ -24,8 +24,28 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/keylogging.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/keylogging.md",
 "external_id": "F0002"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--76206161-2e14-48a0-9191-998ef774b345.json b/mbc/attack-pattern/attack-pattern--76206161-2e14-48a0-9191-998ef774b345.json
index 220e6462..999b62dd 100644
--- a/mbc/attack-pattern/attack-pattern--76206161-2e14-48a0-9191-998ef774b345.json
+++ b/mbc/attack-pattern/attack-pattern--76206161-2e14-48a0-9191-998ef774b345.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--76206161-2e14-48a0-9191-998ef774b345",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.607265Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.230394Z",
 "name": "Send Heartbeat",
 "description": "Heartbeat sent.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.007"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--763fa6dd-331c-4c07-bc09-00f40cc958cc.json b/mbc/attack-pattern/attack-pattern--763fa6dd-331c-4c07-bc09-00f40cc958cc.json
index dfd25082..f052bd4a 100644
--- a/mbc/attack-pattern/attack-pattern--763fa6dd-331c-4c07-bc09-00f40cc958cc.json
+++ b/mbc/attack-pattern/attack-pattern--763fa6dd-331c-4c07-bc09-00f40cc958cc.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--763fa6dd-331c-4c07-bc09-00f40cc958cc",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.981483Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.372652Z",
 "name": "Create TCP Socket::Socket Communication",
 "description": "A TCP socket is created.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md",
 "external_id": "C0001.011"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9.json b/mbc/attack-pattern/attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9.json
index 1ed2836c..d3b8adfa 100644
--- a/mbc/attack-pattern/attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9.json
+++ b/mbc/attack-pattern/attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.729261Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.242142Z",
 "name": "Exploitation for Client Execution",
 "description": "Software is exploited - either because of a vulnerability or through its designed features - to gain access for malware. In general, exploitation may be done by a human attacker, but MBC focuses on software exploits implemented in code. Malware-specific details are below.",
 "kill_chain_phases": [
@@ -24,17 +24,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md",
 "external_id": "E1203"
 },
 {
 "source_name": "external_source",
 "url": "https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/"
- },
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1203",
- "external_id": "T1203"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc.json b/mbc/attack-pattern/attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc.json
index b8468537..145197ba 100644
--- a/mbc/attack-pattern/attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc.json
+++ b/mbc/attack-pattern/attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc.json
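Review bot: The `@@ -24,17 +24,12 @@` hunk removes the only `mitre-attack` entry (T1203) from Exploitation for Client Execution while the object keeps its ATT&CK-derived id E1203 and a v2.3 page named after the ATT&CK technique, which leaves no machine-readable ATT&CK cross-reference in `external_references`. If ATT&CK linkage is now meant to live only in the markdown pages, a sentence in the commit description would make that explicit for STIX consumers; otherwise restore `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" }` in the list.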
@@ -8,7 +8,7 @@
 "id": "attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.550264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.20628Z",
 "name": "Argument Obfuscation",
 "description": "Simple number or string arguments to API calls are calculated at runtime, making linear disassembly more difficult.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md",
 "external_id": "B0012.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--7781ebfd-13bd-4a00-9c51-ed98a45f8749.json b/mbc/attack-pattern/attack-pattern--7781ebfd-13bd-4a00-9c51-ed98a45f8749.json
new file mode 100644
index 00000000..a9cc73a4
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--7781ebfd-13bd-4a00-9c51-ed98a45f8749.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--81f82518-0d1d-4080-a08d-6534afcaf3e1",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7781ebfd-13bd-4a00-9c51-ed98a45f8749",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.393654Z",
+ "modified": "2022-09-08T18:26:13.393654Z",
+ "name": "Static Public Library::Crypto Library",
+ "description": "A public crypto library is embedded in the code.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-lib.md",
+ "external_id": "C0059.002"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--77932220-efa9-44d5-b3a9-c5d9ed4f3573.json b/mbc/attack-pattern/attack-pattern--77932220-efa9-44d5-b3a9-c5d9ed4f3573.json
index 7bc3f6b0..9a2bdef3 100644
--- a/mbc/attack-pattern/attack-pattern--77932220-efa9-44d5-b3a9-c5d9ed4f3573.json
+++ b/mbc/attack-pattern/attack-pattern--77932220-efa9-44d5-b3a9-c5d9ed4f3573.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/simulate-hardware.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/simulate-hardware.md",
 "external_id": "C0057.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--77b42d45-8bcf-4d7d-b6d1-4756b6edf272.json b/mbc/attack-pattern/attack-pattern--77b42d45-8bcf-4d7d-b6d1-4756b6edf272.json
index c2d78385..48d44ef0 100644
--- a/mbc/attack-pattern/attack-pattern--77b42d45-8bcf-4d7d-b6d1-4756b6edf272.json
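Review bot: The new C0059.002 object's `mitre-mbc` URL points at `micro-behaviors/cryptography/crypto-lib.md`, whereas the other cryptography URLs touched in this commit were moved to spelled-out v2.3 names (`cryptographic-hash.md`, `decrypt-data.md`), so the abbreviated path looks like it may predate the rename and should be checked against the v2.3 tag before release since a dead link here breaks every consumer that dereferences it. The file is also emitted without a trailing newline (`\ No newline at end of file`); the generator should add one. `"x_mitre_is_subtechnique": true` is set but nothing in this bundle names the parent C0059 — that is presumably carried by a separate relationship object, which is worth confirming exists for the new id.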
+++ b/mbc/attack-pattern/attack-pattern--77b42d45-8bcf-4d7d-b6d1-4756b6edf272.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--77b42d45-8bcf-4d7d-b6d1-4756b6edf272",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.990485Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.387063Z",
 "name": "Stream Cipher::Decrypt Data",
 "description": "Malware decrypts data encrypted with a stream cipher.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
 "external_id": "C0031.013"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6.json b/mbc/attack-pattern/attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6.json
index 6e04696b..542cfa86 100644
--- a/mbc/attack-pattern/attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6.json
+++ b/mbc/attack-pattern/attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.983492Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.37587Z",
 "name": "Socket Communication",
 "description": "This micro-behavior focuses on socket (TCP, UDP) communication.",
 "kill_chain_phases": [
@@ -20,8 +20,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md",
 "external_id": "C0001"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/resources/synful-knock-acis"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--7850a582-f8c8-4582-a473-1b12e1f45929.json b/mbc/attack-pattern/attack-pattern--7850a582-f8c8-4582-a473-1b12e1f45929.json
index 97a2b744..320550ca 100644
--- a/mbc/attack-pattern/attack-pattern--7850a582-f8c8-4582-a473-1b12e1f45929.json
+++ b/mbc/attack-pattern/attack-pattern--7850a582-f8c8-4582-a473-1b12e1f45929.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--7850a582-f8c8-4582-a473-1b12e1f45929",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.494264Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.285417Z",
 "name": "Guest Process Testing",
 "description": "Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process responsible for these tasks, via its name or other methods, is a technique employed by malware for detecting whether it is being executed in a virtual machine.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.010"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a.json b/mbc/attack-pattern/attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a.json
index 9029487b..a2dedb39 100644
--- a/mbc/attack-pattern/attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a.json
+++ b/mbc/attack-pattern/attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.008483Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.338526Z",
 "name": "Non-Cryptographic Hash",
 "description": "Malware may use a non-cryptographic hash.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md",
 "external_id": "C0030"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--791870bd-2325-4d30-b437-5e90ee997f3c.json b/mbc/attack-pattern/attack-pattern--791870bd-2325-4d30-b437-5e90ee997f3c.json
index 8a9140fc..f8fe4f16 100644
--- a/mbc/attack-pattern/attack-pattern--791870bd-2325-4d30-b437-5e90ee997f3c.json
+++ b/mbc/attack-pattern/attack-pattern--791870bd-2325-4d30-b437-5e90ee997f3c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--791870bd-2325-4d30-b437-5e90ee997f3c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.706262Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.215899Z",
 "name": "Process detection - PE Utilities",
 "description": "Malware can scan for the process name associated with common analysis tools. ImportREC / PETools / LordPE",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md",
 "external_id": "B0013.006"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--793f4091-8c74-4062-95e0-0b32bccb5777.json b/mbc/attack-pattern/attack-pattern--793f4091-8c74-4062-95e0-0b32bccb5777.json
index 2af74394..abac8450 100644
--- a/mbc/attack-pattern/attack-pattern--793f4091-8c74-4062-95e0-0b32bccb5777.json
+++ b/mbc/attack-pattern/attack-pattern--793f4091-8c74-4062-95e0-0b32bccb5777.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--793f4091-8c74-4062-95e0-0b32bccb5777",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.018479Z",
- "modified": "2022-02-05T00:37:22.804261Z",
+ "modified": "2022-09-08T18:26:13.349481Z",
 "name": "Set File Attributes",
 "description": "Malware sets or modifies the attributes of a file.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/set-file-attr.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/set-file-attributes.md",
 "external_id": "C0050"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--795aa535-959e-44b7-9f5e-2d5d0ca3cd1c.json b/mbc/attack-pattern/attack-pattern--795aa535-959e-44b7-9f5e-2d5d0ca3cd1c.json
index 68dc3319..8ad196d3 100644
--- a/mbc/attack-pattern/attack-pattern--795aa535-959e-44b7-9f5e-2d5d0ca3cd1c.json
+++ b/mbc/attack-pattern/attack-pattern--795aa535-959e-44b7-9f5e-2d5d0ca3cd1c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--795aa535-959e-44b7-9f5e-2d5d0ca3cd1c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.515309Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.30787Z",
 "name": "Relocate API Code",
 "description": "Relocate API code in separate buffer (calls don\u2019t lead to imported DLLs).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.020"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9.json b/mbc/attack-pattern/attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9.json
index 2d85f907..f698537e 100644
--- a/mbc/attack-pattern/attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9.json
+++ b/mbc/attack-pattern/attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.539263Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.277642Z",
 "name": "Memory Dump Evasion",
 "description": "Malware hinders retrieval and/or discovery of the contents of the physical memory of the system on which the malware instance is executing [[1]](#1).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md",
 "external_id": "B0006"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--79e12011-d4af-449f-b2da-6b4227564808.json b/mbc/attack-pattern/attack-pattern--79e12011-d4af-449f-b2da-6b4227564808.json
index de1f72d2..50af8ae9 100644
--- a/mbc/attack-pattern/attack-pattern--79e12011-d4af-449f-b2da-6b4227564808.json
+++ b/mbc/attack-pattern/attack-pattern--79e12011-d4af-449f-b2da-6b4227564808.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--79e12011-d4af-449f-b2da-6b4227564808",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.466263Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.316488Z",
 "name": "OutputDebugString",
 "description": "(GetLastError); The OutputDebugString function will demonstrate different behavior depending whether or not a debugger is present. See for details.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.016"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--7aa33db8-4800-430a-8068-8b57b85a9b8a.json b/mbc/attack-pattern/attack-pattern--7aa33db8-4800-430a-8068-8b57b85a9b8a.json
index 5f7eb2ad..86cbef58 100644
--- a/mbc/attack-pattern/attack-pattern--7aa33db8-4800-430a-8068-8b57b85a9b8a.json
+++ b/mbc/attack-pattern/attack-pattern--7aa33db8-4800-430a-8068-8b57b85a9b8a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--7aa33db8-4800-430a-8068-8b57b85a9b8a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.512264Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.305611Z",
 "name": "Inlining",
 "description": "Variation of static linking where full API code inserted everywhere it would have been called.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.011" } ], diff --git a/mbc/attack-pattern/attack-pattern--7adc736f-d3ca-438a-8bce-46967e062ea3.json b/mbc/attack-pattern/attack-pattern--7adc736f-d3ca-438a-8bce-46967e062ea3.json index c4e503d3..88475103 100644 --- a/mbc/attack-pattern/attack-pattern--7adc736f-d3ca-438a-8bce-46967e062ea3.json +++ b/mbc/attack-pattern/attack-pattern--7adc736f-d3ca-438a-8bce-46967e062ea3.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-process.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-process.md", "external_id": "C0017.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--7ae3202c-73b7-4153-a577-4d3084e2675f.json b/mbc/attack-pattern/attack-pattern--7ae3202c-73b7-4153-a577-4d3084e2675f.json index 877c9630..c7b1c80d 100644 --- a/mbc/attack-pattern/attack-pattern--7ae3202c-73b7-4153-a577-4d3084e2675f.json +++ b/mbc/attack-pattern/attack-pattern--7ae3202c-73b7-4153-a577-4d3084e2675f.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", "external_id": "C0036.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--7c01a0a6-5081-4609-9546-120f0652f1d4.json b/mbc/attack-pattern/attack-pattern--7c01a0a6-5081-4609-9546-120f0652f1d4.json index ee84d54b..f5771962 100644 --- a/mbc/attack-pattern/attack-pattern--7c01a0a6-5081-4609-9546-120f0652f1d4.json 
+++ b/mbc/attack-pattern/attack-pattern--7c01a0a6-5081-4609-9546-120f0652f1d4.json @@ -8,7 +8,7 @@ "id": "attack-pattern--7c01a0a6-5081-4609-9546-120f0652f1d4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.483264Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.285906Z", "name": "Human User Check", "description": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. Directories or file might be counted. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel, change in foreground window . This method is very similar to ATT&CK's [Virtualization/Sandbox Evasion: User Activity Based Checks](https://attack.mitre.org/techniques/T1497/002/) sub-technique.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.012" }, { diff --git a/mbc/attack-pattern/attack-pattern--7c1bb00d-f8cb-4ca8-aa11-b59f5b108996.json b/mbc/attack-pattern/attack-pattern--7c1bb00d-f8cb-4ca8-aa11-b59f5b108996.json index 3ecc3d9a..935c20fd 100644 --- a/mbc/attack-pattern/attack-pattern--7c1bb00d-f8cb-4ca8-aa11-b59f5b108996.json +++ b/mbc/attack-pattern/attack-pattern--7c1bb00d-f8cb-4ca8-aa11-b59f5b108996.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--7c1bb00d-f8cb-4ca8-aa11-b59f5b108996", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.754261Z", - "modified": "2022-02-05T00:37:22.694887Z", + "modified": "2022-09-08T18:26:13.27391Z", "name": "Automated Exfiltration", "description": "Malware may exfiltrate data via automated processing or scripting.", "kill_chain_phases": [ @@ -20,13 +20,8 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/auto-exfiltrate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/automated-exfiltration.md", "external_id": "E1020" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1020/", - "external_id": "T1020" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--7c5cb62b-9374-47b1-8a2f-82204b8640b6.json b/mbc/attack-pattern/attack-pattern--7c5cb62b-9374-47b1-8a2f-82204b8640b6.json index 511dd684..b2eb5c56 100644 --- a/mbc/attack-pattern/attack-pattern--7c5cb62b-9374-47b1-8a2f-82204b8640b6.json +++ b/mbc/attack-pattern/attack-pattern--7c5cb62b-9374-47b1-8a2f-82204b8640b6.json @@ -8,7 +8,7 @@ "id": "attack-pattern--7c5cb62b-9374-47b1-8a2f-82204b8640b6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.923443Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.407231Z", "name": "Encryption-Custom Algorithm", "description": "A custom algorithm is used to encrypt a malware sample, file, or other information.", "kill_chain_phases": [ @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", "external_id": "E1027.m08" } ], 
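Review bot: The `@@ -20,13 +20,8 @@` hunk for E1020 Automated Exfiltration drops the `mitre-attack` external reference (T1020) and leaves only the `mitre-mbc` entry, so the object no longer carries a machine-readable link to the ATT&CK technique the removed reference paired it with. Any consumer that pivots from MBC to ATT&CK by selecting `source_name == "mitre-attack"` will silently lose this behavior after the update. If dropping ATT&CK references is an intended v2.3 change it should be stated in the commit message; otherwise restore `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1020/", "external_id": "T1020" }` in `external_references`.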
diff --git a/mbc/attack-pattern/attack-pattern--7c77b8ac-f548-48ae-813d-028de1a8d9fd.json b/mbc/attack-pattern/attack-pattern--7c77b8ac-f548-48ae-813d-028de1a8d9fd.json index 38b35327..fefc566a 100644 --- a/mbc/attack-pattern/attack-pattern--7c77b8ac-f548-48ae-813d-028de1a8d9fd.json +++ b/mbc/attack-pattern/attack-pattern--7c77b8ac-f548-48ae-813d-028de1a8d9fd.json @@ -8,7 +8,7 @@ "id": "attack-pattern--7c77b8ac-f548-48ae-813d-028de1a8d9fd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.70226Z", - "modified": "2022-02-05T00:37:22.663601Z", + "modified": "2022-09-08T18:26:13.423241Z", "name": "Self Deletion", "description": "Malware may uninstall itself to avoid detection.", "kill_chain_phases": [ @@ -20,8 +20,12 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/self-deletion.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/self-deletion.md", "external_id": "F0007" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/hot-knives-through-butter-evading-file-based-sandboxes" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89.json b/mbc/attack-pattern/attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89.json index 27f0e436..3d19de70 100644 --- a/mbc/attack-pattern/attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89.json +++ b/mbc/attack-pattern/attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/create-file.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/create-file.md", "external_id": "C0016" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05.json b/mbc/attack-pattern/attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05.json index e2f19531..ff33bd97 100644 --- a/mbc/attack-pattern/attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05.json +++ b/mbc/attack-pattern/attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", "external_id": "C0005" }, { diff --git a/mbc/attack-pattern/attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29.json b/mbc/attack-pattern/attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29.json index 7ab542da..fcc1701d 100644 --- a/mbc/attack-pattern/attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29.json +++ b/mbc/attack-pattern/attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29.json @@ -8,7 +8,7 @@ "id": "attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.638268Z", - "modified": "2022-02-05T00:37:22.616726Z", + "modified": "2022-09-08T18:26:13.434399Z", "name": "Alternative Installation Location", "description": "Malware may install itself not as a file on the hard drive.", "kill_chain_phases": [ 
@@ -20,12 +20,16 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/alter-install-location.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/alternative-installation-location.md", "external_id": "B0027" }, { "source_name": "external_source", "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/synful-knock-acis" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--7f30f323-51eb-42a6-8331-834b0da343cc.json b/mbc/attack-pattern/attack-pattern--7f30f323-51eb-42a6-8331-834b0da343cc.json index 4d010453..81eb1e6b 100644 --- a/mbc/attack-pattern/attack-pattern--7f30f323-51eb-42a6-8331-834b0da343cc.json +++ b/mbc/attack-pattern/attack-pattern--7f30f323-51eb-42a6-8331-834b0da343cc.json @@ -8,7 +8,7 @@ "id": "attack-pattern--7f30f323-51eb-42a6-8331-834b0da343cc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.512264Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.305851Z", "name": "Loop Escapes", "description": "Use SEH or other methods to break out of a loop instead of a conditional jump.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.012" } ], diff --git a/mbc/attack-pattern/attack-pattern--7f779291-853e-4e30-a57c-0b3276b70905.json b/mbc/attack-pattern/attack-pattern--7f779291-853e-4e30-a57c-0b3276b70905.json index ed16b839..ec43ec8a 100644 --- a/mbc/attack-pattern/attack-pattern--7f779291-853e-4e30-a57c-0b3276b70905.json 
+++ b/mbc/attack-pattern/attack-pattern--7f779291-853e-4e30-a57c-0b3276b70905.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/install-driver.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/install-driver.md", "external_id": "C0037.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--7fac651b-a6ae-494c-9386-d75a454776da.json b/mbc/attack-pattern/attack-pattern--7fac651b-a6ae-494c-9386-d75a454776da.json index bc381d79..5b02fad5 100644 --- a/mbc/attack-pattern/attack-pattern--7fac651b-a6ae-494c-9386-d75a454776da.json +++ b/mbc/attack-pattern/attack-pattern--7fac651b-a6ae-494c-9386-d75a454776da.json @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", "external_id": "F0001.013" } ], diff --git a/mbc/attack-pattern/attack-pattern--7fb51daf-9a09-4cab-b202-fec90ad30e03.json b/mbc/attack-pattern/attack-pattern--7fb51daf-9a09-4cab-b202-fec90ad30e03.json index 4e55f35b..56a22606 100644 --- a/mbc/attack-pattern/attack-pattern--7fb51daf-9a09-4cab-b202-fec90ad30e03.json +++ b/mbc/attack-pattern/attack-pattern--7fb51daf-9a09-4cab-b202-fec90ad30e03.json @@ -8,7 +8,7 @@ "id": "attack-pattern--7fb51daf-9a09-4cab-b202-fec90ad30e03", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.798261Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.267442Z", "name": "Spamming", "description": "Malware may use a victim machine to create and send spam.", "kill_chain_phases": [ 
@@ -20,12 +20,16 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/spamming.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/spamming.md", "external_id": "B0039" }, { "source_name": "external_source", "url": "https://techcrunch.com/2019/07/12/trickbot-spam-millions-emails/" + }, + { + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--80d3bfbb-e88b-4396-9233-9fc88096a938.json b/mbc/attack-pattern/attack-pattern--80d3bfbb-e88b-4396-9233-9fc88096a938.json index ca878ea2..acb1bcb5 100644 --- a/mbc/attack-pattern/attack-pattern--80d3bfbb-e88b-4396-9233-9fc88096a938.json +++ b/mbc/attack-pattern/attack-pattern--80d3bfbb-e88b-4396-9233-9fc88096a938.json @@ -8,7 +8,7 @@ "id": "attack-pattern--80d3bfbb-e88b-4396-9233-9fc88096a938", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.974485Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.366303Z", "name": "Read Header::HTTP Communication", "description": "HTTP read header.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", "external_id": "C0002.014" } ], diff --git a/mbc/attack-pattern/attack-pattern--80ee5a98-6e25-4cb6-a6d2-3321855e14e2.json b/mbc/attack-pattern/attack-pattern--80ee5a98-6e25-4cb6-a6d2-3321855e14e2.json index 4c242b08..eb5a070a 100644 --- a/mbc/attack-pattern/attack-pattern--80ee5a98-6e25-4cb6-a6d2-3321855e14e2.json +++ b/mbc/attack-pattern/attack-pattern--80ee5a98-6e25-4cb6-a6d2-3321855e14e2.json 
@@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md", "external_id": "E1564.m03" } ], diff --git a/mbc/attack-pattern/attack-pattern--81062418-20ac-4df8-86e0-856587b02533.json b/mbc/attack-pattern/attack-pattern--81062418-20ac-4df8-86e0-856587b02533.json index ee5b79aa..3e7241cc 100644 --- a/mbc/attack-pattern/attack-pattern--81062418-20ac-4df8-86e0-856587b02533.json +++ b/mbc/attack-pattern/attack-pattern--81062418-20ac-4df8-86e0-856587b02533.json @@ -8,10 +8,22 @@ "id": "attack-pattern--81062418-20ac-4df8-86e0-856587b02533", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", + "modified": "2022-09-08T18:26:13.419331Z", "name": "Inline Patching", - "description": "Inline patching (inline hooking) is done by modifying the beginning of a function in order to redirect the execution flow to custom code (i.e. redirecting code flow) before jumping back to the original function.", + "description": "Inline patching (inline hooking) is done by modifying the beginning of a function (e.g., first bytes) in order to redirect the execution flow to custom code (i.e. redirecting code flow) before jumping back to the original function.", "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + }, { "kill_chain_name": "mitre-mbc", "phase_name": "defense-evasion" 
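Review bot: The kill-chain phase list on Inline Patching (F0015.002) may now diverge from its parent: the hunk adds `anti-behavioral-analysis`, `collection` and `credential-access` alongside `defense-evasion`, but the parent F0015 Hijack Execution Flow object and the sibling F0015.* sub-techniques are not visible in this chunk, so it cannot be confirmed they carry the same four phases. Presumably a sub-technique is meant to inherit its parent's objectives; please confirm the parent and siblings are updated in the same commit so phase-based queries return a consistent set.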
@@ -28,7 +40,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", "external_id": "F0015.002" }, { diff --git a/mbc/attack-pattern/attack-pattern--81090849-4ac4-4838-9e06-6a027036d936.json b/mbc/attack-pattern/attack-pattern--81090849-4ac4-4838-9e06-6a027036d936.json index 1dd84730..9ec161bb 100644 --- a/mbc/attack-pattern/attack-pattern--81090849-4ac4-4838-9e06-6a027036d936.json +++ b/mbc/attack-pattern/attack-pattern--81090849-4ac4-4838-9e06-6a027036d936.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", "external_id": "C0036.007" } ], diff --git a/mbc/attack-pattern/attack-pattern--81bed55c-e336-4637-bae0-07d7d4d82ebe.json b/mbc/attack-pattern/attack-pattern--81bed55c-e336-4637-bae0-07d7d4d82ebe.json index 400f26ae..0a19764b 100644 --- a/mbc/attack-pattern/attack-pattern--81bed55c-e336-4637-bae0-07d7d4d82ebe.json +++ b/mbc/attack-pattern/attack-pattern--81bed55c-e336-4637-bae0-07d7d4d82ebe.json @@ -8,7 +8,7 @@ "id": "attack-pattern--81bed55c-e336-4637-bae0-07d7d4d82ebe", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.406956Z", "name": "Encryption", "description": "A malware sample, file, or other information is encrypted.", "kill_chain_phases": [ 
@@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", "external_id": "E1027.m04" } ], diff --git a/mbc/attack-pattern/attack-pattern--81c902fa-0862-4f21-b951-f82a5d39f204.json b/mbc/attack-pattern/attack-pattern--81c902fa-0862-4f21-b951-f82a5d39f204.json index c4b02e57..dd9fdfbc 100644 --- a/mbc/attack-pattern/attack-pattern--81c902fa-0862-4f21-b951-f82a5d39f204.json +++ b/mbc/attack-pattern/attack-pattern--81c902fa-0862-4f21-b951-f82a5d39f204.json @@ -8,7 +8,7 @@ "id": "attack-pattern--81c902fa-0862-4f21-b951-f82a5d39f204", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.500263Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.289225Z", "name": "Modern Specs Check", "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.013" } ], diff --git a/mbc/attack-pattern/attack-pattern--8226e7fa-8e78-497b-9967-32e5d1395e12.json b/mbc/attack-pattern/attack-pattern--8226e7fa-8e78-497b-9967-32e5d1395e12.json index 9c33a05a..9083f764 100644 --- a/mbc/attack-pattern/attack-pattern--8226e7fa-8e78-497b-9967-32e5d1395e12.json +++ b/mbc/attack-pattern/attack-pattern--8226e7fa-8e78-497b-9967-32e5d1395e12.json 
@@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md", "external_id": "E1564.m05" } ], diff --git a/mbc/attack-pattern/attack-pattern--82b547ba-e0b0-457f-95fc-c661d1aa0942.json b/mbc/attack-pattern/attack-pattern--82b547ba-e0b0-457f-95fc-c661d1aa0942.json index 30863b82..ab56c24d 100644 --- a/mbc/attack-pattern/attack-pattern--82b547ba-e0b0-457f-95fc-c661d1aa0942.json +++ b/mbc/attack-pattern/attack-pattern--82b547ba-e0b0-457f-95fc-c661d1aa0942.json @@ -8,7 +8,7 @@ "id": "attack-pattern--82b547ba-e0b0-457f-95fc-c661d1aa0942", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.980486Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.372133Z", "name": "Create Socket::Socket Communication", "description": "A server or client creates a UDP or TCP socket.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36.json b/mbc/attack-pattern/attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36.json index b119bce7..3ac32a55 100644 --- a/mbc/attack-pattern/attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36.json +++ b/mbc/attack-pattern/attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36.json 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/modify-hardware.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/modify-hardware.md", "external_id": "B0042" } ], diff --git a/mbc/attack-pattern/attack-pattern--83576712-779f-4c76-9459-939092f6cd70.json b/mbc/attack-pattern/attack-pattern--83576712-779f-4c76-9459-939092f6cd70.json index 1c6a2edf..36e42536 100644 --- a/mbc/attack-pattern/attack-pattern--83576712-779f-4c76-9459-939092f6cd70.json +++ b/mbc/attack-pattern/attack-pattern--83576712-779f-4c76-9459-939092f6cd70.json @@ -8,7 +8,7 @@ "id": "attack-pattern--83576712-779f-4c76-9459-939092f6cd70", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.403344Z", "name": "Application Rootkit", "description": "Application rootkits operate by exchanging standard application files with rootkit files, or changing applications by injecting code or patching.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md", "external_id": "E1014.m12" } ], diff --git a/mbc/attack-pattern/attack-pattern--83892ea2-fded-49dd-bca7-d415f8fea8f9.json b/mbc/attack-pattern/attack-pattern--83892ea2-fded-49dd-bca7-d415f8fea8f9.json index e566109b..68ce5b16 100644 --- a/mbc/attack-pattern/attack-pattern--83892ea2-fded-49dd-bca7-d415f8fea8f9.json +++ b/mbc/attack-pattern/attack-pattern--83892ea2-fded-49dd-bca7-d415f8fea8f9.json 
@@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", "external_id": "F0001.008" } ], diff --git a/mbc/attack-pattern/attack-pattern--838d57ce-1e63-4898-9054-14851119e5fc.json b/mbc/attack-pattern/attack-pattern--838d57ce-1e63-4898-9054-14851119e5fc.json index 7de81ea0..356eb4fe 100644 --- a/mbc/attack-pattern/attack-pattern--838d57ce-1e63-4898-9054-14851119e5fc.json +++ b/mbc/attack-pattern/attack-pattern--838d57ce-1e63-4898-9054-14851119e5fc.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md", "external_id": "C0032.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--84157800-81cd-4b3a-abb0-5f7ada18a28f.json b/mbc/attack-pattern/attack-pattern--84157800-81cd-4b3a-abb0-5f7ada18a28f.json index 02875f59..f42ab84f 100644 --- a/mbc/attack-pattern/attack-pattern--84157800-81cd-4b3a-abb0-5f7ada18a28f.json +++ b/mbc/attack-pattern/attack-pattern--84157800-81cd-4b3a-abb0-5f7ada18a28f.json @@ -8,7 +8,7 @@ "id": "attack-pattern--84157800-81cd-4b3a-abb0-5f7ada18a28f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.474262Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.320572Z", "name": "TLS Callbacks", "kill_chain_phases": [ { 
@@ -19,7 +19,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.029" }, { diff --git a/mbc/attack-pattern/attack-pattern--84b9dfc5-4109-40fb-8378-52ecc2919cb4.json b/mbc/attack-pattern/attack-pattern--84b9dfc5-4109-40fb-8378-52ecc2919cb4.json index 78e4618e..a00fde52 100644 --- a/mbc/attack-pattern/attack-pattern--84b9dfc5-4109-40fb-8378-52ecc2919cb4.json +++ b/mbc/attack-pattern/attack-pattern--84b9dfc5-4109-40fb-8378-52ecc2919cb4.json @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", "external_id": "F0001.012" } ], diff --git a/mbc/attack-pattern/attack-pattern--85137da0-876b-4ce2-a1ce-d582043ed578.json b/mbc/attack-pattern/attack-pattern--85137da0-876b-4ce2-a1ce-d582043ed578.json index 73a7c9c6..f6498978 100644 --- a/mbc/attack-pattern/attack-pattern--85137da0-876b-4ce2-a1ce-d582043ed578.json +++ b/mbc/attack-pattern/attack-pattern--85137da0-876b-4ce2-a1ce-d582043ed578.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/read-virtual-disk.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/read-virtual-disk.md", "external_id": "C0056" } ], diff --git a/mbc/attack-pattern/attack-pattern--856d6d11-4b8a-47d6-afb0-b79aa462fa26.json b/mbc/attack-pattern/attack-pattern--856d6d11-4b8a-47d6-afb0-b79aa462fa26.json index 3d833be2..66ffffe9 100644 --- a/mbc/attack-pattern/attack-pattern--856d6d11-4b8a-47d6-afb0-b79aa462fa26.json 
+++ b/mbc/attack-pattern/attack-pattern--856d6d11-4b8a-47d6-afb0-b79aa462fa26.json @@ -8,7 +8,7 @@ "id": "attack-pattern--856d6d11-4b8a-47d6-afb0-b79aa462fa26", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.386548Z", "name": "Skipjack::Decrypt Data", "description": "Malware decrypts data encrypted with the Skipjack block cipher algorithm.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", "external_id": "C0031.011" } ], diff --git a/mbc/attack-pattern/attack-pattern--85809708-79ee-4bff-824e-471b7bbd30a9.json b/mbc/attack-pattern/attack-pattern--85809708-79ee-4bff-824e-471b7bbd30a9.json index 2162caf8..253eebe8 100644 --- a/mbc/attack-pattern/attack-pattern--85809708-79ee-4bff-824e-471b7bbd30a9.json +++ b/mbc/attack-pattern/attack-pattern--85809708-79ee-4bff-824e-471b7bbd30a9.json @@ -8,7 +8,7 @@ "id": "attack-pattern--85809708-79ee-4bff-824e-471b7bbd30a9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.976483Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.377415Z", "name": "Echo Request::ICMP Communication", "description": "Send ICMP echo request.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/icmp-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/icmp-communication.md", "external_id": "C0014.002" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--85d9ce2b-1b52-4de5-8b03-74ed590639d6.json b/mbc/attack-pattern/attack-pattern--85d9ce2b-1b52-4de5-8b03-74ed590639d6.json index cec5c8ac..fb053d72 100644 --- a/mbc/attack-pattern/attack-pattern--85d9ce2b-1b52-4de5-8b03-74ed590639d6.json +++ b/mbc/attack-pattern/attack-pattern--85d9ce2b-1b52-4de5-8b03-74ed590639d6.json @@ -8,7 +8,7 @@ "id": "attack-pattern--85d9ce2b-1b52-4de5-8b03-74ed590639d6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.465264Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.315828Z", "name": "NtSetInformationThread", "description": "Calling this API with a fake class length or thread handle can indicate whether it is hooked. After calling NtSetInformationThread properly, the HideThreadFromDebugger flag is checked with the NtQueryInformationThread API.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.014" }, { diff --git a/mbc/attack-pattern/attack-pattern--85da3a4e-287a-45b9-91d2-019b59af07e3.json b/mbc/attack-pattern/attack-pattern--85da3a4e-287a-45b9-91d2-019b59af07e3.json index d7a09df1..ef5028ab 100644 --- a/mbc/attack-pattern/attack-pattern--85da3a4e-287a-45b9-91d2-019b59af07e3.json +++ b/mbc/attack-pattern/attack-pattern--85da3a4e-287a-45b9-91d2-019b59af07e3.json @@ -8,7 +8,7 @@ "id": "attack-pattern--85da3a4e-287a-45b9-91d2-019b59af07e3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.473261Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.319805Z", "name": "Software Breakpoints", "description": "(INT3/0xCC)", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.025" } ], diff --git a/mbc/attack-pattern/attack-pattern--8736d370-3b61-4b4d-a371-0a01e988cbde.json b/mbc/attack-pattern/attack-pattern--8736d370-3b61-4b4d-a371-0a01e988cbde.json index 8bc9481e..73d79657 100644 --- a/mbc/attack-pattern/attack-pattern--8736d370-3b61-4b4d-a371-0a01e988cbde.json +++ b/mbc/attack-pattern/attack-pattern--8736d370-3b61-4b4d-a371-0a01e988cbde.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8736d370-3b61-4b4d-a371-0a01e988cbde", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.52426Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.32804Z", "name": "Illusion", "description": "Creates an illusion; makes the analyst think something happened when it didn't.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", "external_id": "B0003.009" } ], diff --git a/mbc/attack-pattern/attack-pattern--87414f49-bf46-4a09-9999-979d71eb16a5.json b/mbc/attack-pattern/attack-pattern--87414f49-bf46-4a09-9999-979d71eb16a5.json index 7a157a0e..5bded04d 100644 --- a/mbc/attack-pattern/attack-pattern--87414f49-bf46-4a09-9999-979d71eb16a5.json +++ b/mbc/attack-pattern/attack-pattern--87414f49-bf46-4a09-9999-979d71eb16a5.json 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/system-services.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/system-services.md", "external_id": "E1569.m01" }, { diff --git a/mbc/attack-pattern/attack-pattern--878a631a-286b-4df2-bd6c-29a14053c402.json b/mbc/attack-pattern/attack-pattern--878a631a-286b-4df2-bd6c-29a14053c402.json index 8bdc5f22..f48d45eb 100644 --- a/mbc/attack-pattern/attack-pattern--878a631a-286b-4df2-bd6c-29a14053c402.json +++ b/mbc/attack-pattern/attack-pattern--878a631a-286b-4df2-bd6c-29a14053c402.json @@ -8,7 +8,7 @@ "id": "attack-pattern--878a631a-286b-4df2-bd6c-29a14053c402", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.57026Z", - "modified": "2022-02-05T00:37:22.585511Z", + "modified": "2022-09-08T18:26:13.20381Z", "name": "Multiple VMs", "description": "Multiple virtual machines with different architectures (CISC, RISC, etc.) can be used inside of a single executable in order to make reverse engineering even more difficult.", "kill_chain_phases": [ @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-virtualize.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-virtualization.md", "external_id": "B0008.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859.json b/mbc/attack-pattern/attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859.json index 57b72eba..e4d72bf2 100644 --- a/mbc/attack-pattern/attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859.json +++ b/mbc/attack-pattern/attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.562264Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.195437Z", "name": "Executable Code Obfuscation", "description": "Executable code can be obfuscated to hinder disassembly and static code analysis. This behavior is specific to a malware sample's executable code (data and text sections).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", "external_id": "B0032" }, { @@ -35,6 +35,26 @@ "source_name": "external_source", "description": "Rob Simmons, \"Comparing Malicious Files,\" BSides, 2019.", "url": "http://www.irongeek.com/i.php?page=videos/bsidescharm2019/2-04-comparing-malicious-files-robert-simmons" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf" + }, + { + "source_name": "external_source", + "url": "https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921.json b/mbc/attack-pattern/attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921.json index 9b5354a0..15895b44 100644 
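Review bot: The five `external_source` references appended after the Rob Simmons entry in the `@@ -35,6 +35,26 @@` hunk carry only a `url`, whereas the entry they follow pairs the URL with a `description` naming the work (`"description": "Rob Simmons, \"Comparing Malicious Files,\" BSides, 2019."`). A bare URL gives consumers nothing to display or cite once the link changes, which vendor blog and PDF links tend to do. Adding a short `description` to each new object, for example `"description": "Cisco Talos, Rombertik analysis."` for the first one, keeps the reference list self-describing and consistent with the existing entry. The `external_references` array continues past the hunk, so the same check applies to any entries not shown here.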
--- a/mbc/attack-pattern/attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921.json +++ b/mbc/attack-pattern/attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921.json @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/cryptocurrency.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/cryptocurrency.md", "external_id": "B0028" } ], diff --git a/mbc/attack-pattern/attack-pattern--8845345d-4d1d-4527-9b6a-93f23f247992.json b/mbc/attack-pattern/attack-pattern--8845345d-4d1d-4527-9b6a-93f23f247992.json index ed24a98d..5bfb5da9 100644 --- a/mbc/attack-pattern/attack-pattern--8845345d-4d1d-4527-9b6a-93f23f247992.json +++ b/mbc/attack-pattern/attack-pattern--8845345d-4d1d-4527-9b6a-93f23f247992.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/allocate-memory.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/allocate-memory.md", "external_id": "C0007" } ], diff --git a/mbc/attack-pattern/attack-pattern--88906eb3-c6df-452f-a16d-d276a39a39d4.json b/mbc/attack-pattern/attack-pattern--88906eb3-c6df-452f-a16d-d276a39a39d4.json index e4271a31..e71f68ff 100644 --- a/mbc/attack-pattern/attack-pattern--88906eb3-c6df-452f-a16d-d276a39a39d4.json +++ b/mbc/attack-pattern/attack-pattern--88906eb3-c6df-452f-a16d-d276a39a39d4.json @@ -8,7 +8,7 @@ "id": "attack-pattern--88906eb3-c6df-452f-a16d-d276a39a39d4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.87726Z", - "modified": "2022-02-05T00:37:22.804261Z", + "modified": "2022-09-08T18:26:13.339477Z", "name": "Executable Heap::Change Memory Protection", "description": "The heap is made executable.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/memory-protect.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/change-memory-protection.md", "external_id": "C0008.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--89594c9d-1e28-49a2-8969-694ade43e857.json b/mbc/attack-pattern/attack-pattern--89594c9d-1e28-49a2-8969-694ade43e857.json index f54034b2..410fb8f8 100644 --- a/mbc/attack-pattern/attack-pattern--89594c9d-1e28-49a2-8969-694ade43e857.json +++ b/mbc/attack-pattern/attack-pattern--89594c9d-1e28-49a2-8969-694ade43e857.json @@ -8,7 +8,7 @@ "id": "attack-pattern--89594c9d-1e28-49a2-8969-694ade43e857", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.464262Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.315063Z", "name": "Monitoring Thread", "description": "Malware may spawn a monitoring thread to detect tampering, breakpoints, etc.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.011" } ], diff --git a/mbc/attack-pattern/attack-pattern--89a1d613-7163-493b-8aa9-7a528dd1dd3e.json b/mbc/attack-pattern/attack-pattern--89a1d613-7163-493b-8aa9-7a528dd1dd3e.json index f1d0f032..5ffb81ca 100644 --- a/mbc/attack-pattern/attack-pattern--89a1d613-7163-493b-8aa9-7a528dd1dd3e.json +++ b/mbc/attack-pattern/attack-pattern--89a1d613-7163-493b-8aa9-7a528dd1dd3e.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--89a1d613-7163-493b-8aa9-7a528dd1dd3e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.515309Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.308378Z", "name": "RtlAdjustPrivilege", "description": "Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.022" } ], diff --git a/mbc/attack-pattern/attack-pattern--89bb05dd-fd11-40c4-918e-db0c3cde0955.json b/mbc/attack-pattern/attack-pattern--89bb05dd-fd11-40c4-918e-db0c3cde0955.json index cefeeaa1..d72f08dc 100644 --- a/mbc/attack-pattern/attack-pattern--89bb05dd-fd11-40c4-918e-db0c3cde0955.json +++ b/mbc/attack-pattern/attack-pattern--89bb05dd-fd11-40c4-918e-db0c3cde0955.json @@ -8,7 +8,7 @@ "id": "attack-pattern--89bb05dd-fd11-40c4-918e-db0c3cde0955", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.922442Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.406185Z", "name": "Encoding-Custom Algorithm", "description": "A custom algorithm is used to encode a malware sample, file or other information.", "kill_chain_phases": [ @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", "external_id": "E1027.m03" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--89cee1bf-b7ab-4c13-8011-22364628422d.json b/mbc/attack-pattern/attack-pattern--89cee1bf-b7ab-4c13-8011-22364628422d.json index af83e3cb..84dfb9f5 100644 --- a/mbc/attack-pattern/attack-pattern--89cee1bf-b7ab-4c13-8011-22364628422d.json +++ b/mbc/attack-pattern/attack-pattern--89cee1bf-b7ab-4c13-8011-22364628422d.json @@ -8,7 +8,7 @@ "id": "attack-pattern--89cee1bf-b7ab-4c13-8011-22364628422d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.677261Z", - "modified": "2022-02-05T00:37:22.694887Z", + "modified": "2022-09-08T18:26:13.272368Z", "name": "Encryption - Custom Encryption", "description": "Data is encrypted. A custom algorithm is used to encrypt the exfiltrated data.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", "external_id": "E1560.m06" } ], diff --git a/mbc/attack-pattern/attack-pattern--8a7350ca-f1f6-42db-9fbf-aa110d02e338.json b/mbc/attack-pattern/attack-pattern--8a7350ca-f1f6-42db-9fbf-aa110d02e338.json deleted file mode 100644 index fd9d1763..00000000 --- a/mbc/attack-pattern/attack-pattern--8a7350ca-f1f6-42db-9fbf-aa110d02e338.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--3c910be8-5dc4-4577-ae5e-e54b1c7ec214", - "objects": [ - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--8a7350ca-f1f6-42db-9fbf-aa110d02e338", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "System Service Dispatch Table Hooking", - "description": "Hooks the system service dispatch table (SSDT), also called the system service descriptor table. The SSDT contains information about the service tables used by the operating system for dispatching system calls. Hooking the SSDT enables malware to hide files, registry keys, and network connections.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.004" - } - ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true - } - ] -} \ No newline at end of file diff --git a/mbc/attack-pattern/attack-pattern--8abe31b2-7123-41f1-9ca3-5653bc1c0fdc.json b/mbc/attack-pattern/attack-pattern--8abe31b2-7123-41f1-9ca3-5653bc1c0fdc.json index fac48de7..b9d7ee4a 100644 --- a/mbc/attack-pattern/attack-pattern--8abe31b2-7123-41f1-9ca3-5653bc1c0fdc.json +++ b/mbc/attack-pattern/attack-pattern--8abe31b2-7123-41f1-9ca3-5653bc1c0fdc.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--8abe31b2-7123-41f1-9ca3-5653bc1c0fdc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.788262Z", - "modified": "2022-02-05T00:37:22.71051Z", + "modified": "2022-09-08T18:26:13.26055Z", "name": "Cryptojacking", "description": "Consume system resources to mine for cryptocurrency (e.g., Bitcoin, Litecoin, etc.).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/hijack-sys-resources.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/resource-hijacking.md", "external_id": "B0018.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--8b1810b0-5885-47ec-963b-b3fecbe1825a.json b/mbc/attack-pattern/attack-pattern--8b1810b0-5885-47ec-963b-b3fecbe1825a.json index cbca472c..1725a03b 100644 --- a/mbc/attack-pattern/attack-pattern--8b1810b0-5885-47ec-963b-b3fecbe1825a.json +++ b/mbc/attack-pattern/attack-pattern--8b1810b0-5885-47ec-963b-b3fecbe1825a.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8b1810b0-5885-47ec-963b-b3fecbe1825a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.996445Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.396526Z", "name": "RC4 PRGA::Generate Pseudo-random Sequence", "description": "Malware generates a pseudo-random sequence using the RC4 Pseudo Random (Byte) Generation Algorithm (PRGA).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md", "external_id": "C0021.004" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--8b39b092-d827-4e58-9b67-a9b9e8c6f297.json b/mbc/attack-pattern/attack-pattern--8b39b092-d827-4e58-9b67-a9b9e8c6f297.json index 0415dcca..0ca2a172 100644 --- a/mbc/attack-pattern/attack-pattern--8b39b092-d827-4e58-9b67-a9b9e8c6f297.json +++ b/mbc/attack-pattern/attack-pattern--8b39b092-d827-4e58-9b67-a9b9e8c6f297.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8b39b092-d827-4e58-9b67-a9b9e8c6f297", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.465264Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.315584Z", "name": "NtQueryObject", "description": "The ObjectTypeInformation and ObjectAllTypesInformation flags are checked for debugger detection.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.013" } ], diff --git a/mbc/attack-pattern/attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8.json b/mbc/attack-pattern/attack-pattern--8b3b15fa-f369-47b2-9e6d-b30094a799b8.json similarity index 51% rename from mbc/attack-pattern/attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8.json rename to mbc/attack-pattern/attack-pattern--8b3b15fa-f369-47b2-9e6d-b30094a799b8.json index 91bee764..c554d7b4 100644 --- a/mbc/attack-pattern/attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8.json +++ b/mbc/attack-pattern/attack-pattern--8b3b15fa-f369-47b2-9e6d-b30094a799b8.json 
@@ -1,16 +1,16 @@ { "type": "bundle", - "id": "bundle--6ef19364-234a-4f1c-8bfc-9a8f7ac9a1fe", + "id": "bundle--2bdc74dc-4ae6-4633-bc09-85e5e7492843", "objects": [ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8", + "id": "attack-pattern--8b3b15fa-f369-47b2-9e6d-b30094a799b8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.616261Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Remote File Copy", - "description": "Malware may copy files from one system to another.", + "created": "2022-09-08T18:26:13.232941Z", + "modified": "2022-09-08T18:26:13.232941Z", + "name": "Ingress Tool Transfer", + "description": "Malware may copy files from an external system to a system on a compromised network.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/remote-file-copy.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/ingress-tool-transfer.md", "external_id": "E1105" }, { 
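Review bot: The rename of E1105 from Remote File Copy to Ingress Tool Transfer is done by minting a new STIX id (`attack-pattern--8911f215-…` becomes `attack-pattern--8b3b15fa-…`) and resetting `created` to 2022-09-08, although `external_id` stays `E1105`, so this is the same technique under a new name. In STIX 2.1 the object id is the stable handle; any relationship object or downstream consumer keyed on the old UUID now dangles, and the object's creation history is lost. The conventional rename keeps `"id": "attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8"` and `"created": "2020-08-21T20:49:59.616261Z"` and bumps only `modified`, `name` and `description`; if a new id is genuinely intended, the old object should remain in the bundle with `"revoked": true` rather than disappear. The bundle id may change freely, but the object id should not. The `@@ -1,16 +1,16 @@` hunk shows only the head of the object; its kill-chain phases continue outside it.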
@@ -36,9 +36,20 @@ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1105/", - "external_id": "T1105" + "source_name": "external_source", + "url": "https://www.secureworks.com/research/cryptolocker-ransomware" + }, + { + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--8bf7607c-b292-40e6-9372-8624fc971a66.json b/mbc/attack-pattern/attack-pattern--8bf7607c-b292-40e6-9372-8624fc971a66.json index ac5bbf87..ce57fe62 100644 --- a/mbc/attack-pattern/attack-pattern--8bf7607c-b292-40e6-9372-8624fc971a66.json +++ b/mbc/attack-pattern/attack-pattern--8bf7607c-b292-40e6-9372-8624fc971a66.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8bf7607c-b292-40e6-9372-8624fc971a66", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.501259Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.290366Z", "name": "Modern Specs Check - Processor count", "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Checks number of processors; single CPU machines are suspect.", "kill_chain_phases": [ 
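Review bot: The hunk drops the `mitre-attack` external reference for `T1105` while the object keeps the ATT&CK-derived id `E1105` and now takes ATT&CK's own name for the technique, so the explicit MBC-to-ATT&CK mapping that tooling uses to pivot is removed from this object. If the mapping is now expressed elsewhere (a relationship object or the markdown page), that is fine but worth saying in the commit description; otherwise restoring `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1105/", "external_id": "T1105" }` alongside the four new `external_source` entries keeps both. The four added entries are url-only; a `description` naming each report would make them citable if the links move.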
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.018" } ], diff --git a/mbc/attack-pattern/attack-pattern--8c803835-6fd8-4af8-a178-be3e2dc43687.json b/mbc/attack-pattern/attack-pattern--8c803835-6fd8-4af8-a178-be3e2dc43687.json index 8a4816d2..82b1228a 100644 --- a/mbc/attack-pattern/attack-pattern--8c803835-6fd8-4af8-a178-be3e2dc43687.json +++ b/mbc/attack-pattern/attack-pattern--8c803835-6fd8-4af8-a178-be3e2dc43687.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/modify-hardware.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/modify-hardware.md", "external_id": "B0042.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a.json b/mbc/attack-pattern/attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a.json index 06fd1e0f..4901896b 100644 --- a/mbc/attack-pattern/attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a.json +++ b/mbc/attack-pattern/attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.003478Z", - "modified": "2022-02-05T00:37:22.788643Z", + "modified": "2022-09-08T18:26:13.335406Z", "name": "Decode Data", "description": "Malware may decode data.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decode.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decode-data.md", "external_id": "C0053" } ], diff --git a/mbc/attack-pattern/attack-pattern--8cf4e8d0-21b6-4e35-97c2-97e6c5322509.json b/mbc/attack-pattern/attack-pattern--8cf4e8d0-21b6-4e35-97c2-97e6c5322509.json index 5105e5cd..eb5d28ab 100644 --- a/mbc/attack-pattern/attack-pattern--8cf4e8d0-21b6-4e35-97c2-97e6c5322509.json +++ b/mbc/attack-pattern/attack-pattern--8cf4e8d0-21b6-4e35-97c2-97e6c5322509.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8cf4e8d0-21b6-4e35-97c2-97e6c5322509", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.985484Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.380498Z", "name": "MD5::Cryptographic Hash", "description": "Malware uses an MD5 hash.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", "external_id": "C0029.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--8d788ace-f057-449d-bd8b-b0db3fdb5b07.json b/mbc/attack-pattern/attack-pattern--8d788ace-f057-449d-bd8b-b0db3fdb5b07.json index 8dd13c23..50473489 100644 --- a/mbc/attack-pattern/attack-pattern--8d788ace-f057-449d-bd8b-b0db3fdb5b07.json +++ b/mbc/attack-pattern/attack-pattern--8d788ace-f057-449d-bd8b-b0db3fdb5b07.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--8d788ace-f057-449d-bd8b-b0db3fdb5b07", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.974485Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.365285Z", "name": "Send Response::HTTP Communication", "description": "HTTP server sends response.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", "external_id": "C0002.016" } ], diff --git a/mbc/attack-pattern/attack-pattern--8d901ae3-1492-4090-b730-438071314947.json b/mbc/attack-pattern/attack-pattern--8d901ae3-1492-4090-b730-438071314947.json index f9bdd0ba..21992239 100644 --- a/mbc/attack-pattern/attack-pattern--8d901ae3-1492-4090-b730-438071314947.json +++ b/mbc/attack-pattern/attack-pattern--8d901ae3-1492-4090-b730-438071314947.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8d901ae3-1492-4090-b730-438071314947", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.65626Z", - "modified": "2022-02-05T00:37:22.616726Z", + "modified": "2022-09-08T18:26:13.428766Z", "name": "Disable System File Overwrite Protection", "description": "Disables system file overwrite protection mechanisms such as Windows file protection, thereby enabling system files to be modified or replaced.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", "external_id": "F0004.002" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--8df78326-a8e8-4039-82a7-3dd375910e71.json b/mbc/attack-pattern/attack-pattern--8df78326-a8e8-4039-82a7-3dd375910e71.json index 4f7444c1..7c7fdbc2 100644 --- a/mbc/attack-pattern/attack-pattern--8df78326-a8e8-4039-82a7-3dd375910e71.json +++ b/mbc/attack-pattern/attack-pattern--8df78326-a8e8-4039-82a7-3dd375910e71.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", "external_id": "C0036.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb.json b/mbc/attack-pattern/attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb.json index ffa15282..88707c8f 100644 --- a/mbc/attack-pattern/attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb.json +++ b/mbc/attack-pattern/attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.47626Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.32216Z", "name": "Debugger Detection", "description": "Malware detects whether it's being executed inside a debugger. If so, conditional execution selects a benign execution path.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001" }, { 
@@ -57,6 +57,18 @@ "source_name": "external_source", "description": "Anti Debugging Tricks, Al-Khaser.", "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + }, + { + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--8fb51611-3f2a-42e3-9af0-fd8eda882cf8.json b/mbc/attack-pattern/attack-pattern--8fb51611-3f2a-42e3-9af0-fd8eda882cf8.json index 659e1992..f3cf8b53 100644 --- a/mbc/attack-pattern/attack-pattern--8fb51611-3f2a-42e3-9af0-fd8eda882cf8.json +++ b/mbc/attack-pattern/attack-pattern--8fb51611-3f2a-42e3-9af0-fd8eda882cf8.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8fb51611-3f2a-42e3-9af0-fd8eda882cf8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.513264Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.306605Z", "name": "Nanomites", "description": "int3 with code replacement table; debugs itself.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.015" } ], diff --git a/mbc/attack-pattern/attack-pattern--8fcb44c9-dec3-4358-bf3d-35b4174f7d2b.json b/mbc/attack-pattern/attack-pattern--8fcb44c9-dec3-4358-bf3d-35b4174f7d2b.json index 9bd08e33..5a56f48c 100644 --- a/mbc/attack-pattern/attack-pattern--8fcb44c9-dec3-4358-bf3d-35b4174f7d2b.json 
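Review bot: The three references added after the Al-Khaser entry in the `@@ -57,6 +57,18 @@` hunk have a `url` only, whereas the entry they follow documents its source (`"description": "Anti Debugging Tricks, Al-Khaser."`). A `description` on each, such as `"description": "Trustwave SpiderLabs, Gamut spambot analysis."`, keeps the list consistent and usable once a link rots. The rest of the `external_references` array lies outside the hunk.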
+++ b/mbc/attack-pattern/attack-pattern--8fcb44c9-dec3-4358-bf3d-35b4174f7d2b.json @@ -8,7 +8,7 @@ "id": "attack-pattern--8fcb44c9-dec3-4358-bf3d-35b4174f7d2b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.516301Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.308858Z", "name": "Self-Debugging", "description": "Debug itself to prevent another debugger to be attached.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.024" } ], diff --git a/mbc/attack-pattern/attack-pattern--90006260-5019-4c35-8c88-6ee23826734e.json b/mbc/attack-pattern/attack-pattern--90006260-5019-4c35-8c88-6ee23826734e.json index 929884bb..b2eb27de 100644 --- a/mbc/attack-pattern/attack-pattern--90006260-5019-4c35-8c88-6ee23826734e.json +++ b/mbc/attack-pattern/attack-pattern--90006260-5019-4c35-8c88-6ee23826734e.json @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/remote-access.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/remote-access.md", "external_id": "B0022.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--90206369-0c71-47cd-abf2-65e4e75fee99.json b/mbc/attack-pattern/attack-pattern--90206369-0c71-47cd-abf2-65e4e75fee99.json index e071e0f6..afce95c6 100644 --- a/mbc/attack-pattern/attack-pattern--90206369-0c71-47cd-abf2-65e4e75fee99.json +++ b/mbc/attack-pattern/attack-pattern--90206369-0c71-47cd-abf2-65e4e75fee99.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--90206369-0c71-47cd-abf2-65e4e75fee99", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.980486Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.371885Z", "name": "Start TCP Server::Socket Communication", "description": "A TCP server listens for client requests.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.005" } ], diff --git a/mbc/attack-pattern/attack-pattern--903b44e8-0547-4945-ac5a-ee21d0898d4d.json b/mbc/attack-pattern/attack-pattern--903b44e8-0547-4945-ac5a-ee21d0898d4d.json index 809329db..8bfb3832 100644 --- a/mbc/attack-pattern/attack-pattern--903b44e8-0547-4945-ac5a-ee21d0898d4d.json +++ b/mbc/attack-pattern/attack-pattern--903b44e8-0547-4945-ac5a-ee21d0898d4d.json @@ -8,7 +8,7 @@ "id": "attack-pattern--903b44e8-0547-4945-ac5a-ee21d0898d4d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.479261Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.32387Z", "name": "Check for WINE Version", "description": "Checks for WINE via the `get_wine_version` function from WINE's `ntdll.dll`.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md", "external_id": "B0004.002" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--9048df12-c89f-45a6-99ac-caaa7446d6db.json b/mbc/attack-pattern/attack-pattern--9048df12-c89f-45a6-99ac-caaa7446d6db.json index 315a63b0..0d57dda3 100644 --- a/mbc/attack-pattern/attack-pattern--9048df12-c89f-45a6-99ac-caaa7446d6db.json +++ b/mbc/attack-pattern/attack-pattern--9048df12-c89f-45a6-99ac-caaa7446d6db.json @@ -8,7 +8,7 @@ "id": "attack-pattern--9048df12-c89f-45a6-99ac-caaa7446d6db", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.918444Z", - "modified": "2022-02-05T00:37:22.632387Z", + "modified": "2022-09-08T18:26:13.415916Z", "name": "Timestamp", "description": "Malware may change the timestamp on a file to prevent detection.", "kill_chain_phases": [ @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md", "external_id": "F0005.004" } ], diff --git a/mbc/attack-pattern/attack-pattern--904b465b-d733-4619-b0d5-5c394cd2b7f3.json b/mbc/attack-pattern/attack-pattern--904b465b-d733-4619-b0d5-5c394cd2b7f3.json index e425a7be..ae8a759b 100644 --- a/mbc/attack-pattern/attack-pattern--904b465b-d733-4619-b0d5-5c394cd2b7f3.json +++ b/mbc/attack-pattern/attack-pattern--904b465b-d733-4619-b0d5-5c394cd2b7f3.json @@ -8,7 +8,7 @@ "id": "attack-pattern--904b465b-d733-4619-b0d5-5c394cd2b7f3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.466263Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.316169Z", "name": "NtYieldExecution/SwitchToThread", "kill_chain_phases": [ { 
@@ -19,7 +19,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.015" }, { diff --git a/mbc/attack-pattern/attack-pattern--90bb4fe0-057f-40b0-8fba-37005e7f6524.json b/mbc/attack-pattern/attack-pattern--90bb4fe0-057f-40b0-8fba-37005e7f6524.json index 4d4eba1b..df40d45a 100644 --- a/mbc/attack-pattern/attack-pattern--90bb4fe0-057f-40b0-8fba-37005e7f6524.json +++ b/mbc/attack-pattern/attack-pattern--90bb4fe0-057f-40b0-8fba-37005e7f6524.json @@ -8,7 +8,7 @@ "id": "attack-pattern--90bb4fe0-057f-40b0-8fba-37005e7f6524", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.490263Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.283125Z", "name": "Check Registry Keys", "description": "Virtual machines register artifacts in the registry, which can be detected by malware. For example, a search for \"VMware\" or \"VBOX\" in the registry might reveal keys that include information about a virtual hard drive, adapters, running services, or virtual mouse. Example registry key value artifacts include \"HARDWARE\\Description\\System (SystemBiosVersion) (VBOX)\" and \"SYSTEM\\ControlSet001\\Control\\SystemInformation (SystemManufacturer) (VMWARE)\"; example registry key artifacts include \"SOFTWARE\\VMware, Inc.\\VMware Tools (VMWARE)\" and \"SOFTWARE\\Oracle\\VirtualBox Guest Additions (VBOX)\".", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.005" }, { 
diff --git a/mbc/attack-pattern/attack-pattern--916d6dca-adbc-4af9-b810-eb7cd72779c8.json b/mbc/attack-pattern/attack-pattern--916d6dca-adbc-4af9-b810-eb7cd72779c8.json index 8a752227..4cc42f53 100644 --- a/mbc/attack-pattern/attack-pattern--916d6dca-adbc-4af9-b810-eb7cd72779c8.json +++ b/mbc/attack-pattern/attack-pattern--916d6dca-adbc-4af9-b810-eb7cd72779c8.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/load-driver.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/load-driver.md", "external_id": "C0023" } ], diff --git a/mbc/attack-pattern/attack-pattern--91859e1a-022e-420a-bc00-af0546d891cb.json b/mbc/attack-pattern/attack-pattern--91859e1a-022e-420a-bc00-af0546d891cb.json index d16039a8..19c91227 100644 --- a/mbc/attack-pattern/attack-pattern--91859e1a-022e-420a-bc00-af0546d891cb.json +++ b/mbc/attack-pattern/attack-pattern--91859e1a-022e-420a-bc00-af0546d891cb.json @@ -8,7 +8,7 @@ "id": "attack-pattern--91859e1a-022e-420a-bc00-af0546d891cb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.003478Z", - "modified": "2022-02-05T00:37:22.788643Z", + "modified": "2022-09-08T18:26:13.334848Z", "name": "Base64::Decode Data", "description": "Malware may decode data using Base64.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decode.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decode-data.md", "external_id": "C0053.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--91b7e621-49fe-4f7b-a8c6-0a377ceac3cd.json b/mbc/attack-pattern/attack-pattern--91b7e621-49fe-4f7b-a8c6-0a377ceac3cd.json index 64adeb0a..51dc342a 100644 
--- a/mbc/attack-pattern/attack-pattern--91b7e621-49fe-4f7b-a8c6-0a377ceac3cd.json +++ b/mbc/attack-pattern/attack-pattern--91b7e621-49fe-4f7b-a8c6-0a377ceac3cd.json @@ -8,7 +8,7 @@ "id": "attack-pattern--91b7e621-49fe-4f7b-a8c6-0a377ceac3cd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.494264Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.285661Z", "name": "HTML5 Performance Object Check", "description": "In three browser families, it is possible to extract the frequency of the Windows performance counter frequency, using standard HTML and Javascript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.011" } ], diff --git a/mbc/attack-pattern/attack-pattern--91e25008-204c-4723-9c53-ca041c5fd2b1.json b/mbc/attack-pattern/attack-pattern--91e25008-204c-4723-9c53-ca041c5fd2b1.json index 57ca228c..3bffc2e5 100644 --- a/mbc/attack-pattern/attack-pattern--91e25008-204c-4723-9c53-ca041c5fd2b1.json +++ b/mbc/attack-pattern/attack-pattern--91e25008-204c-4723-9c53-ca041c5fd2b1.json @@ -8,7 +8,7 @@ "id": "attack-pattern--91e25008-204c-4723-9c53-ca041c5fd2b1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.917484Z", - "modified": "2022-02-05T00:37:22.632387Z", + "modified": "2022-09-08T18:26:13.415303Z", "name": "Extension", "description": "Malware may change or use a particular file extension to hide a file.", "kill_chain_phases": [ 
@@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md", "external_id": "F0005.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--92ac0cef-de80-4baa-869c-dc993492c0da.json b/mbc/attack-pattern/attack-pattern--92ac0cef-de80-4baa-869c-dc993492c0da.json index 98984d49..9b1c5741 100644 --- a/mbc/attack-pattern/attack-pattern--92ac0cef-de80-4baa-869c-dc993492c0da.json +++ b/mbc/attack-pattern/attack-pattern--92ac0cef-de80-4baa-869c-dc993492c0da.json @@ -8,7 +8,7 @@ "id": "attack-pattern--92ac0cef-de80-4baa-869c-dc993492c0da", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.381478Z", "name": "SHA256::Cryptographic Hash", "description": "Malware uses a SHA-256 hash.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", "external_id": "C0029.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--9398839c-520f-4aab-9c81-92d6518800e7.json b/mbc/attack-pattern/attack-pattern--9398839c-520f-4aab-9c81-92d6518800e7.json index 176bce22..d5f4d9bc 100644 --- a/mbc/attack-pattern/attack-pattern--9398839c-520f-4aab-9c81-92d6518800e7.json +++ b/mbc/attack-pattern/attack-pattern--9398839c-520f-4aab-9c81-92d6518800e7.json 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/check-string.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/check-string.md", "external_id": "C0019" } ], diff --git a/mbc/attack-pattern/attack-pattern--93ac6386-6f04-44cd-b7a5-78da3ced8b13.json b/mbc/attack-pattern/attack-pattern--93ac6386-6f04-44cd-b7a5-78da3ced8b13.json index 45416055..bf74ed30 100644 --- a/mbc/attack-pattern/attack-pattern--93ac6386-6f04-44cd-b7a5-78da3ced8b13.json +++ b/mbc/attack-pattern/attack-pattern--93ac6386-6f04-44cd-b7a5-78da3ced8b13.json @@ -8,7 +8,7 @@ "id": "attack-pattern--93ac6386-6f04-44cd-b7a5-78da3ced8b13", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.467265Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.317071Z", "name": "Parent Process", "description": "(Explorer.exe); Executing an application by a debugger will result in the parent process being the debugger process rather than the shell process (Explorer.exe) or the command line. Malware checks its parent process; if it's not explorer.exe, it's assumed to be a debugger.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.018" }, { diff --git a/mbc/attack-pattern/attack-pattern--93bd89e3-9cfd-47f6-9fed-bb13b58acd82.json b/mbc/attack-pattern/attack-pattern--93bd89e3-9cfd-47f6-9fed-bb13b58acd82.json index a76b417e..6a824ce7 100644 --- a/mbc/attack-pattern/attack-pattern--93bd89e3-9cfd-47f6-9fed-bb13b58acd82.json +++ b/mbc/attack-pattern/attack-pattern--93bd89e3-9cfd-47f6-9fed-bb13b58acd82.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--93bd89e3-9cfd-47f6-9fed-bb13b58acd82", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.491263Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.284044Z", "name": "Check Virtual Devices", "description": "The presence of virtual devices can indicate a virtualized environment (e.g., \"\\\\.\\VBoxTrayIPC\").", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.008" }, { diff --git a/mbc/attack-pattern/attack-pattern--9406d0e3-7e61-42c9-8532-a35459deb4e7.json b/mbc/attack-pattern/attack-pattern--9406d0e3-7e61-42c9-8532-a35459deb4e7.json index 5b167446..e2d56dfb 100644 --- a/mbc/attack-pattern/attack-pattern--9406d0e3-7e61-42c9-8532-a35459deb4e7.json +++ b/mbc/attack-pattern/attack-pattern--9406d0e3-7e61-42c9-8532-a35459deb4e7.json @@ -8,7 +8,7 @@ "id": "attack-pattern--9406d0e3-7e61-42c9-8532-a35459deb4e7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.492261Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.284658Z", "name": "Check Windows - Title bars", "description": "Malware may check windows for VM-related characteristics. May inject malicious code to svchost.exe to check all open window title bar text to a list of strings indicating virtualized environment.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.022" } ], diff --git a/mbc/attack-pattern/attack-pattern--94813d2d-0eb5-4037-8c03-07896bd7233b.json b/mbc/attack-pattern/attack-pattern--94813d2d-0eb5-4037-8c03-07896bd7233b.json index 0545cc3f..84fd700c 100644 --- a/mbc/attack-pattern/attack-pattern--94813d2d-0eb5-4037-8c03-07896bd7233b.json +++ b/mbc/attack-pattern/attack-pattern--94813d2d-0eb5-4037-8c03-07896bd7233b.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", "external_id": "C0005.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2.json b/mbc/attack-pattern/attack-pattern--948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2.json index 87604d1b..f09be870 100644 --- a/mbc/attack-pattern/attack-pattern--948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2.json +++ b/mbc/attack-pattern/attack-pattern--948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2.json @@ -8,7 +8,7 @@ "id": "attack-pattern--948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.981483Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.373431Z", "name": "Send Data::Socket Communication", "description": "Send data on socket.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.007" } ], diff --git a/mbc/attack-pattern/attack-pattern--957f9b42-4f80-4da0-8dd1-75738e470fe2.json b/mbc/attack-pattern/attack-pattern--957f9b42-4f80-4da0-8dd1-75738e470fe2.json index 935d44ce..0332d09e 100644 --- a/mbc/attack-pattern/attack-pattern--957f9b42-4f80-4da0-8dd1-75738e470fe2.json +++ b/mbc/attack-pattern/attack-pattern--957f9b42-4f80-4da0-8dd1-75738e470fe2.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-thread.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-thread.md", "external_id": "C0038" } ], diff --git a/mbc/attack-pattern/attack-pattern--95c86aee-57b2-4cc2-9354-772a30b4024f.json b/mbc/attack-pattern/attack-pattern--95c86aee-57b2-4cc2-9354-772a30b4024f.json index 11538c4f..e15844b2 100644 --- a/mbc/attack-pattern/attack-pattern--95c86aee-57b2-4cc2-9354-772a30b4024f.json +++ b/mbc/attack-pattern/attack-pattern--95c86aee-57b2-4cc2-9354-772a30b4024f.json @@ -8,7 +8,7 @@ "id": "attack-pattern--95c86aee-57b2-4cc2-9354-772a30b4024f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.707263Z", - "modified": "2022-02-05T00:37:22.663601Z", + "modified": "2022-09-08T18:26:13.216141Z", "name": "Process detection - Process Utilities", "description": "Malware can scan for the process name associated with common analysis tools. ProcessHacker / SysAnalyzer / HookExplorer / SysInspector", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", "external_id": "B0013.005" } ], diff --git a/mbc/attack-pattern/attack-pattern--9615d610-999a-417d-bf19-54da01c38b89.json b/mbc/attack-pattern/attack-pattern--9615d610-999a-417d-bf19-54da01c38b89.json index 390cd560..18c2b532 100644 --- a/mbc/attack-pattern/attack-pattern--9615d610-999a-417d-bf19-54da01c38b89.json +++ b/mbc/attack-pattern/attack-pattern--9615d610-999a-417d-bf19-54da01c38b89.json @@ -8,7 +8,7 @@ "id": "attack-pattern--9615d610-999a-417d-bf19-54da01c38b89", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.502264Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.291887Z", "name": "Unique Hardware/Firmware Check", "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.023" } ], diff --git a/mbc/attack-pattern/attack-pattern--963d7b96-04f2-4c34-82ae-64bc6d5d37dc.json b/mbc/attack-pattern/attack-pattern--963d7b96-04f2-4c34-82ae-64bc6d5d37dc.json index 64e3a7d9..997b1d35 100644 --- a/mbc/attack-pattern/attack-pattern--963d7b96-04f2-4c34-82ae-64bc6d5d37dc.json +++ b/mbc/attack-pattern/attack-pattern--963d7b96-04f2-4c34-82ae-64bc6d5d37dc.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--963d7b96-04f2-4c34-82ae-64bc6d5d37dc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.606261Z", - "modified": "2022-02-05T00:37:22.601096Z", + "modified": "2022-09-08T18:26:13.229783Z", "name": "Request Email Template", "description": "Request email template.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", "external_id": "B0030.009" } ], diff --git a/mbc/attack-pattern/attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397.json b/mbc/attack-pattern/attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397.json index 0ae9a31a..58c882d3 100644 --- a/mbc/attack-pattern/attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397.json +++ b/mbc/attack-pattern/attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397.json 
@@ -8,9 +8,9 @@
"id": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2020-08-21T20:49:59.708261Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.217492Z",
"name": "Analysis Tool Discovery",
- "description": "Malware can employ various means to detect whether analysis tools are present or running on the system on which it is executing. Note that analysis tools are used to *analyze* malware whereas security software (see [Software Discovery: Security Software Discovery](https://attack.mitre.org/techniques/T1518/001/)) aims to *detect/mitigate* malware on a system or network.",
+ "description": "Malware can employ various means to detect whether analysis tools are present or running on the system on which it is executing. Note that analysis tools are used to *analyze* malware whereas security software (see **Software Discovery: Security Software Discovery ([T1518](https://attack.mitre.org/techniques/T1518/001/))** aims to *detect/mitigate* malware on a system or network.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
@@ -20,8 +20,16 @@
"external_references": [
{
"source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md",
"external_id": "B0013"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf"
}
],
"object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--966c59f0-e5f7-4c3f-80f8-49091c015ad7.json b/mbc/attack-pattern/attack-pattern--966c59f0-e5f7-4c3f-80f8-49091c015ad7.json
index b5ab8186..3d82428e 100644
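Review bot: In the rewritten `description` the link text is `[T1518]` but the URL resolves to the sub-technique `https://attack.mitre.org/techniques/T1518/001/`, so readers see the parent technique ID while the link lands on Security Software Discovery (T1518.001); the original text had them consistent. Either label the link `[T1518.001](https://attack.mitre.org/techniques/T1518/001/)` or point it at `https://attack.mitre.org/techniques/T1518/` if the parent technique is intended. The two `external_source` references added in the second hunk carry only a `url`, whereas other reference entries in this diff pair the URL with a short `description`; a title such as `"Deep Analysis of New Emotet Variant (Part 1), Fortinet."` keeps the citation meaningful if the blog URL rots. The `}` closing the external_references entry and the start of `object_marking_refs` are the only context after the additions, so the rest of the object is outside the hunk.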
--- a/mbc/attack-pattern/attack-pattern--966c59f0-e5f7-4c3f-80f8-49091c015ad7.json +++ b/mbc/attack-pattern/attack-pattern--966c59f0-e5f7-4c3f-80f8-49091c015ad7.json @@ -8,7 +8,7 @@ "id": "attack-pattern--966c59f0-e5f7-4c3f-80f8-49091c015ad7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.405881Z", "name": "Encoding", "description": "A malware sample, file, or other information is encoded.", "kill_chain_phases": [ @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", "external_id": "E1027.m01" } ], diff --git a/mbc/attack-pattern/attack-pattern--968a2baa-33b0-4c2a-afb8-b899e1acbc0a.json b/mbc/attack-pattern/attack-pattern--968a2baa-33b0-4c2a-afb8-b899e1acbc0a.json index 603e676e..87febb75 100644 --- a/mbc/attack-pattern/attack-pattern--968a2baa-33b0-4c2a-afb8-b899e1acbc0a.json +++ b/mbc/attack-pattern/attack-pattern--968a2baa-33b0-4c2a-afb8-b899e1acbc0a.json @@ -8,7 +8,7 @@ "id": "attack-pattern--968a2baa-33b0-4c2a-afb8-b899e1acbc0a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.936476Z", - "modified": "2022-02-05T00:37:22.663601Z", + "modified": "2022-09-08T18:26:13.208374Z", "name": "Log File", "description": "Malware may look for system log files.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/file-discover.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/file-and-directory-discovery.md", "external_id": "E1083.m01" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--97024953-18b1-43d8-adf2-207ac2dca44e.json b/mbc/attack-pattern/attack-pattern--97024953-18b1-43d8-adf2-207ac2dca44e.json index 629fb889..9e255bca 100644 --- a/mbc/attack-pattern/attack-pattern--97024953-18b1-43d8-adf2-207ac2dca44e.json +++ b/mbc/attack-pattern/attack-pattern--97024953-18b1-43d8-adf2-207ac2dca44e.json @@ -8,7 +8,7 @@ "id": "attack-pattern--97024953-18b1-43d8-adf2-207ac2dca44e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.479261Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.323623Z", "name": "Check for Emulator-related Files", "description": "Checks whether particular files (e.g., QEMU files) exist.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md", "external_id": "B0004.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--97a53670-fbd8-40bb-a950-acec7a6e7958.json b/mbc/attack-pattern/attack-pattern--97a53670-fbd8-40bb-a950-acec7a6e7958.json index 87def1dd..aa53e417 100644 --- a/mbc/attack-pattern/attack-pattern--97a53670-fbd8-40bb-a950-acec7a6e7958.json +++ b/mbc/attack-pattern/attack-pattern--97a53670-fbd8-40bb-a950-acec7a6e7958.json @@ -8,7 +8,7 @@ "id": "attack-pattern--97a53670-fbd8-40bb-a950-acec7a6e7958", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.980486Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.371634Z", "name": "Initialize Winsock Library::Socket Communication", "description": "Winsock is initialized for TCP communication.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.009" } ], diff --git a/mbc/attack-pattern/attack-pattern--97dff623-9e06-4810-b316-8eedabe893f0.json b/mbc/attack-pattern/attack-pattern--97dff623-9e06-4810-b316-8eedabe893f0.json index 77a73400..a3966030 100644 --- a/mbc/attack-pattern/attack-pattern--97dff623-9e06-4810-b316-8eedabe893f0.json +++ b/mbc/attack-pattern/attack-pattern--97dff623-9e06-4810-b316-8eedabe893f0.json @@ -8,7 +8,7 @@ "id": "attack-pattern--97dff623-9e06-4810-b316-8eedabe893f0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.87726Z", - "modified": "2022-02-05T00:37:22.804261Z", + "modified": "2022-09-08T18:26:13.339743Z", "name": "Executable Stack::Change Memory Protection", "description": "The stack is made executable.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/memory-protect.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/change-memory-protection.md", "external_id": "C0008.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--bc6ed4f1-4e73-477a-b05c-a49a3dd52642.json b/mbc/attack-pattern/attack-pattern--97ebea10-8852-4c4f-bf50-8b866ebc90ab.json similarity index 54% rename from mbc/attack-pattern/attack-pattern--bc6ed4f1-4e73-477a-b05c-a49a3dd52642.json rename to mbc/attack-pattern/attack-pattern--97ebea10-8852-4c4f-bf50-8b866ebc90ab.json index 15b4366f..f905fead 100644 --- a/mbc/attack-pattern/attack-pattern--bc6ed4f1-4e73-477a-b05c-a49a3dd52642.json +++ b/mbc/attack-pattern/attack-pattern--97ebea10-8852-4c4f-bf50-8b866ebc90ab.json 
@@ -1,15 +1,16 @@
{
"type": "bundle",
- "id": "bundle--68a49fd5-69e1-447c-998a-40d5a82776e8",
+ "id": "bundle--9377b567-6cec-434d-8281-5877b5823876",
"objects": [
{
"type": "attack-pattern",
"spec_version": "2.1",
- "id": "attack-pattern--bc6ed4f1-4e73-477a-b05c-a49a3dd52642",
+ "id": "attack-pattern--97ebea10-8852-4c4f-bf50-8b866ebc90ab",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.462262Z",
- "modified": "2022-02-05T00:37:22.491757Z",
- "name": "Interrupt 1",
+ "created": "2022-09-08T18:26:13.312829Z",
+ "modified": "2022-09-08T18:26:13.312829Z",
+ "name": "Check Processes",
+ "description": "The malware may check running processes for specific strings such as \"malw\" to detect a analysis environment.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
@@ -19,13 +20,8 @@
"external_references": [
{
"source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
- "external_id": "B0001.007"
- },
- {
- "source_name": "external_source",
- "description": "Anti Debugging Tricks, Al-Khaser.",
- "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks"
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
+ "external_id": "B0001.038"
}
],
"object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--97fc67af-9ec6-44a7-8187-32e07b5cdcb5.json b/mbc/attack-pattern/attack-pattern--97fc67af-9ec6-44a7-8187-32e07b5cdcb5.json
index 4aa88de5..da0a37e4 100644
--- a/mbc/attack-pattern/attack-pattern--97fc67af-9ec6-44a7-8187-32e07b5cdcb5.json
+++ b/mbc/attack-pattern/attack-pattern--97fc67af-9ec6-44a7-8187-32e07b5cdcb5.json
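Review bot: Git reports this file as a 54% rename, but the hunks show the STIX object `attack-pattern--bc6ed4f1-4e73-477a-b05c-a49a3dd52642` (Interrupt 1, B0001.007) being removed outright and an unrelated object with a fresh UUID (`attack-pattern--97ebea10-…`, B0001.038) written in its place, so any relationship or other bundle in the corpus that still references the old id now dangles. STIX 2.1 expects a retired object to stay published with `"revoked": true` (and a bumped `modified`) rather than vanish, so consider keeping the old bundle with that marker and adding the new behavior as its own file; I could not check the rest of the repository from here, so whether anything references the old id is inferred. The new `description` also has a typo: `to detect a analysis environment` should read `to detect an analysis environment`.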
@@ -8,7 +8,7 @@ "id": "attack-pattern--97fc67af-9ec6-44a7-8187-32e07b5cdcb5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.469264Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.31816Z", "name": "Process Environment Block NtGlobalFlag", "description": "The NtGlobalFlag field is tested to determine whether the process is being debugged.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.036" } ], diff --git a/mbc/attack-pattern/attack-pattern--98cc634e-8ebb-4c19-b3f1-bea0abef18ae.json b/mbc/attack-pattern/attack-pattern--98cc634e-8ebb-4c19-b3f1-bea0abef18ae.json index e09668ac..b19a8175 100644 --- a/mbc/attack-pattern/attack-pattern--98cc634e-8ebb-4c19-b3f1-bea0abef18ae.json +++ b/mbc/attack-pattern/attack-pattern--98cc634e-8ebb-4c19-b3f1-bea0abef18ae.json @@ -8,7 +8,7 @@ "id": "attack-pattern--98cc634e-8ebb-4c19-b3f1-bea0abef18ae", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.503263Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.292708Z", "name": "Unique Hardware/Firmware Check - CPU Name", "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. Checks the CPU name to determine virtualization.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.026" } ], diff --git a/mbc/attack-pattern/attack-pattern--999fdac4-2cd5-471e-960e-993f82214902.json b/mbc/attack-pattern/attack-pattern--999fdac4-2cd5-471e-960e-993f82214902.json index 613188f4..7e9b6172 100644 --- a/mbc/attack-pattern/attack-pattern--999fdac4-2cd5-471e-960e-993f82214902.json +++ b/mbc/attack-pattern/attack-pattern--999fdac4-2cd5-471e-960e-993f82214902.json @@ -8,7 +8,7 @@ "id": "attack-pattern--999fdac4-2cd5-471e-960e-993f82214902", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.558264Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.19278Z", "name": "Import Compression", "description": "Store and load imports with a compact import table format. Each DLL needed by the executable is mentioned in the IAT, but only one function from each/most is imported; the rest are imported via GetProcAddress calls.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", "external_id": "B0032.012" } ], diff --git a/mbc/attack-pattern/attack-pattern--99bd055e-cadd-4ed3-94a4-b21570cd8350.json b/mbc/attack-pattern/attack-pattern--99bd055e-cadd-4ed3-94a4-b21570cd8350.json index 78c0c52e..f06effac 100644 --- a/mbc/attack-pattern/attack-pattern--99bd055e-cadd-4ed3-94a4-b21570cd8350.json +++ b/mbc/attack-pattern/attack-pattern--99bd055e-cadd-4ed3-94a4-b21570cd8350.json 
@@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/keylogging.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/keylogging.md", "external_id": "F0002.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--9a20e319-4340-469f-a31c-5153dbd05bd0.json b/mbc/attack-pattern/attack-pattern--9a20e319-4340-469f-a31c-5153dbd05bd0.json index 898f461b..09581720 100644 --- a/mbc/attack-pattern/attack-pattern--9a20e319-4340-469f-a31c-5153dbd05bd0.json +++ b/mbc/attack-pattern/attack-pattern--9a20e319-4340-469f-a31c-5153dbd05bd0.json @@ -8,7 +8,7 @@ "id": "attack-pattern--9a20e319-4340-469f-a31c-5153dbd05bd0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.403868Z", "name": "Hardware/Firmware Rootkit", "description": "A firmware rootkit compromises hardware (e.g. network card, hard drive), system BIOS, UEFI firmware. LoJack is the first in-the-wild UEFI rootkit. See ATT&CK: [System Firmware](https://attack.mitre.org/techniques/T1542/001/).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md", "external_id": "E1014.m14" } ], diff --git a/mbc/attack-pattern/attack-pattern--9a5f43f7-dd94-4035-b335-9d0d388c93ae.json b/mbc/attack-pattern/attack-pattern--9a5f43f7-dd94-4035-b335-9d0d388c93ae.json index 27c7f1ab..5a070898 100644 --- a/mbc/attack-pattern/attack-pattern--9a5f43f7-dd94-4035-b335-9d0d388c93ae.json +++ b/mbc/attack-pattern/attack-pattern--9a5f43f7-dd94-4035-b335-9d0d388c93ae.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--9a5f43f7-dd94-4035-b335-9d0d388c93ae", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.678261Z", - "modified": "2022-02-05T00:37:22.694887Z", + "modified": "2022-09-08T18:26:13.272615Z", "name": "Encryption - Standard Encryption", "description": "Data is encrypted. A standard algorithm, such as Rijndael/AES, DES, RC4, is used to encrypt the exfiltrated data.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", "external_id": "E1560.m05" } ], diff --git a/mbc/attack-pattern/attack-pattern--9aa48852-5d9f-45e3-a094-113bc10c1cbc.json b/mbc/attack-pattern/attack-pattern--9aa48852-5d9f-45e3-a094-113bc10c1cbc.json index d8e2ed57..bc27d455 100644 --- a/mbc/attack-pattern/attack-pattern--9aa48852-5d9f-45e3-a094-113bc10c1cbc.json +++ b/mbc/attack-pattern/attack-pattern--9aa48852-5d9f-45e3-a094-113bc10c1cbc.json @@ -8,7 +8,7 @@ "id": "attack-pattern--9aa48852-5d9f-45e3-a094-113bc10c1cbc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.483264Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.296154Z", "name": "Check Files", "description": "Sandboxes create files on the file system. Malware can check the different folders to find sandbox artifacts.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", "external_id": "B0007.002" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--9aa6cbcb-2654-4533-a47c-3b44b62cb6a2.json b/mbc/attack-pattern/attack-pattern--9aa6cbcb-2654-4533-a47c-3b44b62cb6a2.json index 3be4fa3f..e8d2a7eb 100644 --- a/mbc/attack-pattern/attack-pattern--9aa6cbcb-2654-4533-a47c-3b44b62cb6a2.json +++ b/mbc/attack-pattern/attack-pattern--9aa6cbcb-2654-4533-a47c-3b44b62cb6a2.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", "external_id": "C0036.005" } ], diff --git a/mbc/attack-pattern/attack-pattern--9b4638cb-2e9b-480e-a502-4ac8acfa4dd8.json b/mbc/attack-pattern/attack-pattern--9b4638cb-2e9b-480e-a502-4ac8acfa4dd8.json index 2bc15fb8..99c63080 100644 --- a/mbc/attack-pattern/attack-pattern--9b4638cb-2e9b-480e-a502-4ac8acfa4dd8.json +++ b/mbc/attack-pattern/attack-pattern--9b4638cb-2e9b-480e-a502-4ac8acfa4dd8.json @@ -8,7 +8,7 @@ "id": "attack-pattern--9b4638cb-2e9b-480e-a502-4ac8acfa4dd8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.983492Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.375633Z", "name": "UDP Client::Socket Communication", "description": "UDP client behavior.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.013" } ], diff --git a/mbc/attack-pattern/attack-pattern--9c6a7353-74f8-468b-94d8-faee128fa78d.json b/mbc/attack-pattern/attack-pattern--9c6a7353-74f8-468b-94d8-faee128fa78d.json index 4391b908..5ba20d35 100644 
--- a/mbc/attack-pattern/attack-pattern--9c6a7353-74f8-468b-94d8-faee128fa78d.json +++ b/mbc/attack-pattern/attack-pattern--9c6a7353-74f8-468b-94d8-faee128fa78d.json @@ -8,7 +8,7 @@ "id": "attack-pattern--9c6a7353-74f8-468b-94d8-faee128fa78d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.007478Z", - "modified": "2022-02-05T00:37:22.788643Z", + "modified": "2022-09-08T18:26:13.33721Z", "name": "dhash::Non-Cryptographic Hash", "description": "Malware uses the dhash hash function.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md", "external_id": "C0030.004" } ], diff --git a/mbc/attack-pattern/attack-pattern--9dd6ef57-b3b3-48e8-a77e-233ffee5d45b.json b/mbc/attack-pattern/attack-pattern--9dd6ef57-b3b3-48e8-a77e-233ffee5d45b.json index b0e68b2a..21073f43 100644 --- a/mbc/attack-pattern/attack-pattern--9dd6ef57-b3b3-48e8-a77e-233ffee5d45b.json +++ b/mbc/attack-pattern/attack-pattern--9dd6ef57-b3b3-48e8-a77e-233ffee5d45b.json @@ -8,7 +8,7 @@ "id": "attack-pattern--9dd6ef57-b3b3-48e8-a77e-233ffee5d45b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.870658Z", - "modified": "2022-02-05T00:37:22.663601Z", + "modified": "2022-09-08T18:26:13.210153Z", "name": "Inspect Section Memory Permissions", "description": "Malware identifies section memory permissions from image section header.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/code-discover.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/code-discovery.md", "external_id": "B0046.002" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac.json b/mbc/attack-pattern/attack-pattern--9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac.json index 12f7000e..d94fc163 100644 --- a/mbc/attack-pattern/attack-pattern--9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac.json +++ b/mbc/attack-pattern/attack-pattern--9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac.json @@ -8,7 +8,7 @@ "id": "attack-pattern--9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.387325Z", "name": "Twofish::Decrypt Data", "description": "Malware decrypts data encrypted with the Twofish algorithm.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", "external_id": "C0031.014" } ], diff --git a/mbc/attack-pattern/attack-pattern--9f6817c0-0ec9-4097-a55b-b39b08db2b92.json b/mbc/attack-pattern/attack-pattern--9f6817c0-0ec9-4097-a55b-b39b08db2b92.json index 70b119a5..e5987ac7 100644 --- a/mbc/attack-pattern/attack-pattern--9f6817c0-0ec9-4097-a55b-b39b08db2b92.json +++ b/mbc/attack-pattern/attack-pattern--9f6817c0-0ec9-4097-a55b-b39b08db2b92.json @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", "external_id": "F0001.006" } ], diff --git a/mbc/attack-pattern/attack-pattern--9fb37268-5250-495b-b80c-96315169c1a8.json b/mbc/attack-pattern/attack-pattern--9fb37268-5250-495b-b80c-96315169c1a8.json new file mode 100644 index 00000000..40441545 
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--9fb37268-5250-495b-b80c-96315169c1a8.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--38b36f22-4dd7-49fe-90db-1d2b5379cf96",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9fb37268-5250-495b-b80c-96315169c1a8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.299902Z",
+ "modified": "2022-09-08T18:26:13.299902Z",
+ "name": "Test API Routines",
+ "description": "Calls Windows API routines with invalid arguments to identify error supression.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
+ "external_id": "B0007.010"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--9fb8ebbb-efc5-4f9c-8059-dca2a21412fd.json b/mbc/attack-pattern/attack-pattern--9fb8ebbb-efc5-4f9c-8059-dca2a21412fd.json
index ea7f4c6c..d6a5ff19 100644
--- a/mbc/attack-pattern/attack-pattern--9fb8ebbb-efc5-4f9c-8059-dca2a21412fd.json
+++ b/mbc/attack-pattern/attack-pattern--9fb8ebbb-efc5-4f9c-8059-dca2a21412fd.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--9fb8ebbb-efc5-4f9c-8059-dca2a21412fd",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.523261Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.327493Z",
 "name": "Hook File System",
 "description": "Execution happens when a particular file or directory is accessed, often through hooking certain API calls such as CreateFileA and CreateFileW.",
 "kill_chain_phases": [
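Review bot: The new "Test API Routines" object ships a typo in the description that will be displayed verbatim by every MBC/STIX consumer: `"description": "Calls Windows API routines with invalid arguments to identify error suppression."`. While touching it, the sentence would be more useful to an analyst if it said what a suppressed error is taken to indicate (presumably an API-hooking sandbox that swallows failures rather than returning the real error code; confirm against the v2.3 sandbox-detection page before stating it). The file is also committed without a trailing newline (`\ No newline at end of file`), unlike the existing objects in this tree; add one so the generator's output is stable across runs.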
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", "external_id": "B0003.007" } ], diff --git a/mbc/attack-pattern/attack-pattern--a0021942-1e00-442e-8ed8-285293eeb5e9.json b/mbc/attack-pattern/attack-pattern--a0021942-1e00-442e-8ed8-285293eeb5e9.json index 0dbde27d..4f8a9c00 100644 --- a/mbc/attack-pattern/attack-pattern--a0021942-1e00-442e-8ed8-285293eeb5e9.json +++ b/mbc/attack-pattern/attack-pattern--a0021942-1e00-442e-8ed8-285293eeb5e9.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a0021942-1e00-442e-8ed8-285293eeb5e9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.381759Z", "name": "Snefru::Cryptographic Hash", "description": "Malware uses a Snefru hash.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", "external_id": "C0029.006" } ], diff --git a/mbc/attack-pattern/attack-pattern--a0033d2f-e4c5-4bbf-854b-198fd82d0c0b.json b/mbc/attack-pattern/attack-pattern--a0033d2f-e4c5-4bbf-854b-198fd82d0c0b.json index a4e15b15..8a03aa08 100644 --- a/mbc/attack-pattern/attack-pattern--a0033d2f-e4c5-4bbf-854b-198fd82d0c0b.json +++ b/mbc/attack-pattern/attack-pattern--a0033d2f-e4c5-4bbf-854b-198fd82d0c0b.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--a0033d2f-e4c5-4bbf-854b-198fd82d0c0b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.498264Z", - "modified": "2022-02-05T00:37:22.523012Z", + "modified": "2022-09-08T18:26:13.288016Z", "name": "Instruction Testing - SMSW", "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.032" }, { diff --git a/mbc/attack-pattern/attack-pattern--a03af833-a578-465a-bf8c-43c9db4f4775.json b/mbc/attack-pattern/attack-pattern--a03af833-a578-465a-bf8c-43c9db4f4775.json index 9a9d7c45..c2d9051f 100644 --- a/mbc/attack-pattern/attack-pattern--a03af833-a578-465a-bf8c-43c9db4f4775.json +++ b/mbc/attack-pattern/attack-pattern--a03af833-a578-465a-bf8c-43c9db4f4775.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a03af833-a578-465a-bf8c-43c9db4f4775", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.783046Z", - "modified": "2022-02-05T00:37:22.601096Z", + "modified": "2022-09-08T18:26:13.227069Z", "name": "Authenticate", "description": "Implant may authenticate itself to the controller, controller may authenticate itself to implant, or both. This is often at or near the start of communication. Examples include but are not limited to a simple shared secret (e.g. password), challenge-response with symmetric encryption, or challenge-response with asymmetric encryption.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.011"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--a385dfe3-ba5e-4cc7-9a6d-a38349b44739.json b/mbc/attack-pattern/attack-pattern--a385dfe3-ba5e-4cc7-9a6d-a38349b44739.json
new file mode 100644
index 00000000..c82f4602
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--a385dfe3-ba5e-4cc7-9a6d-a38349b44739.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--bfdd7d25-6a5a-4fb9-a03d-d00bdaba7694",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a385dfe3-ba5e-4cc7-9a6d-a38349b44739",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.393348Z",
+ "modified": "2022-09-08T18:26:13.393348Z",
+ "name": "API Call::Crypto Library",
+ "description": "Malware uses crypto API calls.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-lib.md",
+ "external_id": "C0059.001"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--a438adb9-e8d8-40da-8fb3-0500b0c812f5.json b/mbc/attack-pattern/attack-pattern--a438adb9-e8d8-40da-8fb3-0500b0c812f5.json
index 065ad359..3e12c5de 100644
--- a/mbc/attack-pattern/attack-pattern--a438adb9-e8d8-40da-8fb3-0500b0c812f5.json
+++ b/mbc/attack-pattern/attack-pattern--a438adb9-e8d8-40da-8fb3-0500b0c812f5.json
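Review bot: The external reference for the new "API Call::Crypto Library" object points at `micro-behaviors/cryptography/crypto-lib.md`, but every other v2.3 URL rewritten in this commit moves to an expanded page name (`decrypt-data.md`, `encrypt-data.md`, `cryptographic-hash.md`, `noncryptographic-hash.md`), so this abbreviated path looks like it was carried over from the old naming scheme; please confirm it resolves at the v2.3 tag, otherwise C0059.001 ships with a dead link. The description `"Malware uses crypto API calls."` adds nothing beyond the name; sibling objects name at least one concrete API or instruction (e.g. `CreateFileA`/`CreateFileW` in "Hook File System"), and a line such as `"Malware calls a cryptographic library API (e.g. an OS-provided crypto API) rather than implementing the primitive itself."` would give an analyst something to match on, provided that is what the v2.3 page says. The file also lacks a trailing newline (`\ No newline at end of file`); add one for consistency with the existing objects.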
@@ -8,7 +8,7 @@ "id": "attack-pattern--a438adb9-e8d8-40da-8fb3-0500b0c812f5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.736174Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.277014Z", "name": "Hook memory mapping APIs", "description": "Hooking prevents memory dumps by preventing mapping of memory into the kernel's virtual address space.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", "external_id": "B0006.010" }, { diff --git a/mbc/attack-pattern/attack-pattern--a453cf88-1389-4ffd-8f3c-e95475f10a9f.json b/mbc/attack-pattern/attack-pattern--a453cf88-1389-4ffd-8f3c-e95475f10a9f.json index 60e2e5d4..998e8213 100644 --- a/mbc/attack-pattern/attack-pattern--a453cf88-1389-4ffd-8f3c-e95475f10a9f.json +++ b/mbc/attack-pattern/attack-pattern--a453cf88-1389-4ffd-8f3c-e95475f10a9f.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a453cf88-1389-4ffd-8f3c-e95475f10a9f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.989483Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.384472Z", "name": "Blowfish::Decrypt Data", "description": "Malware decrypts data encrypted with the Blowfish algorithm.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", "external_id": "C0031.003" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--a46f5dce-2530-4823-8253-d702c8b2abeb.json b/mbc/attack-pattern/attack-pattern--a46f5dce-2530-4823-8253-d702c8b2abeb.json index 8c04a974..64b1db24 100644 --- a/mbc/attack-pattern/attack-pattern--a46f5dce-2530-4823-8253-d702c8b2abeb.json +++ b/mbc/attack-pattern/attack-pattern--a46f5dce-2530-4823-8253-d702c8b2abeb.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a46f5dce-2530-4823-8253-d702c8b2abeb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.783046Z", - "modified": "2022-02-05T00:37:22.601096Z", + "modified": "2022-09-08T18:26:13.227674Z", "name": "Directory Listing", "description": "Controller requests a directory listing from the implant, optionally from a given path, optionally recursive.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", "external_id": "B0030.012" } ], diff --git a/mbc/attack-pattern/attack-pattern--a53ab24d-020a-46dc-8a13-7ef51ab07f35.json b/mbc/attack-pattern/attack-pattern--a53ab24d-020a-46dc-8a13-7ef51ab07f35.json index f5f7c2da..1271e4af 100644 --- a/mbc/attack-pattern/attack-pattern--a53ab24d-020a-46dc-8a13-7ef51ab07f35.json +++ b/mbc/attack-pattern/attack-pattern--a53ab24d-020a-46dc-8a13-7ef51ab07f35.json 
@@ -8,9 +8,9 @@ "id": "attack-pattern--a53ab24d-020a-46dc-8a13-7ef51ab07f35", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.883261Z", - "modified": "2022-02-05T00:37:22.804261Z", + "modified": "2022-09-08T18:26:13.341413Z", "name": "Stack Pivot", - "description": "Stack pivoting involves pointing the stack pointer to an attacker-owned buffer, such as the heap, and facilitates exploits such as ROP-based exploits (see [Bypass DEP](https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/bypass-dep.md) behavior).", + "description": "Stack pivoting involves pointing the stack pointer to an attacker-owned buffer, such as the heap, and facilitates exploits such as ROP-based exploits (see [Bypass DEP](https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/bypass-data-execution-prevention.md) behavior).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/stack-pivot.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/stack-pivot.md", "external_id": "C0009" } ], diff --git a/mbc/attack-pattern/attack-pattern--a5490a04-b672-4587-ae13-f0a25eb1cea4.json b/mbc/attack-pattern/attack-pattern--a5490a04-b672-4587-ae13-f0a25eb1cea4.json index a8ca3d06..4eb5356c 100644 --- a/mbc/attack-pattern/attack-pattern--a5490a04-b672-4587-ae13-f0a25eb1cea4.json +++ b/mbc/attack-pattern/attack-pattern--a5490a04-b672-4587-ae13-f0a25eb1cea4.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/shutdown-event.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/shutdown-event.md", "external_id": "B0035" }, { 
diff --git a/mbc/attack-pattern/attack-pattern--a5589cd0-a6ee-4d1a-9963-3c44e9734242.json b/mbc/attack-pattern/attack-pattern--a5589cd0-a6ee-4d1a-9963-3c44e9734242.json index 40d066d0..7dab9c32 100644 --- a/mbc/attack-pattern/attack-pattern--a5589cd0-a6ee-4d1a-9963-3c44e9734242.json +++ b/mbc/attack-pattern/attack-pattern--a5589cd0-a6ee-4d1a-9963-3c44e9734242.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a5589cd0-a6ee-4d1a-9963-3c44e9734242", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.706262Z", - "modified": "2022-02-05T00:37:22.663601Z", + "modified": "2022-09-08T18:26:13.21541Z", "name": "Process detection - Debuggers", "description": "Malware can scan for the process name associated with common analysis tools. OllyDBG / ImmunityDebugger / WinDbg / IDA Pro", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", "external_id": "B0013.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--a5bc5daf-255e-4e9b-a4c4-508dc3a434ff.json b/mbc/attack-pattern/attack-pattern--a5bc5daf-255e-4e9b-a4c4-508dc3a434ff.json index e328bc2e..e51650c3 100644 --- a/mbc/attack-pattern/attack-pattern--a5bc5daf-255e-4e9b-a4c4-508dc3a434ff.json +++ b/mbc/attack-pattern/attack-pattern--a5bc5daf-255e-4e9b-a4c4-508dc3a434ff.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a5bc5daf-255e-4e9b-a4c4-508dc3a434ff", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.754261Z", - "modified": "2022-02-05T00:37:22.694887Z", + "modified": "2022-09-08T18:26:13.273564Z", "name": "Exfiltrate via File Hosting Service", "description": "Malware may exfiltrate files to a file hosting location.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/auto-exfiltrate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/automated-exfiltration.md", "external_id": "E1020.m01" } ], diff --git a/mbc/attack-pattern/attack-pattern--a60432c5-54ee-4c76-be1b-409f3f0e4795.json b/mbc/attack-pattern/attack-pattern--a60432c5-54ee-4c76-be1b-409f3f0e4795.json index 6d6acbaf..2d47ec7f 100644 --- a/mbc/attack-pattern/attack-pattern--a60432c5-54ee-4c76-be1b-409f3f0e4795.json +++ b/mbc/attack-pattern/attack-pattern--a60432c5-54ee-4c76-be1b-409f3f0e4795.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a60432c5-54ee-4c76-be1b-409f3f0e4795", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.928367Z", - "modified": "2022-02-05T00:37:22.71051Z", + "modified": "2022-09-08T18:26:13.270304Z", "name": "Ransom Note", "description": "Ransomware displays a ransom note. Ransom notes are sometimes used to link instances of ransomware, even when the code or anti-analysis techniques change.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/encrypt-impact.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-encrypted-for-impact.md", "external_id": "E1486.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--a6389b1f-c2f4-4bb7-8b52-6725b00f6052.json b/mbc/attack-pattern/attack-pattern--a6389b1f-c2f4-4bb7-8b52-6725b00f6052.json index d8e7c111..670d6efd 100644 --- a/mbc/attack-pattern/attack-pattern--a6389b1f-c2f4-4bb7-8b52-6725b00f6052.json +++ b/mbc/attack-pattern/attack-pattern--a6389b1f-c2f4-4bb7-8b52-6725b00f6052.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--a6389b1f-c2f4-4bb7-8b52-6725b00f6052", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.688263Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.409864Z", "name": "Injection and Persistence via Registry Modification", "description": "Malware may insert the location of its malicious library under a registry key (e.g., Appinit_DLL, AppCertDlls, IFEO) to have another process load its library.", "kill_chain_phases": [ @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md", "external_id": "E1055.m02" }, { diff --git a/mbc/attack-pattern/attack-pattern--a67c8a5d-cce9-4892-9338-9fec55e45419.json b/mbc/attack-pattern/attack-pattern--a67c8a5d-cce9-4892-9338-9fec55e45419.json index c9091da1..4fe6dc8e 100644 --- a/mbc/attack-pattern/attack-pattern--a67c8a5d-cce9-4892-9338-9fec55e45419.json +++ b/mbc/attack-pattern/attack-pattern--a67c8a5d-cce9-4892-9338-9fec55e45419.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a67c8a5d-cce9-4892-9338-9fec55e45419", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.491263Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.283798Z", "name": "Check Software", "description": "Malware may check software version; for example, to determine whether the software is relatively current.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.007" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--a6c50b34-3247-4e39-91d5-75f4fb97a9f9.json b/mbc/attack-pattern/attack-pattern--a6c50b34-3247-4e39-91d5-75f4fb97a9f9.json index 3e9b3e50..b68b4bfe 100644 --- a/mbc/attack-pattern/attack-pattern--a6c50b34-3247-4e39-91d5-75f4fb97a9f9.json +++ b/mbc/attack-pattern/attack-pattern--a6c50b34-3247-4e39-91d5-75f4fb97a9f9.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a6c50b34-3247-4e39-91d5-75f4fb97a9f9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.993484Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.390576Z", "name": "RSA::Encrypt Data", "description": "Malware encrypts with the RSA algorithm.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", "external_id": "C0027.011" } ], diff --git a/mbc/attack-pattern/attack-pattern--a7d53e43-1336-49be-bf6b-9cc3fb832ab2.json b/mbc/attack-pattern/attack-pattern--a7d53e43-1336-49be-bf6b-9cc3fb832ab2.json index 273f281a..8ae0adac 100644 --- a/mbc/attack-pattern/attack-pattern--a7d53e43-1336-49be-bf6b-9cc3fb832ab2.json +++ b/mbc/attack-pattern/attack-pattern--a7d53e43-1336-49be-bf6b-9cc3fb832ab2.json @@ -8,7 +8,7 @@ "id": "attack-pattern--a7d53e43-1336-49be-bf6b-9cc3fb832ab2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.473261Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.320052Z", "name": "Stack Canary", "description": "Similar to the anti-exploitation method of the same name, malware may try to detect mucking with values on the stack.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.026"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--a8761808-d474-430a-9bd9-c770bc1163be.json b/mbc/attack-pattern/attack-pattern--a8761808-d474-430a-9bd9-c770bc1163be.json
index f622ca52..cf8e0736 100644
--- a/mbc/attack-pattern/attack-pattern--a8761808-d474-430a-9bd9-c770bc1163be.json
+++ b/mbc/attack-pattern/attack-pattern--a8761808-d474-430a-9bd9-c770bc1163be.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--a8761808-d474-430a-9bd9-c770bc1163be",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.989483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.384972Z",
 "name": "3DES::Decrypt Data",
 "description": "Malware decrypts data encrypted with the 3DES algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
 "external_id": "C0031.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--a894c73b-8a05-4d53-86e8-39434b189fb6.json b/mbc/attack-pattern/attack-pattern--a894c73b-8a05-4d53-86e8-39434b189fb6.json
index eaf03503..c60dd3c2 100644
--- a/mbc/attack-pattern/attack-pattern--a894c73b-8a05-4d53-86e8-39434b189fb6.json
+++ b/mbc/attack-pattern/attack-pattern--a894c73b-8a05-4d53-86e8-39434b189fb6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--a894c73b-8a05-4d53-86e8-39434b189fb6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.751794Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.205139Z",
 "name": "Implicit Flows",
 "description": "Data is propagated via semantic relationships, for example one variable not changing its state could imply the state of another variable.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-data-flow-analysis.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/data-flow-analysis-evasion.md",
 "external_id": "B0045.002"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--a90fbac2-8ec1-486c-85bf-6cb6269a5ea6.json b/mbc/attack-pattern/attack-pattern--a90fbac2-8ec1-486c-85bf-6cb6269a5ea6.json
index bb9f2f91..5afdff31 100644
--- a/mbc/attack-pattern/attack-pattern--a90fbac2-8ec1-486c-85bf-6cb6269a5ea6.json
+++ b/mbc/attack-pattern/attack-pattern--a90fbac2-8ec1-486c-85bf-6cb6269a5ea6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--a90fbac2-8ec1-486c-85bf-6cb6269a5ea6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.788262Z",
- "modified": "2022-02-05T00:37:22.71051Z",
+ "modified": "2022-09-08T18:26:13.260856Z",
 "name": "Password Cracking",
 "description": "Consume system resources for the purpose of password cracking.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/hijack-sys-resources.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/resource-hijacking.md",
 "external_id": "B0018.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--a9364e83-2893-4989-b01a-e74ea9ced03a.json b/mbc/attack-pattern/attack-pattern--a9364e83-2893-4989-b01a-e74ea9ced03a.json
index 1d8cab28..d6d1895c 100644
--- a/mbc/attack-pattern/attack-pattern--a9364e83-2893-4989-b01a-e74ea9ced03a.json
+++ b/mbc/attack-pattern/attack-pattern--a9364e83-2893-4989-b01a-e74ea9ced03a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--a9364e83-2893-4989-b01a-e74ea9ced03a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.493266Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.285146Z",
 "name": "Check Windows - Window size",
 "description": "Malware may check windows for VM-related characteristics. Tiny window size may indicate a VM.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.020"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078.json b/mbc/attack-pattern/attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078.json
index 98cdd8a3..c1fcf7b7 100644
--- a/mbc/attack-pattern/attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078.json
+++ b/mbc/attack-pattern/attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.00648Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.33634Z",
 "name": "Encode Data",
 "description": "Malware may encode data.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/encode.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/encode-data.md",
 "external_id": "C0026"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--a962a19b-79e6-4154-a634-b85d9e9d0264.json b/mbc/attack-pattern/attack-pattern--a962a19b-79e6-4154-a634-b85d9e9d0264.json
index fc20b5a7..60923f6b 100644
--- a/mbc/attack-pattern/attack-pattern--a962a19b-79e6-4154-a634-b85d9e9d0264.json
+++ b/mbc/attack-pattern/attack-pattern--a962a19b-79e6-4154-a634-b85d9e9d0264.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--a962a19b-79e6-4154-a634-b85d9e9d0264",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.689293Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.296639Z",
 "name": "Human User Check",
- "description": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. Directories or file might be counted. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel . This method is very similar to ATT&CK's [Virtualization/Sandbox Evasion: User Activity Based Checks](https://attack.mitre.org/techniques/T1497/002/) sub-technique.",
+ "description": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. Directories or file might be counted. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel . This method is similar to ATT&CK's [Virtualization/Sandbox Evasion: User Activity Based Checks](https://attack.mitre.org/techniques/T1497/002/) sub-technique.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
 "external_id": "B0007.003"
 },
 {
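Review bot: The rewritten description keeps a stray space before the full stop in `color of background pixel .` and the singular in `Directories or file might be counted`; since this line is already being edited, suggest `color of background pixel.` and `Directories or files might be counted.` The attack-pattern object starts before this hunk's first line, so the surrounding fields are not visible here.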
diff --git a/mbc/attack-pattern/attack-pattern--a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483.json b/mbc/attack-pattern/attack-pattern--a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483.json
index 8cd6cae3..599b1c7c 100644
--- a/mbc/attack-pattern/attack-pattern--a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483.json
+++ b/mbc/attack-pattern/attack-pattern--a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.736174Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.277363Z",
 "name": "Patch MmGetPhysicalMemoryRanges",
 "description": "Patching this function to always return NULL prevents drivers from getting information about the physical address space layout, preventing memory dumps.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md",
 "external_id": "B0006.011"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d.json b/mbc/attack-pattern/attack-pattern--aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d.json
index 826a955e..e7d03c2b 100644
--- a/mbc/attack-pattern/attack-pattern--aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d.json
+++ b/mbc/attack-pattern/attack-pattern--aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.65626Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "modified": "2022-09-08T18:26:13.428514Z",
 "name": "Disable Kernel Patch Protection",
 "description": "Bypasses or disables kernel patch protection mechanisms such as Windows' PatchGuard, enabling the malware instance to operate at the same level as the operating system kernel and kernel mode drivers (KMD).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
 "external_id": "F0004.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--aaa95359-3220-45fe-9ae6-397718608ee4.json b/mbc/attack-pattern/attack-pattern--aaa95359-3220-45fe-9ae6-397718608ee4.json
index 12574c7e..6402c8b2 100644
--- a/mbc/attack-pattern/attack-pattern--aaa95359-3220-45fe-9ae6-397718608ee4.json
+++ b/mbc/attack-pattern/attack-pattern--aaa95359-3220-45fe-9ae6-397718608ee4.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--aaa95359-3220-45fe-9ae6-397718608ee4",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.637267Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "modified": "2022-09-08T18:26:13.433819Z",
 "name": "Fileless Malware",
 "description": "Stores itself in memory.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/alter-install-location.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/alternative-installation-location.md",
 "external_id": "B0027.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ab2e210b-f2a3-4f50-b42a-7304b875429c.json b/mbc/attack-pattern/attack-pattern--ab2e210b-f2a3-4f50-b42a-7304b875429c.json
index e0e9a5b4..c01daeec 100644
--- a/mbc/attack-pattern/attack-pattern--ab2e210b-f2a3-4f50-b42a-7304b875429c.json
+++ b/mbc/attack-pattern/attack-pattern--ab2e210b-f2a3-4f50-b42a-7304b875429c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ab2e210b-f2a3-4f50-b42a-7304b875429c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.915483Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "modified": "2022-09-08T18:26:13.42906Z",
 "name": "Force Lazy Writing",
 "description": "Some operating systems will sometimes use a form of \"lazy writing\" for disk I/O, which may obscure the true provenance of the write operation. This method occurs when code intentionally forces the operating system to perform a lazy writing operation. For example, in Windows, a file may be opened, memory mapped, and closed, but the memory map will still exist and can be written to, which will cause a lazy write that looks like it is coming from the System process.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
 "external_id": "F0004.006"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--ab699bec-3a3f-498f-a658-1eabe6fe90c9.json b/mbc/attack-pattern/attack-pattern--ab699bec-3a3f-498f-a658-1eabe6fe90c9.json
index b82c08f3..30eb11a9 100644
--- a/mbc/attack-pattern/attack-pattern--ab699bec-3a3f-498f-a658-1eabe6fe90c9.json
+++ b/mbc/attack-pattern/attack-pattern--ab699bec-3a3f-498f-a658-1eabe6fe90c9.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ab699bec-3a3f-498f-a658-1eabe6fe90c9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.981483Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.372406Z",
 "name": "Create UDP Socket::Socket Communication",
 "description": "A UDP socket is created.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md",
 "external_id": "C0001.010"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ac446754-73f8-4642-ac66-26b41c5f24ce.json b/mbc/attack-pattern/attack-pattern--ac446754-73f8-4642-ac66-26b41c5f24ce.json
index 7b85f49d..4ae980c9 100644
--- a/mbc/attack-pattern/attack-pattern--ac446754-73f8-4642-ac66-26b41c5f24ce.json
+++ b/mbc/attack-pattern/attack-pattern--ac446754-73f8-4642-ac66-26b41c5f24ce.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ac446754-73f8-4642-ac66-26b41c5f24ce",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.517264Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.276769Z",
 "name": "Tampering",
 "description": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md",
 "external_id": "B0006.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--acddeb41-5339-4148-8a12-04b9ca687086.json b/mbc/attack-pattern/attack-pattern--acddeb41-5339-4148-8a12-04b9ca687086.json
index 034e7eb5..a15af7a6 100644
--- a/mbc/attack-pattern/attack-pattern--acddeb41-5339-4148-8a12-04b9ca687086.json
+++ b/mbc/attack-pattern/attack-pattern--acddeb41-5339-4148-8a12-04b9ca687086.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--acddeb41-5339-4148-8a12-04b9ca687086",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.608264Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.230896Z",
 "name": "Server to Client File Transfer",
 "description": "File is transferred from controller to implant.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4.json b/mbc/attack-pattern/attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4.json
index 061216bf..aefd68e7 100644
--- a/mbc/attack-pattern/attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4.json
+++ b/mbc/attack-pattern/attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.71926Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.248354Z",
 "name": "Command and Scripting Interpreter",
 "description": "Malware may abuse command and script interpreters to execute commands, scripts, or binaries.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/command-line.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/command-and-scripting-interpreter.md",
 "external_id": "E1059"
 },
 {
@@ -28,9 +28,24 @@
 "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1059",
- "external_id": "T1059"
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--ad80fa16-a148-4562-951c-be0510a866fb.json b/mbc/attack-pattern/attack-pattern--ad80fa16-a148-4562-951c-be0510a866fb.json
index 78ecbcf2..e503f133 100644
--- a/mbc/attack-pattern/attack-pattern--ad80fa16-a148-4562-951c-be0510a866fb.json
+++ b/mbc/attack-pattern/attack-pattern--ad80fa16-a148-4562-951c-be0510a866fb.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/terminate-thread.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/terminate-thread.md",
 "external_id": "C0039"
 }
 ],
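Review bot: The rewritten external_references block removes the `"source_name": "mitre-attack"` entry for `T1059` without any replacement, so a consumer that resolves ATT&CK cross-references by that source_name loses the link even though the `E1059` external_id still follows ATT&CK's numbering. The same removal happens for `T1204` in attack-pattern--ae29c6ea and for `T1027` in attack-pattern--af4729ed later in this patch. If dropping the ATT&CK reference objects is an intended part of the v2.3 alignment, that should be stated in the commit description; otherwise the `mitre-attack` entry should be kept alongside the added `external_source` entries, which on their own carry no external_id a consumer can key on. The enclosing attack-pattern object starts before this hunk's first line.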
diff --git a/mbc/attack-pattern/attack-pattern--adac5b9d-77f6-4c07-898d-1515fbf37162.json b/mbc/attack-pattern/attack-pattern--adac5b9d-77f6-4c07-898d-1515fbf37162.json
index 768034cb..2ebe4d24 100644
--- a/mbc/attack-pattern/attack-pattern--adac5b9d-77f6-4c07-898d-1515fbf37162.json
+++ b/mbc/attack-pattern/attack-pattern--adac5b9d-77f6-4c07-898d-1515fbf37162.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--adac5b9d-77f6-4c07-898d-1515fbf37162",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.689263Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.41057Z",
 "name": "Injection using Shims",
 "description": "Malware may use shims to target an executable (shims are a way of hooking into APIs and targeting specific executables and are provided by Microsoft for backward compatibility, allowing developers to apply program fixes without rewriting code).",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md",
 "external_id": "E1055.m03"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--add320e6-3798-40f7-91be-5062eb3a9e00.json b/mbc/attack-pattern/attack-pattern--add320e6-3798-40f7-91be-5062eb3a9e00.json
index 7567c9a1..93e36341 100644
--- a/mbc/attack-pattern/attack-pattern--add320e6-3798-40f7-91be-5062eb3a9e00.json
+++ b/mbc/attack-pattern/attack-pattern--add320e6-3798-40f7-91be-5062eb3a9e00.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--add320e6-3798-40f7-91be-5062eb3a9e00",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.458263Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.312218Z",
 "name": "Anti-debugging Instructions",
 "description": "Malware code contains mnemonics related to anti-debugging (e.g., rdtsc, icebp).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.034"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--adf43bd9-7112-42fe-8024-7f7fe5a2225f.json b/mbc/attack-pattern/attack-pattern--adf43bd9-7112-42fe-8024-7f7fe5a2225f.json
index 75eaea3e..4ebaf9b5 100644
--- a/mbc/attack-pattern/attack-pattern--adf43bd9-7112-42fe-8024-7f7fe5a2225f.json
+++ b/mbc/attack-pattern/attack-pattern--adf43bd9-7112-42fe-8024-7f7fe5a2225f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--adf43bd9-7112-42fe-8024-7f7fe5a2225f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.485265Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.298994Z",
 "name": "Timing/Date Check",
 "description": "Calling GetSystemTime or equiv and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date. This behavior can be mitigated in non-automated analysis environments.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
 "external_id": "B0007.008"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ae167f71-8166-4906-97ba-8b9efb6daca2.json b/mbc/attack-pattern/attack-pattern--ae167f71-8166-4906-97ba-8b9efb6daca2.json
index dea2e8aa..ee0ce63c 100644
--- a/mbc/attack-pattern/attack-pattern--ae167f71-8166-4906-97ba-8b9efb6daca2.json
+++ b/mbc/attack-pattern/attack-pattern--ae167f71-8166-4906-97ba-8b9efb6daca2.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ae167f71-8166-4906-97ba-8b9efb6daca2",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.475261Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.321636Z",
 "name": "UnhandledExceptionFilter",
 "description": "The UnhandledExceptionFilter function is called if no registered exception handlers exist, but it will not be reached if a debugger is present. See for details.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.030"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--a6d7b549-6392-47dd-a5b3-f5ba522166c4.json b/mbc/attack-pattern/attack-pattern--ae29c6ea-39f3-47f5-b2e9-49a18cbe3d9f.json
similarity index 55%
rename from mbc/attack-pattern/attack-pattern--a6d7b549-6392-47dd-a5b3-f5ba522166c4.json
rename to mbc/attack-pattern/attack-pattern--ae29c6ea-39f3-47f5-b2e9-49a18cbe3d9f.json
index 01675775..f8e69cdc 100644
--- a/mbc/attack-pattern/attack-pattern--a6d7b549-6392-47dd-a5b3-f5ba522166c4.json
+++ b/mbc/attack-pattern/attack-pattern--ae29c6ea-39f3-47f5-b2e9-49a18cbe3d9f.json
@@ -1,16 +1,16 @@
 {
 "type": "bundle",
- "id": "bundle--c5031266-109f-40e7-905f-99f31ff621ec",
+ "id": "bundle--a8e60bf8-5f9f-481f-af06-be2a50facc84",
 "objects": [
 {
 "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "attack-pattern--a6d7b549-6392-47dd-a5b3-f5ba522166c4",
+ "id": "attack-pattern--ae29c6ea-39f3-47f5-b2e9-49a18cbe3d9f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.75026Z",
- "modified": "2022-02-05T00:37:22.694887Z",
- "name": "User Interaction",
- "description": "Malware may include code that relies on specific actions by a user to execute. Note that this MBC behavior differs from [User Execution](https://attack.mitre.org/techniques/T1204) in that it does do not include direct code execution (user action for *initial* execution) - MBE does not encompass ATT&CK's Initial Access Tactic.",
+ "created": "2022-09-08T18:26:13.249609Z",
+ "modified": "2022-09-08T18:26:13.249609Z",
+ "name": "User Execution",
+ "description": "Malware may include code that relies on specific actions by a user to execute. Note that this MBC behavior differs from [User Execution](https://attack.mitre.org/techniques/T1204) in that it does do not include direct code execution (user action for *initial* execution) - MBC does not encompass ATT&CK's Initial Access Tactic.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
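Review bot: The rename swaps the object's `id` from `attack-pattern--a6d7b549-…` to `attack-pattern--ae29c6ea-…` and resets `created` to the same instant as `modified`, so under STIX 2.1 this is a brand-new object rather than a new version of the existing "User Interaction" behavior; any relationship object or consumer database that references the old id is left dangling, and the version history of E1204 is lost. If the intent is only to rename the behavior to "User Execution", keeping the original `id` and `created` and bumping just `modified` preserves continuity, and the bundle `id` need not change either. The new description also now reads `differs from [User Execution](…)` while the object itself is named User Execution, and the pre-existing `it does do not include` survives; suggest `differs from ATT&CK's [User Execution](https://attack.mitre.org/techniques/T1204) in that it does not include direct code execution`. The object's external_references continue in the next hunk.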
@@ -20,13 +20,20 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/user-interaction.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/user-execution.md",
 "external_id": "E1204"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1204",
- "external_id": "T1204"
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blogs.cisco.com/security/talos/rombertik"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/resources/hot-knives-through-butter-evading-file-based-sandboxes"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--ae4acd7c-89e1-44d8-a5fa-0d53fe88911e.json b/mbc/attack-pattern/attack-pattern--ae4acd7c-89e1-44d8-a5fa-0d53fe88911e.json
new file mode 100644
index 00000000..7bcc07e0
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--ae4acd7c-89e1-44d8-a5fa-0d53fe88911e.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--1f7fe7fb-4070-4d17-8290-157f530ce84c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--ae4acd7c-89e1-44d8-a5fa-0d53fe88911e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.325559Z",
+ "modified": "2022-09-08T18:26:13.325559Z",
+ "name": "API Hammering",
+ "description": "Uses of a huge number of calls to Windows APIs as a form of extended sleep to evade analysis in sandbox environments.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md",
+ "external_id": "B0003.012"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--ae865c4b-d90b-46be-aae6-6fbe897b76d9.json b/mbc/attack-pattern/attack-pattern--ae865c4b-d90b-46be-aae6-6fbe897b76d9.json
index 6f24ceb4..9a43430a 100644
--- a/mbc/attack-pattern/attack-pattern--ae865c4b-d90b-46be-aae6-6fbe897b76d9.json
+++ b/mbc/attack-pattern/attack-pattern--ae865c4b-d90b-46be-aae6-6fbe897b76d9.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md",
 "external_id": "E1485.m02"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4.json b/mbc/attack-pattern/attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4.json
index ef2bb0cf..e6834e5a 100644
--- a/mbc/attack-pattern/attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4.json
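Review bot: The new file for "API Hammering" is written without a trailing newline (`\ No newline at end of file`), as is the other new file in this patch, attack-pattern--b063a520; the bundle writer should emit a final newline so these files diff and concatenate cleanly alongside the rest of the repository. The description `Uses of a huge number of calls to Windows APIs…` is ungrammatical; suggest `"description": "Uses a huge number of calls to Windows APIs as a form of extended sleep to evade analysis in sandbox environments."`. The object is otherwise self-contained within this hunk.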
+++ b/mbc/attack-pattern/attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.68026Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.408474Z",
 "name": "Obfuscated Files or Information",
 "description": "Malware may make files or information difficult to discover or analyze by encoding, encrypting, or otherwise obfuscating the content. In addition, a malware sample itself can be encoded or encrypted (i.e., encoding/encryption is a code characteristic).",
 "kill_chain_phases": [
@@ -24,13 +24,16 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md",
 "external_id": "E1027"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1027",
- "external_id": "T1027"
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--af706b89-56dd-4b02-81e6-eb64fe57c2e6.json b/mbc/attack-pattern/attack-pattern--af706b89-56dd-4b02-81e6-eb64fe57c2e6.json
index 39666501..cb79eb52 100644
--- a/mbc/attack-pattern/attack-pattern--af706b89-56dd-4b02-81e6-eb64fe57c2e6.json
+++ b/mbc/attack-pattern/attack-pattern--af706b89-56dd-4b02-81e6-eb64fe57c2e6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--af706b89-56dd-4b02-81e6-eb64fe57c2e6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.516301Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.309405Z",
 "name": "Static Linking",
 "description": "Copy locally the whole content of API code.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.026"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--af70b2f4-e552-4ec0-b6ce-1c8c38e6748c.json b/mbc/attack-pattern/attack-pattern--af70b2f4-e552-4ec0-b6ce-1c8c38e6748c.json
index f2021758..4a8057b7 100644
--- a/mbc/attack-pattern/attack-pattern--af70b2f4-e552-4ec0-b6ce-1c8c38e6748c.json
+++ b/mbc/attack-pattern/attack-pattern--af70b2f4-e552-4ec0-b6ce-1c8c38e6748c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--af70b2f4-e552-4ec0-b6ce-1c8c38e6748c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.783046Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.228703Z",
 "name": "Implant to Controller File Transfer",
 "description": "File is transferred from implant to controller.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b063a520-75fb-41bc-afd7-bf13a8118dc5.json b/mbc/attack-pattern/attack-pattern--b063a520-75fb-41bc-afd7-bf13a8118dc5.json
new file mode 100644
index 00000000..5713a26a
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--b063a520-75fb-41bc-afd7-bf13a8118dc5.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--1190e1e9-2c9f-4833-8dd7-93ffbf99f5f1",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--b063a520-75fb-41bc-afd7-bf13a8118dc5",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.208642Z",
+ "modified": "2022-09-08T18:26:13.208642Z",
+ "name": "Filter by Extension",
+ "description": "Malware may filter by extension (common in ransomware).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/file-and-directory-discovery.md",
+ "external_id": "E1083.m02"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--b0cd3324-b762-4e02-8e9d-7dd3708d5e0a.json b/mbc/attack-pattern/attack-pattern--b0cd3324-b762-4e02-8e9d-7dd3708d5e0a.json
index a4ea216e..acf2645c 100644
--- a/mbc/attack-pattern/attack-pattern--b0cd3324-b762-4e02-8e9d-7dd3708d5e0a.json
+++ b/mbc/attack-pattern/attack-pattern--b0cd3324-b762-4e02-8e9d-7dd3708d5e0a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b0cd3324-b762-4e02-8e9d-7dd3708d5e0a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.03448Z",
- "modified": "2022-02-05T00:37:22.819853Z",
+ "modified": "2022-09-08T18:26:13.354982Z",
 "name": "Check Mutex",
 "description": "Malware checks a mutex.",
 "kill_chain_phases": [
@@ -20,8 +20,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/check-mutex.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/check-mutex.md",
 "external_id": "C0043"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--b1089154-3ee0-4713-893f-af97047f8ab5.json b/mbc/attack-pattern/attack-pattern--b1089154-3ee0-4713-893f-af97047f8ab5.json
index 97125a22..78b6c1ce 100644
--- a/mbc/attack-pattern/attack-pattern--b1089154-3ee0-4713-893f-af97047f8ab5.json
+++ b/mbc/attack-pattern/attack-pattern--b1089154-3ee0-4713-893f-af97047f8ab5.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b1089154-3ee0-4713-893f-af97047f8ab5",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.459263Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.312531Z",
 "name": "CheckRemoteDebuggerPresent",
 "description": "The kernel32!CheckRemoteDebuggerPresent function calls NtQueryInformationProcess with ProcessInformationClass parameter set to 7 (ProcessDebugPort constant).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b16029de-92c1-4b77-b334-733f0d099ecd.json b/mbc/attack-pattern/attack-pattern--b16029de-92c1-4b77-b334-733f0d099ecd.json
index 862da378..50a8d524 100644
--- a/mbc/attack-pattern/attack-pattern--b16029de-92c1-4b77-b334-733f0d099ecd.json
+++ b/mbc/attack-pattern/attack-pattern--b16029de-92c1-4b77-b334-733f0d099ecd.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b16029de-92c1-4b77-b334-733f0d099ecd",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.561265Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.19463Z",
 "name": "Structured Exception Handling (SEH)",
 "description": "A portion of the code always generates an exception so that malicious code is executed with the exception handling. See .",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.016"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae.json b/mbc/attack-pattern/attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae.json
index 3970f337..710572d0 100644
--- a/mbc/attack-pattern/attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae.json
+++ b/mbc/attack-pattern/attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae.json
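Review bot: In the `@@ -8,7 +8,7 @@` hunk for attack-pattern--b16029de the description on the new side still ends with the dangling fragment `See .`, which looks like a citation whose link was lost when the markdown was converted to STIX. Since this object is being regenerated by the same tooling that rewrote its `modified` timestamp, the source markdown should either name the reference it meant to cite or drop the fragment, e.g. `"description": "A portion of the code always generates an exception so that malicious code is executed with the exception handling.",` if no citation is available.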
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.722263Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.24581Z",
 "name": "Conditional Execution",
 "description": "Malware checks system environment conditions or characteristics to determine execution path. For example, malware may not run or be dormant unless system conditions are right, or file that is dropped may vary according to execution environment. Conditional execution in malware happens autonomously, not because of an attacker's command.",
 "kill_chain_phases": [
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md",
 "external_id": "B0025"
 },
 {
@@ -36,9 +36,12 @@
 "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1480",
- "external_id": "T1480"
+ "source_name": "external_source",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--b1937ce5-4376-4b5d-944e-5406d8501413.json b/mbc/attack-pattern/attack-pattern--b1937ce5-4376-4b5d-944e-5406d8501413.json
index e563eb3a..fc872893 100644
--- a/mbc/attack-pattern/attack-pattern--b1937ce5-4376-4b5d-944e-5406d8501413.json
+++ b/mbc/attack-pattern/attack-pattern--b1937ce5-4376-4b5d-944e-5406d8501413.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b1937ce5-4376-4b5d-944e-5406d8501413",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.706262Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.215656Z",
 "name": "Process detection - PCAP Utilities",
 "description": "Malware can scan for the process name associated with common analysis tools. Wireshark / Dumpcap",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md",
 "external_id": "B0013.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b1c9e70b-d514-4924-848d-c6403560e6c5.json b/mbc/attack-pattern/attack-pattern--b1c9e70b-d514-4924-848d-c6403560e6c5.json
index a3cd78d0..4565f715 100644
--- a/mbc/attack-pattern/attack-pattern--b1c9e70b-d514-4924-848d-c6403560e6c5.json
+++ b/mbc/attack-pattern/attack-pattern--b1c9e70b-d514-4924-848d-c6403560e6c5.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b1c9e70b-d514-4924-848d-c6403560e6c5",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.90926Z",
- "modified": "2022-02-05T00:37:22.835477Z",
+ "modified": "2022-09-08T18:26:13.256543Z",
 "name": "Device Driver",
 "description": "Allows kernel to access hardware connected to the system.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/kernel-modules-ext.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/kernel-modules-and-extensions.md",
 "external_id": "F0010.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58.json b/mbc/attack-pattern/attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58.json
index b81b3b69..96f1bfeb 100644
--- a/mbc/attack-pattern/attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58.json
+++ b/mbc/attack-pattern/attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58.json
@@ -8,10 +8,22 @@
 "id": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.829949Z",
- "modified": "2022-02-05T00:37:22.632387Z",
+ "modified": "2022-09-08T18:26:13.421077Z",
 "name": "Hijack Execution Flow",
- "description": "Malware may execute by hijacking the way operating systems run programs. Malware (e.g. rootkit) alters API behavior or redirects execution to a malicious API version for a variety of purposes. Malware may use hooking to load and execute code within the context of another process, hiding execution and gaining elevated privileges and access to the process's memory. Different types of hooking are defined as methods below.",
+ "description": "Malware may execute by hijacking the way operating systems run programs. Malware (e.g. rootkit) alters API behavior or redirects execution (i.e., hooking) to a malicious API version for a variety of purposes. Malware may use hooking to load and execute code within the context of another process, hiding execution and gaining elevated privileges and access to the process's memory. Different types of hooking are defined as methods below.",
 "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ },
 {
 "kill_chain_name": "mitre-mbc",
 "phase_name": "defense-evasion"
@@ -28,7 +40,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md",
 "external_id": "F0015"
 },
 {
@@ -48,9 +60,32 @@
 "url": "http://ropgadget.com/posts/abusing_win_functions.html"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1574/",
- "external_id": "T1574"
+ "source_name": "external_source",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/resources/synful-knock-acis"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--b2320873-c5bb-4691-80f6-ffbd143b8b9a.json b/mbc/attack-pattern/attack-pattern--b2320873-c5bb-4691-80f6-ffbd143b8b9a.json
index 1c9d8ab8..e9fa62c1 100644
--- a/mbc/attack-pattern/attack-pattern--b2320873-c5bb-4691-80f6-ffbd143b8b9a.json
+++ b/mbc/attack-pattern/attack-pattern--b2320873-c5bb-4691-80f6-ffbd143b8b9a.json
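Review bot: In the `@@ -48,9 +60,32 @@` hunk the Trend Micro reference URL carries a Google Analytics `_ga=` client identifier and the Microsoft docs URL a `?redirectedfrom=MSDN` parameter; neither is part of the resource's identity, and publishing a curator's analytics identifier in a shared dataset is an avoidable disclosure. The canonical URLs without the query string should be stored instead, e.g. `"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2"` and `"url": "https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks#hook-procedures"`; a normalization step in the generator would keep this from recurring. The `http://` scheme on the ropgadget.com context line is presumably historical, but the same pass could upgrade it if the site serves TLS.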
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b2320873-c5bb-4691-80f6-ffbd143b8b9a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.783046Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.228169Z",
 "name": "Execute Shell Command",
 "description": "Execute/run the given command using a built-in program (e.g. cmd.exe, PowerShell, bash). This differs from Start Interactive Shell because the shell process is started only for the received command or set of commands and then exits. There is no loop looking for additional commands while the shell process is still running.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.014"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b3030683-9d60-4b63-8498-f7fac91c244d.json b/mbc/attack-pattern/attack-pattern--b3030683-9d60-4b63-8498-f7fac91c244d.json
index 523a87be..98388355 100644
--- a/mbc/attack-pattern/attack-pattern--b3030683-9d60-4b63-8498-f7fac91c244d.json
+++ b/mbc/attack-pattern/attack-pattern--b3030683-9d60-4b63-8498-f7fac91c244d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b3030683-9d60-4b63-8498-f7fac91c244d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.814301Z",
- "modified": "2022-02-05T00:37:22.632387Z",
+ "modified": "2022-09-08T18:26:13.430594Z",
 "name": "Disable Code Integrity",
 "description": "Malware disables Code Integrity driver.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
 "external_id": "F0004.009"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b3369595-ed1a-4660-a239-08f6abd5810c.json b/mbc/attack-pattern/attack-pattern--b3369595-ed1a-4660-a239-08f6abd5810c.json
index 367a6b9c..f2c7771d 100644
--- a/mbc/attack-pattern/attack-pattern--b3369595-ed1a-4660-a239-08f6abd5810c.json
+++ b/mbc/attack-pattern/attack-pattern--b3369595-ed1a-4660-a239-08f6abd5810c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b3369595-ed1a-4660-a239-08f6abd5810c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.982483Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.373922Z",
 "name": "Send UDP Data::Socket Communication",
 "description": "Send UDP data.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md",
 "external_id": "C0001.015"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b3bc7ff9-4ea7-4b1a-9301-ea0e07e4a85f.json b/mbc/attack-pattern/attack-pattern--b3bc7ff9-4ea7-4b1a-9301-ea0e07e4a85f.json
index 17dc020c..e720fc80 100644
--- a/mbc/attack-pattern/attack-pattern--b3bc7ff9-4ea7-4b1a-9301-ea0e07e4a85f.json
+++ b/mbc/attack-pattern/attack-pattern--b3bc7ff9-4ea7-4b1a-9301-ea0e07e4a85f.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/load-driver.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/load-driver.md",
 "external_id": "C0023.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b40aba49-57d9-4a99-a29e-2629e35991c9.json b/mbc/attack-pattern/attack-pattern--b40aba49-57d9-4a99-a29e-2629e35991c9.json
index 7abee5b0..2d72dafd 100644
--- a/mbc/attack-pattern/attack-pattern--b40aba49-57d9-4a99-a29e-2629e35991c9.json
+++ b/mbc/attack-pattern/attack-pattern--b40aba49-57d9-4a99-a29e-2629e35991c9.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b40aba49-57d9-4a99-a29e-2629e35991c9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.510265Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.303866Z",
 "name": "Change SizeOfImage",
 "description": "Changing this value during run time can prevent some debuggers from attaching. Also confuses some unpackers and dumpers.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b4931f82-5f27-4329-a0c4-4f953195e6f1.json b/mbc/attack-pattern/attack-pattern--b4931f82-5f27-4329-a0c4-4f953195e6f1.json
index 2aaa9b74..747a0fdc 100644
--- a/mbc/attack-pattern/attack-pattern--b4931f82-5f27-4329-a0c4-4f953195e6f1.json
+++ b/mbc/attack-pattern/attack-pattern--b4931f82-5f27-4329-a0c4-4f953195e6f1.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b4931f82-5f27-4329-a0c4-4f953195e6f1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.559264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.193622Z",
 "name": "Jump Insertion",
 "description": "Insert jumps to make analysis visually harder.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b535d57f-a2e0-427b-8f4d-69d948e6ebf4.json b/mbc/attack-pattern/attack-pattern--b535d57f-a2e0-427b-8f4d-69d948e6ebf4.json
index 26ecd82c..9ca42438 100644
--- a/mbc/attack-pattern/attack-pattern--b535d57f-a2e0-427b-8f4d-69d948e6ebf4.json
+++ b/mbc/attack-pattern/attack-pattern--b535d57f-a2e0-427b-8f4d-69d948e6ebf4.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b535d57f-a2e0-427b-8f4d-69d948e6ebf4",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.975482Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.367085Z",
 "name": "WinINet::HTTP Communication",
 "description": "A HTTP request is made via the Windows Internet (WinINet) application programming interface (API). A specific function can be specified as a method on the [WinInet](../communication/wininet.md) microbehavior.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002.007"
 }
 ],
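Review bot: In the `@@ -8,7 +8,7 @@` hunk for attack-pattern--b535d57f the description on the new side still embeds the Markdown link `[WinInet](../communication/wininet.md)`, a path relative to the markdown repository that cannot resolve from a STIX bundle and that the conversion evidently does not rewrite, while the `mitre-mbc` URLs elsewhere in the same object are absolute and release-pinned. The converter should either expand such links to the same absolute form as `external_references` or reduce them to plain text such as `the WinInet (C0005) microbehavior`, so the description does not depend on the file layout of a different repository.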
diff --git a/mbc/attack-pattern/attack-pattern--b5d3d3c7-f9bd-4d61-8a73-593972018a8b.json b/mbc/attack-pattern/attack-pattern--b5d3d3c7-f9bd-4d61-8a73-593972018a8b.json
index 1024c681..a65f9152 100644
--- a/mbc/attack-pattern/attack-pattern--b5d3d3c7-f9bd-4d61-8a73-593972018a8b.json
+++ b/mbc/attack-pattern/attack-pattern--b5d3d3c7-f9bd-4d61-8a73-593972018a8b.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b5d3d3c7-f9bd-4d61-8a73-593972018a8b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.643261Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "modified": "2022-09-08T18:26:13.40232Z",
 "name": "ROP Chains",
 "description": "Return-Oriented Programming can be used to bypass DEP. It can also be used to bypass code signing.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/bypass-dep.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/bypass-data-execution-prevention.md",
 "external_id": "B0037.001"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--b5f07958-9aea-4414-ab2c-d5a46399dc23.json b/mbc/attack-pattern/attack-pattern--b5f07958-9aea-4414-ab2c-d5a46399dc23.json
index 8ee5fec0..cb282581 100644
--- a/mbc/attack-pattern/attack-pattern--b5f07958-9aea-4414-ab2c-d5a46399dc23.json
+++ b/mbc/attack-pattern/attack-pattern--b5f07958-9aea-4414-ab2c-d5a46399dc23.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b5f07958-9aea-4414-ab2c-d5a46399dc23",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.989483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.384722Z",
 "name": "Camellia::Decrypt Data",
 "description": "Malware decrypts data encrypted with the Camellia algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
 "external_id": "C0031.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b5f930c9-ea8f-45dd-9317-60b270606cb2.json b/mbc/attack-pattern/attack-pattern--b5f930c9-ea8f-45dd-9317-60b270606cb2.json
index 390c82cf..96c349d9 100644
--- a/mbc/attack-pattern/attack-pattern--b5f930c9-ea8f-45dd-9317-60b270606cb2.json
+++ b/mbc/attack-pattern/attack-pattern--b5f930c9-ea8f-45dd-9317-60b270606cb2.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--b5f930c9-ea8f-45dd-9317-60b270606cb2",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.877737Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.23535Z",
 "name": "Execution Dependency",
- "description": "Software may require certain run-time or library dependencies consistent with normal software development and deployment. For example, software may require the presence of a .NET or Java runtime or to be run by a webserver that supports PHP. Unlike in [Conditional Execution](https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md) this dependency is not because of an explicit check coded into the malware by the author.",
+ "description": "Software may require certain run-time or library dependencies consistent with normal software development and deployment. For example, software may require the presence of a .NET or Java runtime or to be run by a webserver that supports PHP. Unlike in **Conditional Execution ([B0025](https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md))** this dependency is not because of an explicit check coded into the malware by the author.",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/execution-dependency.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/execution-dependency.md",
 "external_id": "B0044"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b62ec15e-4b56-482f-9721-72733c520d1b.json b/mbc/attack-pattern/attack-pattern--b62ec15e-4b56-482f-9721-72733c520d1b.json
index afb47480..2b144fb1 100644
--- a/mbc/attack-pattern/attack-pattern--b62ec15e-4b56-482f-9721-72733c520d1b.json
+++ b/mbc/attack-pattern/attack-pattern--b62ec15e-4b56-482f-9721-72733c520d1b.json
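Review bot: The rewritten description in the `@@ -8,9 +8,9 @@` hunk now carries Markdown emphasis (`**...**`) and a release-pinned GitHub URL inside a STIX `description`, which is a plain-text field that most STIX consumers will not render as Markdown, and the v2.2-to-v2.3 rewrite of that same URL in this commit shows that every release will have to edit prose strings across the dataset. Cross-references are already expressed through `external_references`, so the description could name the behavior and its identifier in plain text, `Unlike in Conditional Execution (B0025) this dependency is not because of an explicit check...`, and let the `external_id` carry the link. If the markdown-to-STIX converter is the source of the bold markers, stripping them there would fix the whole corpus at once.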
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md",
 "external_id": "C0005.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b6679c6a-6312-44ec-a6fe-628a66d0cefe.json b/mbc/attack-pattern/attack-pattern--b6679c6a-6312-44ec-a6fe-628a66d0cefe.json
index 3ae46748..499025b5 100644
--- a/mbc/attack-pattern/attack-pattern--b6679c6a-6312-44ec-a6fe-628a66d0cefe.json
+++ b/mbc/attack-pattern/attack-pattern--b6679c6a-6312-44ec-a6fe-628a66d0cefe.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b6679c6a-6312-44ec-a6fe-628a66d0cefe",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.501259Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.290074Z",
 "name": "Modern Specs Check - Printer",
 "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Checks whether there is a potential connected printer or default Windows printers; if not a virtual environment is suspected.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.017"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b67d0824-50d3-4066-906b-93dd26a9f05f.json b/mbc/attack-pattern/attack-pattern--b67d0824-50d3-4066-906b-93dd26a9f05f.json
index de52e3fa..4b46fe81 100644
--- a/mbc/attack-pattern/attack-pattern--b67d0824-50d3-4066-906b-93dd26a9f05f.json
+++ b/mbc/attack-pattern/attack-pattern--b67d0824-50d3-4066-906b-93dd26a9f05f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b67d0824-50d3-4066-906b-93dd26a9f05f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.923443Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.407533Z",
 "name": "Encryption-Standard Algorithm",
 "description": "A standard algorithm (e.g., Rijndael/AES, DES, RC4) is used to encrypt a malware sample, file, or other information.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md",
 "external_id": "E1027.m05"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b7225469-01b6-4708-8bf9-aff549a703ce.json b/mbc/attack-pattern/attack-pattern--b7225469-01b6-4708-8bf9-aff549a703ce.json
index be05796e..b66cc4b9 100644
--- a/mbc/attack-pattern/attack-pattern--b7225469-01b6-4708-8bf9-aff549a703ce.json
+++ b/mbc/attack-pattern/attack-pattern--b7225469-01b6-4708-8bf9-aff549a703ce.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b7225469-01b6-4708-8bf9-aff549a703ce",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.511265Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.304375Z",
 "name": "Exception Misdirection",
 "description": "Using exception handling (SEH) to cause flow of program to non-obvious paths.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.006"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b729ab37-a73c-4d87-a72b-4123385a2581.json b/mbc/attack-pattern/attack-pattern--b729ab37-a73c-4d87-a72b-4123385a2581.json
index 5ca3ad1c..7c6994f5 100644
--- a/mbc/attack-pattern/attack-pattern--b729ab37-a73c-4d87-a72b-4123385a2581.json
+++ b/mbc/attack-pattern/attack-pattern--b729ab37-a73c-4d87-a72b-4123385a2581.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b729ab37-a73c-4d87-a72b-4123385a2581",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.608264Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.230651Z",
 "name": "Send System Information",
 "description": "Implant sends system information.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.006"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b74af853-9674-4bc7-9d30-be251db05e3d.json b/mbc/attack-pattern/attack-pattern--b74af853-9674-4bc7-9d30-be251db05e3d.json
index a25f6b32..5809578e 100644
--- a/mbc/attack-pattern/attack-pattern--b74af853-9674-4bc7-9d30-be251db05e3d.json
+++ b/mbc/attack-pattern/attack-pattern--b74af853-9674-4bc7-9d30-be251db05e3d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b74af853-9674-4bc7-9d30-be251db05e3d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.994484Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.392125Z",
 "name": "Stream Cipher::Encrypt Data",
 "description": "Malware encrypts with a stream cipher.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
 "external_id": "C0027.012"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b7727763-8ffd-4588-b8a1-15168d18f0dd.json b/mbc/attack-pattern/attack-pattern--b7727763-8ffd-4588-b8a1-15168d18f0dd.json
index 4eff3b59..68b7857d 100644
--- a/mbc/attack-pattern/attack-pattern--b7727763-8ffd-4588-b8a1-15168d18f0dd.json
+++ b/mbc/attack-pattern/attack-pattern--b7727763-8ffd-4588-b8a1-15168d18f0dd.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b7727763-8ffd-4588-b8a1-15168d18f0dd",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.493266Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.284903Z",
 "name": "Check Windows - Unique windows",
 "description": "Malware may check windows for VM-related characteristics. May check for the presence of known windows from analysis tools running in a VM.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.021"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b7a3c18a-0a7c-407a-8857-3e2e8d941775.json b/mbc/attack-pattern/attack-pattern--b7a3c18a-0a7c-407a-8857-3e2e8d941775.json
index cce0cbd3..74a519a2 100644
--- a/mbc/attack-pattern/attack-pattern--b7a3c18a-0a7c-407a-8857-3e2e8d941775.json
+++ b/mbc/attack-pattern/attack-pattern--b7a3c18a-0a7c-407a-8857-3e2e8d941775.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b7a3c18a-0a7c-407a-8857-3e2e8d941775",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.993484Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.389718Z",
 "name": "HC-256::Encrypt Data",
 "description": "Malware encrypts with the HC-256 algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
 "external_id": "C0027.007"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b7d3d8a7-75a8-4e3b-a1e8-c20844d0a8cf.json b/mbc/attack-pattern/attack-pattern--b7d3d8a7-75a8-4e3b-a1e8-c20844d0a8cf.json
index 177ca9d9..acd500ac 100644
--- a/mbc/attack-pattern/attack-pattern--b7d3d8a7-75a8-4e3b-a1e8-c20844d0a8cf.json
+++ b/mbc/attack-pattern/attack-pattern--b7d3d8a7-75a8-4e3b-a1e8-c20844d0a8cf.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/open-thread.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/open-thread.md",
 "external_id": "C0066"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b7df4632-63d2-4195-a529-643ab6098e16.json b/mbc/attack-pattern/attack-pattern--b7df4632-63d2-4195-a529-643ab6098e16.json
new file mode 100644
index 00000000..b7663e1a
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--b7df4632-63d2-4195-a529-643ab6098e16.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--e6ae688d-44ff-48a3-b4e8-46b37f037dac",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--b7df4632-63d2-4195-a529-643ab6098e16",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.325804Z",
+ "modified": "2022-09-08T18:26:13.325804Z",
+ "name": "Code Integrity Check",
+ "description": "Compares memory-based and disk-based versions of itself. If differences are detected, the malware alters its execution, possibly acting destructively.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md",
+ "external_id": "B0003.011"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--b82bbd87-e936-4b0e-a708-a277630fec11.json b/mbc/attack-pattern/attack-pattern--b82bbd87-e936-4b0e-a708-a277630fec11.json
index 4bfbcb6d..426fb80e 100644
--- a/mbc/attack-pattern/attack-pattern--b82bbd87-e936-4b0e-a708-a277630fec11.json
+++ b/mbc/attack-pattern/attack-pattern--b82bbd87-e936-4b0e-a708-a277630fec11.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/read-file.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/read-file.md",
 "external_id": "C0051"
 }
 ],
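Review bot: The new bundle file is written without a terminating newline (the hunk ends in `\ No newline at end of file`), while no other file section in this patch carries that marker, so this one file is out of step with the rest of the directory and every later edit to it will show a spurious change on its closing `}` line. The generator that emitted this object should append the newline after the final `}`, as it evidently does for the existing files. Nothing else in the object stands out: `created` equal to `modified` is expected for a newly added STIX object, and the `v2.3` reference path matches the other B0003 sub-technique updated in this patch.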
diff --git a/mbc/attack-pattern/attack-pattern--b82faecb-bcb2-4dcc-9155-bbd52d31c35d.json b/mbc/attack-pattern/attack-pattern--b82faecb-bcb2-4dcc-9155-bbd52d31c35d.json
index 2a5bb133..8b15c259 100644
--- a/mbc/attack-pattern/attack-pattern--b82faecb-bcb2-4dcc-9155-bbd52d31c35d.json
+++ b/mbc/attack-pattern/attack-pattern--b82faecb-bcb2-4dcc-9155-bbd52d31c35d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b82faecb-bcb2-4dcc-9155-bbd52d31c35d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.713265Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.20944Z",
 "name": "SMTP Connection Discovery",
 "description": "Malware may test whether an outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/smtp-connect-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/smtp-connection-discovery.md",
 "external_id": "B0014"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b8311cd4-85f0-4e4c-83c5-0af831e6d7f1.json b/mbc/attack-pattern/attack-pattern--b8311cd4-85f0-4e4c-83c5-0af831e6d7f1.json
index a39825d3..3006dcf6 100644
--- a/mbc/attack-pattern/attack-pattern--b8311cd4-85f0-4e4c-83c5-0af831e6d7f1.json
+++ b/mbc/attack-pattern/attack-pattern--b8311cd4-85f0-4e4c-83c5-0af831e6d7f1.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b8311cd4-85f0-4e4c-83c5-0af831e6d7f1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.772261Z",
- "modified": "2022-02-05T00:37:22.71051Z",
+ "modified": "2022-09-08T18:26:13.264559Z",
 "name": "Denial of Service",
 "description": "Malware may make a network unavailable, for example, by launching a network-based denial of service (DoS) attack.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/denial-of-service.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/denial-of-service.md",
 "external_id": "B0033"
 },
 {
@@ -28,9 +28,8 @@
 "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1498/",
- "external_id": "T1498"
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--b85681f8-57a9-485e-bc46-ab3602990675.json b/mbc/attack-pattern/attack-pattern--b85681f8-57a9-485e-bc46-ab3602990675.json
index 8741229c..ff541190 100644
--- a/mbc/attack-pattern/attack-pattern--b85681f8-57a9-485e-bc46-ab3602990675.json
+++ b/mbc/attack-pattern/attack-pattern--b85681f8-57a9-485e-bc46-ab3602990675.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--b85681f8-57a9-485e-bc46-ab3602990675",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.042481Z",
- "modified": "2022-02-05T00:37:22.835477Z",
+ "modified": "2022-09-08T18:26:13.355957Z",
 "name": "Set Thread Local Storage Value",
 "description": "Malware allocates thread local storage.",
 "kill_chain_phases": [
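Review bot: The `@@ -28,9 +28,8 @@` hunk of the Denial of Service object replaces the `mitre-attack` reference (`"external_id": "T1498"`) with an `external_source` entry instead of adding the new entry beside it, so the MBC-to-ATT&CK mapping for B0033 disappears from this object and any consumer that derives ATT&CK coverage by filtering `external_references` on `"source_name": "mitre-attack"` loses it silently. The same swap happens in the System Information Discovery hunk (`@@ -20,13 +20,28 @@`, T1082) further down. If MBC v2.3 intentionally drops these mappings or moves them into relationship objects, the commit message should say so; otherwise keep the `mitre-attack` entry and append the new `external_source` entries after it.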
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/thread-storage-set-value.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/set-thread-local-storage-value.md",
 "external_id": "C0041"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b87f5902-5985-4b45-b8df-b3b24f214650.json b/mbc/attack-pattern/attack-pattern--b87f5902-5985-4b45-b8df-b3b24f214650.json
index 96be5b02..b638f36f 100644
--- a/mbc/attack-pattern/attack-pattern--b87f5902-5985-4b45-b8df-b3b24f214650.json
+++ b/mbc/attack-pattern/attack-pattern--b87f5902-5985-4b45-b8df-b3b24f214650.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/console.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/console.md",
 "external_id": "C0033"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b9a7ebfb-ce75-4050-b9ac-79d2bf146c4f.json b/mbc/attack-pattern/attack-pattern--b9a7ebfb-ce75-4050-b9ac-79d2bf146c4f.json
index f9906986..7bb49181 100644
--- a/mbc/attack-pattern/attack-pattern--b9a7ebfb-ce75-4050-b9ac-79d2bf146c4f.json
+++ b/mbc/attack-pattern/attack-pattern--b9a7ebfb-ce75-4050-b9ac-79d2bf146c4f.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/install-driver.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/install-driver.md",
 "external_id": "C0037"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--b9cf6d75-631e-4209-b84d-63a7dcaf9b65.json b/mbc/attack-pattern/attack-pattern--b9cf6d75-631e-4209-b84d-63a7dcaf9b65.json
index d9b0da36..ed26d7ed 100644
--- a/mbc/attack-pattern/attack-pattern--b9cf6d75-631e-4209-b84d-63a7dcaf9b65.json
+++ b/mbc/attack-pattern/attack-pattern--b9cf6d75-631e-4209-b84d-63a7dcaf9b65.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md",
 "external_id": "C0032.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--baae0d7a-88a9-479c-879e-9bbd0dea3bf0.json b/mbc/attack-pattern/attack-pattern--baae0d7a-88a9-479c-879e-9bbd0dea3bf0.json
index 9c066a4c..4f1244fb 100644
--- a/mbc/attack-pattern/attack-pattern--baae0d7a-88a9-479c-879e-9bbd0dea3bf0.json
+++ b/mbc/attack-pattern/attack-pattern--baae0d7a-88a9-479c-879e-9bbd0dea3bf0.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--baae0d7a-88a9-479c-879e-9bbd0dea3bf0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.523261Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.327733Z",
 "name": "Hook Interrupt",
 "description": "Modification of interrupt vector or descriptor tables.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md",
 "external_id": "B0003.008"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--bab113ca-bbe4-4b39-bcac-d7fa7325b1e9.json b/mbc/attack-pattern/attack-pattern--bab113ca-bbe4-4b39-bcac-d7fa7325b1e9.json
index b58e8140..40c4422b 100644
--- a/mbc/attack-pattern/attack-pattern--bab113ca-bbe4-4b39-bcac-d7fa7325b1e9.json
+++ b/mbc/attack-pattern/attack-pattern--bab113ca-bbe4-4b39-bcac-d7fa7325b1e9.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bab113ca-bbe4-4b39-bcac-d7fa7325b1e9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.547264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.189329Z",
 "name": "Two-layer Function Return",
 "description": "Two layer jumping confuses tools plotting call graphs.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-call-graph.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/call-graph-generation-evasion.md",
 "external_id": "B0010.001"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--bad6ec3f-e218-4190-8033-3e4e8dae8d00.json b/mbc/attack-pattern/attack-pattern--bad6ec3f-e218-4190-8033-3e4e8dae8d00.json
index 563c917c..bab9834e 100644
--- a/mbc/attack-pattern/attack-pattern--bad6ec3f-e218-4190-8033-3e4e8dae8d00.json
+++ b/mbc/attack-pattern/attack-pattern--bad6ec3f-e218-4190-8033-3e4e8dae8d00.json
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md",
 "external_id": "F0001.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--bb0c753c-31a4-48b9-9548-47a29cce149a.json b/mbc/attack-pattern/attack-pattern--bb0c753c-31a4-48b9-9548-47a29cce149a.json
index 1490dffc..3507aee8 100644
--- a/mbc/attack-pattern/attack-pattern--bb0c753c-31a4-48b9-9548-47a29cce149a.json
+++ b/mbc/attack-pattern/attack-pattern--bb0c753c-31a4-48b9-9548-47a29cce149a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bb0c753c-31a4-48b9-9548-47a29cce149a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.935444Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.211201Z",
 "name": "Window Text",
 "description": "After finding an open application window, malware gets graphical window text.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/app-window-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/application-window-discovery.md",
 "external_id": "E1010.m01"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--bb3514c7-f3ad-4236-b5b9-a38aa432ea17.json b/mbc/attack-pattern/attack-pattern--bb3514c7-f3ad-4236-b5b9-a38aa432ea17.json
index 0961894f..402a03f2 100644
--- a/mbc/attack-pattern/attack-pattern--bb3514c7-f3ad-4236-b5b9-a38aa432ea17.json
+++ b/mbc/attack-pattern/attack-pattern--bb3514c7-f3ad-4236-b5b9-a38aa432ea17.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bb3514c7-f3ad-4236-b5b9-a38aa432ea17",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.764262Z",
- "modified": "2022-02-05T00:37:22.694887Z",
+ "modified": "2022-09-08T18:26:13.263733Z",
 "name": "Compromise Data Integrity",
 "description": "Data stored on the file system of a compromised system is manipulated to compromise its integrity.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/compromise-data.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/compromise-data-integrity.md",
 "external_id": "B0016"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--bb61fa8d-d4d6-492b-9885-17b320bddf36.json b/mbc/attack-pattern/attack-pattern--bb61fa8d-d4d6-492b-9885-17b320bddf36.json
index 843ea3b3..f3755f16 100644
--- a/mbc/attack-pattern/attack-pattern--bb61fa8d-d4d6-492b-9885-17b320bddf36.json
+++ b/mbc/attack-pattern/attack-pattern--bb61fa8d-d4d6-492b-9885-17b320bddf36.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bb61fa8d-d4d6-492b-9885-17b320bddf36",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.751794Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.204823Z",
 "name": "Control Dependence",
 "description": "Data is propagated via an if-then-else clause instead of direct assignment.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-data-flow-analysis.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/data-flow-analysis-evasion.md",
 "external_id": "B0045.001"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--bbcbbd85-689f-486f-b3be-e36852dfe5c5.json b/mbc/attack-pattern/attack-pattern--bbcbbd85-689f-486f-b3be-e36852dfe5c5.json
index a5fd1be6..c552e691 100644
--- a/mbc/attack-pattern/attack-pattern--bbcbbd85-689f-486f-b3be-e36852dfe5c5.json
+++ b/mbc/attack-pattern/attack-pattern--bbcbbd85-689f-486f-b3be-e36852dfe5c5.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bbcbbd85-689f-486f-b3be-e36852dfe5c5",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.008483Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.338251Z",
 "name": "pHash::Non-Cryptographic Hash",
 "description": "Malware uses the pHash hash function.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md",
 "external_id": "C0030.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f.json b/mbc/attack-pattern/attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f.json
index 05a4a7d7..edc58816 100644
--- a/mbc/attack-pattern/attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f.json
+++ b/mbc/attack-pattern/attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.716259Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.213401Z",
 "name": "System Information Discovery",
 "description": "Malware may attempt to get detailed information about the system.",
 "kill_chain_phases": [
@@ -20,13 +20,28 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/system-info-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/system-information-discovery.md",
 "external_id": "E1082"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1082",
- "external_id": "T1082"
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--bdeba524-0f2d-4d2f-a107-2b7516a0b496.json b/mbc/attack-pattern/attack-pattern--bdeba524-0f2d-4d2f-a107-2b7516a0b496.json
index 58cce0c7..fe906186 100644
--- a/mbc/attack-pattern/attack-pattern--bdeba524-0f2d-4d2f-a107-2b7516a0b496.json
+++ b/mbc/attack-pattern/attack-pattern--bdeba524-0f2d-4d2f-a107-2b7516a0b496.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bdeba524-0f2d-4d2f-a107-2b7516a0b496",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.475261Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.321116Z",
 "name": "Timing/Delay Check GetTickCount",
 "description": "Malware uses GetTickCount function in a timing/delay check.",
 "kill_chain_phases": [
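Review bot: The first `external_source` URL added in the `@@ -20,13 +20,28 @@` hunk carries a Google Analytics query string (`?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279`), which is a per-browser tracking identifier copied from whoever fetched the page, not part of the resource, and it does not belong in a published dataset; it also makes the reference fragile if the vendor changes or drops that parameter. Trim it to `"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2"`. The generator that builds these bundles would benefit from a check that strips or rejects tracking parameters such as `_ga` and `utm_*` before writing reference URLs, so this does not recur in later MBC releases.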
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.032"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--bdf66c87-1488-4eed-ae9c-2482bc93e93d.json b/mbc/attack-pattern/attack-pattern--bdf66c87-1488-4eed-ae9c-2482bc93e93d.json
index c8ca9b8d..033e6142 100644
--- a/mbc/attack-pattern/attack-pattern--bdf66c87-1488-4eed-ae9c-2482bc93e93d.json
+++ b/mbc/attack-pattern/attack-pattern--bdf66c87-1488-4eed-ae9c-2482bc93e93d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bdf66c87-1488-4eed-ae9c-2482bc93e93d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.970483Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.376431Z",
 "name": "Send File::FTP Communication",
 "description": "Send FTP file.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/ftp-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/ftp-communication.md",
 "external_id": "C0004.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--be9f9f28-01bb-4b94-b973-14f06a71c968.json b/mbc/attack-pattern/attack-pattern--be9f9f28-01bb-4b94-b973-14f06a71c968.json
index 6b4da8ec..3e7250fa 100644
--- a/mbc/attack-pattern/attack-pattern--be9f9f28-01bb-4b94-b973-14f06a71c968.json
+++ b/mbc/attack-pattern/attack-pattern--be9f9f28-01bb-4b94-b973-14f06a71c968.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--be9f9f28-01bb-4b94-b973-14f06a71c968",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.47626Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.321926Z",
 "name": "WudfIsAnyDebuggerPresent",
 "description": "Includes use of WudfIsAnyDebuggerPresent, WudfIsKernelDebuggerPresent, WudfIsUserDebuggerPresent.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.031"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--becb5385-146e-42a3-a343-5beffc43a15c.json b/mbc/attack-pattern/attack-pattern--becb5385-146e-42a3-a343-5beffc43a15c.json
index accf2b94..70d016bc 100644
--- a/mbc/attack-pattern/attack-pattern--becb5385-146e-42a3-a343-5beffc43a15c.json
+++ b/mbc/attack-pattern/attack-pattern--becb5385-146e-42a3-a343-5beffc43a15c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--becb5385-146e-42a3-a343-5beffc43a15c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.992483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.389187Z",
 "name": "3DES::Encrypt Data",
 "description": "Malware encrypts with the 3DES algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
 "external_id": "C0027.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--befe8d09-ebeb-4a60-89a4-9efaaf325e9b.json b/mbc/attack-pattern/attack-pattern--befe8d09-ebeb-4a60-89a4-9efaaf325e9b.json
index be51ee5d..a70d9d66 100644
--- a/mbc/attack-pattern/attack-pattern--befe8d09-ebeb-4a60-89a4-9efaaf325e9b.json
+++ b/mbc/attack-pattern/attack-pattern--befe8d09-ebeb-4a60-89a4-9efaaf325e9b.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--befe8d09-ebeb-4a60-89a4-9efaaf325e9b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:36.109082Z",
- "modified": "2022-02-05T00:37:22.819853Z",
+ "modified": "2022-09-08T18:26:13.4016Z",
 "name": "Get Variable::Environment Variable",
 "description": "Malware gets an environment variable.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/enviro-var.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/environment-variable.md",
 "external_id": "C0034.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--bf25a194-496a-4db2-801b-f2c5d3f951b5.json b/mbc/attack-pattern/attack-pattern--bf25a194-496a-4db2-801b-f2c5d3f951b5.json
index ee821820..8be53d71 100644
--- a/mbc/attack-pattern/attack-pattern--bf25a194-496a-4db2-801b-f2c5d3f951b5.json
+++ b/mbc/attack-pattern/attack-pattern--bf25a194-496a-4db2-801b-f2c5d3f951b5.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bf25a194-496a-4db2-801b-f2c5d3f951b5",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.008483Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.337978Z",
 "name": "MurmurHash::Non-Cryptographic Hash",
 "description": "Malware uses the MurmurHash hash function.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md",
 "external_id": "C0030.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--bf339932-e456-44db-a711-b2d3482d9065.json b/mbc/attack-pattern/attack-pattern--bf339932-e456-44db-a711-b2d3482d9065.json
index 4cff578b..d529efd0 100644
--- a/mbc/attack-pattern/attack-pattern--bf339932-e456-44db-a711-b2d3482d9065.json
+++ b/mbc/attack-pattern/attack-pattern--bf339932-e456-44db-a711-b2d3482d9065.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--bf339932-e456-44db-a711-b2d3482d9065",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.996445Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.396775Z",
 "name": "Mersenne Twister::Generate Pseudo-random Sequence",
 "description": "Malware generates a pseudo-random sequence using the Mersenne Twister PRNG.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md",
 "external_id": "C0021.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c08285dc-2707-4016-9db1-187e19f504f6.json b/mbc/attack-pattern/attack-pattern--c08285dc-2707-4016-9db1-187e19f504f6.json
index f80d77f2..9d1e4c6c 100644
--- a/mbc/attack-pattern/attack-pattern--c08285dc-2707-4016-9db1-187e19f504f6.json
+++ b/mbc/attack-pattern/attack-pattern--c08285dc-2707-4016-9db1-187e19f504f6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c08285dc-2707-4016-9db1-187e19f504f6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.499265Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.28893Z",
 "name": "Instruction Testing - VPCEXT",
 "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.038"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9.json b/mbc/attack-pattern/attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9.json
index 3dc133ed..ab5194a9 100644
--- a/mbc/attack-pattern/attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9.json
+++ b/mbc/attack-pattern/attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.566267Z",
- "modified": "2022-02-05T00:37:22.585511Z",
+ "modified": "2022-09-08T18:26:13.203067Z",
 "name": "Executable Code Optimization",
 "description": "Code is optimized, making it harder to statically analyze.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-optimize.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-optimization.md",
 "external_id": "B0034"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c.json b/mbc/attack-pattern/attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c.json
index 4fa3abcb..0d7c319e 100644
--- a/mbc/attack-pattern/attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c.json
+++ b/mbc/attack-pattern/attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.82226Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.367861Z",
 "name": "Connect Pipe::Interprocess Communication",
 "kill_chain_phases": [
 {
@@ -19,7 +19,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md",
 "external_id": "C0003.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824.json b/mbc/attack-pattern/attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824.json
index 7e245eea..e58a76fe 100644
--- a/mbc/attack-pattern/attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824.json
+++ b/mbc/attack-pattern/attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.796261Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.262138Z",
 "name": "Remote Access",
 "description": "Malware may provide an attacker with potentially full access to a system via a remote network connection, which may also provide persistence.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/remote-access.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/remote-access.md",
 "external_id": "B0022"
 },
 {
@@ -38,6 +38,10 @@
 {
 "source_name": "external_source",
 "url": "https://en.wikipedia.org/wiki/DarkComet"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--c2c8a6d7-c5be-40c2-98ae-96640b2048af.json b/mbc/attack-pattern/attack-pattern--c2c8a6d7-c5be-40c2-98ae-96640b2048af.json
index c1ec4821..ed35b981 100644
--- a/mbc/attack-pattern/attack-pattern--c2c8a6d7-c5be-40c2-98ae-96640b2048af.json
+++ b/mbc/attack-pattern/attack-pattern--c2c8a6d7-c5be-40c2-98ae-96640b2048af.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/modify-hardware.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/modify-hardware.md",
 "external_id": "B0042.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c2e926cc-5d54-4cce-91f3-acf946574563.json b/mbc/attack-pattern/attack-pattern--c2e926cc-5d54-4cce-91f3-acf946574563.json
index c63e301c..f8000edd 100644
--- a/mbc/attack-pattern/attack-pattern--c2e926cc-5d54-4cce-91f3-acf946574563.json
+++ b/mbc/attack-pattern/attack-pattern--c2e926cc-5d54-4cce-91f3-acf946574563.json
@@ -19,7 +19,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md",
 "external_id": "B0011.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c31eb81c-b21c-4ae2-aed3-bcc77821d3ca.json b/mbc/attack-pattern/attack-pattern--c31eb81c-b21c-4ae2-aed3-bcc77821d3ca.json
index f284e5ad..5af072ad 100644
--- a/mbc/attack-pattern/attack-pattern--c31eb81c-b21c-4ae2-aed3-bcc77821d3ca.json
+++ b/mbc/attack-pattern/attack-pattern--c31eb81c-b21c-4ae2-aed3-bcc77821d3ca.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c31eb81c-b21c-4ae2-aed3-bcc77821d3ca",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.861259Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.34657Z",
 "name": "Append Extension::Alter File Extension",
 "description": "A new extension is appended.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/alter-extend.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/alter-file-extension.md",
 "external_id": "C0015.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c3a03554-f52e-49bd-ad0d-f01d4ded7f39.json b/mbc/attack-pattern/attack-pattern--c3a03554-f52e-49bd-ad0d-f01d4ded7f39.json
index 3caf2c54..30893cf6 100644
--- a/mbc/attack-pattern/attack-pattern--c3a03554-f52e-49bd-ad0d-f01d4ded7f39.json
+++ b/mbc/attack-pattern/attack-pattern--c3a03554-f52e-49bd-ad0d-f01d4ded7f39.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md",
 "external_id": "C0032.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c4004f59-4494-4ba9-b5d0-334fd96068ee.json b/mbc/attack-pattern/attack-pattern--c4004f59-4494-4ba9-b5d0-334fd96068ee.json
index e845cb60..d3f192f1 100644
--- a/mbc/attack-pattern/attack-pattern--c4004f59-4494-4ba9-b5d0-334fd96068ee.json
+++ b/mbc/attack-pattern/attack-pattern--c4004f59-4494-4ba9-b5d0-334fd96068ee.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/modulo.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/modulo.md",
 "external_id": "C0058"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c44b1c58-8da1-4ebe-a427-a9f2821e7a85.json b/mbc/attack-pattern/attack-pattern--c44b1c58-8da1-4ebe-a427-a9f2821e7a85.json
index ca7a3f53..5e615e88 100644
--- a/mbc/attack-pattern/attack-pattern--c44b1c58-8da1-4ebe-a427-a9f2821e7a85.json
+++ b/mbc/attack-pattern/attack-pattern--c44b1c58-8da1-4ebe-a427-a9f2821e7a85.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c44b1c58-8da1-4ebe-a427-a9f2821e7a85",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.845581Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.403617Z",
 "name": "Bootloader",
 "description": "A bootloader rootkit modifies the bootloader, enabling activation before the operating system is started. Also known as a Bootkit. See ATT&CK: [Bootkit](https://attack.mitre.org/techniques/T1542/003/).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md",
 "external_id": "E1014.m13"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c484a07a-2c0e-4141-bfd0-161a38812c64.json b/mbc/attack-pattern/attack-pattern--c484a07a-2c0e-4141-bfd0-161a38812c64.json
index c9e770c3..373bb0b6 100644
--- a/mbc/attack-pattern/attack-pattern--c484a07a-2c0e-4141-bfd0-161a38812c64.json
+++ b/mbc/attack-pattern/attack-pattern--c484a07a-2c0e-4141-bfd0-161a38812c64.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c484a07a-2c0e-4141-bfd0-161a38812c64",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.75826Z",
- "modified": "2022-02-05T00:37:22.694887Z",
+ "modified": "2022-09-08T18:26:13.271823Z",
 "name": "Encoding - Standard Encoding",
 "description": "Data is encoded. A standard algorithm, such as base64 encoding, is used to encode the exfiltrated data.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md",
 "external_id": "E1560.m03"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63.json b/mbc/attack-pattern/attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63.json
index 33136dda..e6249241 100644
--- a/mbc/attack-pattern/attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63.json
+++ b/mbc/attack-pattern/attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.69826Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.404863Z",
 "name": "Rootkit",
 "description": "Behaviors of a rootkit: \"A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that is not otherwise allowed and often masks its existence or the existence of other software.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md",
 "external_id": "E1014"
 },
 {
@@ -32,9 +32,12 @@
 "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1014",
- "external_id": "T1014"
+ "source_name": "external_source",
+ "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--c5c986d0-cf3f-44bb-9f0e-023783e6066d.json b/mbc/attack-pattern/attack-pattern--c5c986d0-cf3f-44bb-9f0e-023783e6066d.json
new file mode 100644
index 00000000..0d5558e3
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--c5c986d0-cf3f-44bb-9f0e-023783e6066d.json
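Review bot: The `mitre-attack` external reference (`"external_id": "T1014"`) is dropped from the Rootkit object's external_references in favour of two `external_source` links, so the only remaining machine-readable tie to ATT&CK is the E-prefixed MBC id "E1014"; consumers that resolve MBC-to-ATT&CK mappings by looking for `"source_name": "mitre-attack"` lose that pivot. The same removal happens for T1190 (Exploit Kit), T1569 (System Services) and T1112 (Modify Registry) later in this chunk, while the Modify Policy hunk goes the other way and embeds T1553.006/T1632.001 as markdown links inside `description`, which is not queryable. If the mapping is now meant to be derived from the E-number alone, the commit message should say so; otherwise keep the entry alongside the new sources, e.g. `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1014", "external_id": "T1014" }`.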
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--07e45fb2-c3e1-4440-911c-2a548648aaab",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--c5c986d0-cf3f-44bb-9f0e-023783e6066d",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.214811Z",
+ "modified": "2022-09-08T18:26:13.214811Z",
+ "name": "Known Windows Class Name",
+ "description": "Running program windows are checked to see if any windows class name contains a string indicating that an analysis tool is running. For example, 'WinDbgFrameClass' is Windbg main window\u2019s class name. [2]",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md",
+ "external_id": "B0013.010"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95.json b/mbc/attack-pattern/attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95.json
index b469f1cb..1cbc9031 100644
--- a/mbc/attack-pattern/attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95.json
+++ b/mbc/attack-pattern/attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95.json
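Review bot: The `description` of the new Known Windows Class Name object ends in a bare citation marker `[2]`, but its external_references holds only the mitre-mbc entry, so the footnote resolves to nothing once the object is consumed outside the markdown page it was generated from. Either strip the marker from the STIX `description` or carry the cited source over as a second entry, `{ "source_name": "external_source", "url": "<cited source URL>" }`, next to the mitre-mbc reference. The new bundle is also written without a terminating newline (`\ No newline at end of file`), which is worth fixing in the serializer so future diffs of this file stay clean.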
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.548264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.189627Z",
 "name": "Call Graph Generation Evasion",
 "description": "Malware code evades accurate call graph generation during disassembly. Call graphs are used by malware similarity tools and algorithms ([[1]](#1), [[4]](#4)), as well as for malware detection [[2]](#2).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-call-graph.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/call-graph-generation-evasion.md",
 "external_id": "B0010"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc.json b/mbc/attack-pattern/attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc.json
index f30c29ad..2acf71e5 100644
--- a/mbc/attack-pattern/attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc.json
+++ b/mbc/attack-pattern/attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-lib.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-lib.md",
 "external_id": "C0059"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644.json b/mbc/attack-pattern/attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644.json
index ce7874d7..eb114027 100644
--- a/mbc/attack-pattern/attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644.json
+++ b/mbc/attack-pattern/attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.518266Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.310636Z",
 "name": "Debugger Evasion",
 "description": "Behaviors that make debugging difficult.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--c863faee-3dcc-4fc0-9d16-9d0b7e75051c.json b/mbc/attack-pattern/attack-pattern--c863faee-3dcc-4fc0-9d16-9d0b7e75051c.json
index 063d8fa3..0d4fa6b5 100644
--- a/mbc/attack-pattern/attack-pattern--c863faee-3dcc-4fc0-9d16-9d0b7e75051c.json
+++ b/mbc/attack-pattern/attack-pattern--c863faee-3dcc-4fc0-9d16-9d0b7e75051c.json
@@ -8,9 +8,9 @@
 "id": "attack-pattern--c863faee-3dcc-4fc0-9d16-9d0b7e75051c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.65626Z",
- "modified": "2022-02-05T00:37:22.616726Z",
+ "modified": "2022-09-08T18:26:13.429818Z",
 "name": "Modify Policy",
- "description": "Malware may modify policies to make software less effective.",
+ "description": "Malware may modify policies to make software less effective. This is similar to ATT&CK's Subvert Trust Controls: Code Signing Policy Modification ([T1553.006](https://attack.mitre.org/techniques/T1553/006/), [T1632.001](https://attack.mitre.org/techniques/T1632/001/))",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
 "external_id": "F0004.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c8a2e7c9-e359-43de-ba00-ca147397701e.json b/mbc/attack-pattern/attack-pattern--c8a2e7c9-e359-43de-ba00-ca147397701e.json
index 8e3168f5..231cb0b4 100644
--- a/mbc/attack-pattern/attack-pattern--c8a2e7c9-e359-43de-ba00-ca147397701e.json
+++ b/mbc/attack-pattern/attack-pattern--c8a2e7c9-e359-43de-ba00-ca147397701e.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/copy-file.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/copy-file.md",
 "external_id": "C0045"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c8d17860-f4e4-4403-a28b-02c784a3ca70.json b/mbc/attack-pattern/attack-pattern--c8d17860-f4e4-4403-a28b-02c784a3ca70.json
index 62539a42..ef76a449 100644
--- a/mbc/attack-pattern/attack-pattern--c8d17860-f4e4-4403-a28b-02c784a3ca70.json
+++ b/mbc/attack-pattern/attack-pattern--c8d17860-f4e4-4403-a28b-02c784a3ca70.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c8d17860-f4e4-4403-a28b-02c784a3ca70",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.557264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.192535Z",
 "name": "Import Address Table Obfuscation",
 "description": "Obfuscate the import address table.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.011"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--c9223618-2865-499f-890e-2848db80a6d9.json b/mbc/attack-pattern/attack-pattern--c9223618-2865-499f-890e-2848db80a6d9.json
index 9a5a6341..8f9f955d 100644
--- a/mbc/attack-pattern/attack-pattern--c9223618-2865-499f-890e-2848db80a6d9.json
+++ b/mbc/attack-pattern/attack-pattern--c9223618-2865-499f-890e-2848db80a6d9.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--c9223618-2865-499f-890e-2848db80a6d9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.877737Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.243824Z",
 "name": "GetVolumeInformation",
 "description": "This Windows API call is used to get the GUID on a system drive. Malware compares it to a previous (targeted) GUID value and only executes maliciously if they match. This behavior can be mitigated in non-automated analysis environments.",
 "kill_chain_phases": [
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md",
 "external_id": "B0025.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ca32295b-c968-4099-a010-e8758c066be6.json b/mbc/attack-pattern/attack-pattern--ca32295b-c968-4099-a010-e8758c066be6.json
index 7606b267..36b330b5 100644
--- a/mbc/attack-pattern/attack-pattern--ca32295b-c968-4099-a010-e8758c066be6.json
+++ b/mbc/attack-pattern/attack-pattern--ca32295b-c968-4099-a010-e8758c066be6.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ca32295b-c968-4099-a010-e8758c066be6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.845581Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.404115Z",
 "name": "Hypervisor/Virtualized Rootkit",
 "description": "A hypervisor (virtualized) rootkit hosts the target operating system as a virtual machine, enabling interception of all hardware calls. Also called, virtual-machine-based rootkit (VMBR).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md",
 "external_id": "E1014.m15"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--1b8eadb6-6e0f-4739-b31c-2805b225aa89.json b/mbc/attack-pattern/attack-pattern--ca97cf63-678d-45e3-8ac8-bca2334e520e.json
similarity index 68%
rename from mbc/attack-pattern/attack-pattern--1b8eadb6-6e0f-4739-b31c-2805b225aa89.json
rename to mbc/attack-pattern/attack-pattern--ca97cf63-678d-45e3-8ac8-bca2334e520e.json
index e29d5056..ba41998c 100644
--- a/mbc/attack-pattern/attack-pattern--1b8eadb6-6e0f-4739-b31c-2805b225aa89.json
+++ b/mbc/attack-pattern/attack-pattern--ca97cf63-678d-45e3-8ac8-bca2334e520e.json
@@ -1,15 +1,15 @@
 {
 "type": "bundle",
- "id": "bundle--f3068cb3-c6da-4946-9b16-cf340eca4bce",
+ "id": "bundle--79057988-970f-4ac3-b984-103f4c9d2eaf",
 "objects": [
 {
 "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "attack-pattern--1b8eadb6-6e0f-4739-b31c-2805b225aa89",
+ "id": "attack-pattern--ca97cf63-678d-45e3-8ac8-bca2334e520e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.781262Z",
- "modified": "2022-02-05T00:37:22.71051Z",
- "name": "Exploit Kit Behavior",
+ "created": "2022-09-08T18:26:13.268708Z",
+ "modified": "2022-09-08T18:26:13.268708Z",
+ "name": "Exploit Kit",
 "description": "An Exploit Kit is a toolkit that exploits vulnerabilities in software to deliver malicious payloads (malware).",
 "kill_chain_phases": [
 {
@@ -20,17 +20,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/exploit-kit-behavior.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/exploit-kit.md",
 "external_id": "E1190"
 },
 {
 "source_name": "external_source",
 "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif"
- },
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1190",
- "external_id": "T1190"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--cada9d62-2163-42e3-88ec-d37e2ade1030.json b/mbc/attack-pattern/attack-pattern--cada9d62-2163-42e3-88ec-d37e2ade1030.json
index d6737a38..745a3fa6 100644
--- a/mbc/attack-pattern/attack-pattern--cada9d62-2163-42e3-88ec-d37e2ade1030.json
+++ b/mbc/attack-pattern/attack-pattern--cada9d62-2163-42e3-88ec-d37e2ade1030.json
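Review bot: The rename from "Exploit Kit Behavior" to "Exploit Kit" is implemented as a brand-new STIX object: `id` changes from `attack-pattern--1b8eadb6-…` to `attack-pattern--ca97cf63-…` and `created` is reset to 2022-09-08, even though `external_id` "E1190" and the description are untouched. STIX ids are meant to stay stable across versions of the same object, so anything holding the old id — including any `relationship` objects in this repository whose `source_ref`/`target_ref` point at it, which this chunk does not show — now dangles, and the 2020 provenance is lost. Keeping the original `id` and `created` and bumping only `modified` and `name` would turn this into an ordinary versioned update; if a fresh id is deliberate, the old object should remain in the bundle with `"revoked": true` so consumers can follow the replacement.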
@@ -8,7 +8,7 @@
 "id": "attack-pattern--cada9d62-2163-42e3-88ec-d37e2ade1030",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.502264Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.292135Z",
 "name": "Unique Hardware/Firmware Check - BIOS",
 "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. Characteristics of the BIOS, such as version, can indicate virtualization.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.024"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--cb1c9047-e589-4aed-b5d5-c6062a1ab340.json b/mbc/attack-pattern/attack-pattern--cb1c9047-e589-4aed-b5d5-c6062a1ab340.json
index 6203ec58..2c3ce9d9 100644
--- a/mbc/attack-pattern/attack-pattern--cb1c9047-e589-4aed-b5d5-c6062a1ab340.json
+++ b/mbc/attack-pattern/attack-pattern--cb1c9047-e589-4aed-b5d5-c6062a1ab340.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/lateral-movement/supply-chain-compromise.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/lateral-movement/supply-chain-compromise.md",
 "external_id": "E1195.m01"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--cb329a09-0291-4a05-ac20-3b35500bfd9b.json b/mbc/attack-pattern/attack-pattern--cb329a09-0291-4a05-ac20-3b35500bfd9b.json
index a8b27ed1..53edcaa8 100644
--- a/mbc/attack-pattern/attack-pattern--cb329a09-0291-4a05-ac20-3b35500bfd9b.json
+++ b/mbc/attack-pattern/attack-pattern--cb329a09-0291-4a05-ac20-3b35500bfd9b.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--cb329a09-0291-4a05-ac20-3b35500bfd9b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.522264Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.327226Z",
 "name": "Encode File",
 "description": "Encode a file on disk, such as an implant's config file.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md",
 "external_id": "B0003.006"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--cb5e801d-a60f-497e-93b6-23d5e29c09fd.json b/mbc/attack-pattern/attack-pattern--cb5e801d-a60f-497e-93b6-23d5e29c09fd.json
index 3e0fb0fb..0994ce1d 100644
--- a/mbc/attack-pattern/attack-pattern--cb5e801d-a60f-497e-93b6-23d5e29c09fd.json
+++ b/mbc/attack-pattern/attack-pattern--cb5e801d-a60f-497e-93b6-23d5e29c09fd.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--cb5e801d-a60f-497e-93b6-23d5e29c09fd",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.538265Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.276225Z",
 "name": "On-the-Fly APIs",
 "description": "Resolve API addresses before each use to prevent complete dumping.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md",
 "external_id": "B0006.007"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae.json b/mbc/attack-pattern/attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae.json
index f8513d0e..1bb89823 100644
--- a/mbc/attack-pattern/attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae.json
+++ b/mbc/attack-pattern/attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.73126Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.235931Z",
 "name": "Install Additional Program",
 "description": "Installs another, different program on the system. The additional program can be any secondary module; examples include backdoors, malicious drivers, kernel modules, and OS X Apps.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/install-prog.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/install-additional-program.md",
 "external_id": "B0023"
 },
 {
@@ -34,6 +34,10 @@
 {
 "source_name": "external_source",
 "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--cbfcfc30-2fa3-4160-a9ba-4cc6c0f48345.json b/mbc/attack-pattern/attack-pattern--cbfcfc30-2fa3-4160-a9ba-4cc6c0f48345.json
index 824086ed..d030cd52 100644
--- a/mbc/attack-pattern/attack-pattern--cbfcfc30-2fa3-4160-a9ba-4cc6c0f48345.json
+++ b/mbc/attack-pattern/attack-pattern--cbfcfc30-2fa3-4160-a9ba-4cc6c0f48345.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/modify-hardware.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/modify-hardware.md",
 "external_id": "B0042.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--cc396380-d266-4e87-8fc7-412e89a2b4b0.json b/mbc/attack-pattern/attack-pattern--cc396380-d266-4e87-8fc7-412e89a2b4b0.json
index 90e62ec3..3eb97187 100644
--- a/mbc/attack-pattern/attack-pattern--cc396380-d266-4e87-8fc7-412e89a2b4b0.json
+++ b/mbc/attack-pattern/attack-pattern--cc396380-d266-4e87-8fc7-412e89a2b4b0.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--cc396380-d266-4e87-8fc7-412e89a2b4b0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.908377Z",
- "modified": "2022-02-05T00:37:22.694887Z",
+ "modified": "2022-09-08T18:26:13.246998Z",
 "name": "System Services",
 "description": "Malware may abuse system services or daemons to execute.",
 "kill_chain_phases": [
@@ -20,17 +20,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/system-services.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/system-services.md",
 "external_id": "E1569"
 },
 {
 "source_name": "external_source",
 "url": "https://support.resolver.com/hc/en-ca/articles/207161116-Configure-Microsoft-Distributed-Transaction-Coordinator-MSDTC-"
- },
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1569/",
- "external_id": "T1569"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--cc89a8c1-00d2-4ae2-bda2-a35398a63214.json b/mbc/attack-pattern/attack-pattern--cc89a8c1-00d2-4ae2-bda2-a35398a63214.json
index dd4a0cbb..236d3499 100644
--- a/mbc/attack-pattern/attack-pattern--cc89a8c1-00d2-4ae2-bda2-a35398a63214.json
+++ b/mbc/attack-pattern/attack-pattern--cc89a8c1-00d2-4ae2-bda2-a35398a63214.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--cc89a8c1-00d2-4ae2-bda2-a35398a63214",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.501259Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.289829Z",
 "name": "Modern Specs Check - Keyboard layout",
 "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Check keyboard layout.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.019"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--cd438b37-74b0-433b-85d2-8530724401fa.json b/mbc/attack-pattern/attack-pattern--cd438b37-74b0-433b-85d2-8530724401fa.json
index 8ffb2feb..bb23ef1b 100644
--- a/mbc/attack-pattern/attack-pattern--cd438b37-74b0-433b-85d2-8530724401fa.json
+++ b/mbc/attack-pattern/attack-pattern--cd438b37-74b0-433b-85d2-8530724401fa.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--cd438b37-74b0-433b-85d2-8530724401fa",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.499265Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.288336Z",
 "name": "Instruction Testing - STR",
 "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.033"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--ce322a95-0385-40cb-af25-96e377a7de8f.json b/mbc/attack-pattern/attack-pattern--ce322a95-0385-40cb-af25-96e377a7de8f.json
index 1fcc7da1..26eff9fe 100644
--- a/mbc/attack-pattern/attack-pattern--ce322a95-0385-40cb-af25-96e377a7de8f.json
+++ b/mbc/attack-pattern/attack-pattern--ce322a95-0385-40cb-af25-96e377a7de8f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ce322a95-0385-40cb-af25-96e377a7de8f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.565262Z",
- "modified": "2022-02-05T00:37:22.585511Z",
+ "modified": "2022-09-08T18:26:13.20246Z",
 "name": "Jump/Call Absolute Address",
 "description": "Relative operands of jumps and calls into are made absolute (better compression). May confuse some basic block detection algorithms.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-optimize.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-optimization.md",
 "external_id": "B0034.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74.json b/mbc/attack-pattern/attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74.json
index a947403a..3d9b1149 100644
--- a/mbc/attack-pattern/attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74.json
+++ b/mbc/attack-pattern/attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74.json
@@ -8,7 +8,7 @@ "id": "attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.67026Z", - "modified": "2022-02-05T00:37:22.632387Z", + "modified": "2022-09-08T18:26:13.412487Z", "name": "Modify Registry", "description": "Malware may make changes to the Windows Registry to hide execution or to persist on the system (note that ATT&CK does not extend this behavior to the Persistence objective).", "kill_chain_phases": [ @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/modify-reg.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/modify-registry.md", "external_id": "E1112" }, { @@ -32,9 +32,24 @@ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1112", - "external_id": "T1112" + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON" + }, + { + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--ced26a03-d356-4f8e-8337-9a07c0becd86.json b/mbc/attack-pattern/attack-pattern--ced26a03-d356-4f8e-8337-9a07c0becd86.json index 53df2623..cd6763cf 100644 
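Review bot: The `@@ -32,9 +32,24 @@` hunk removes the only machine-readable ATT&CK cross-reference from E1112 (`"source_name": "mitre-attack"`, `"external_id": "T1112"`) while the `description` still frames the behavior in terms of ATT&CK, so consumers that pivot MBC→ATT&CK through `external_references` lose the link and are left to infer it from the `E1112` numbering. If retiring `mitre-attack` references is a deliberate v2.3 decision it should be stated in the commit message or as a `"description"` on the `mitre-mbc` reference; otherwise keep `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1112", "external_id": "T1112" }` alongside the new entries. The five added `external_source` references carry only a `url`; a short `"description"` (report title or vendor) on each would let tooling label the citation rather than render a bare link, and would survive if the URL later rots.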
--- a/mbc/attack-pattern/attack-pattern--ced26a03-d356-4f8e-8337-9a07c0becd86.json +++ b/mbc/attack-pattern/attack-pattern--ced26a03-d356-4f8e-8337-9a07c0becd86.json @@ -8,7 +8,7 @@ "id": "attack-pattern--ced26a03-d356-4f8e-8337-9a07c0becd86", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.982483Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.375069Z", "name": "TCP Server::Socket Communication", "description": "TCP server behavior.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--cefefa87-2f06-4008-afcf-847a8bd746af.json b/mbc/attack-pattern/attack-pattern--cefefa87-2f06-4008-afcf-847a8bd746af.json index 5235dc1f..2b685f9a 100644 --- a/mbc/attack-pattern/attack-pattern--cefefa87-2f06-4008-afcf-847a8bd746af.json +++ b/mbc/attack-pattern/attack-pattern--cefefa87-2f06-4008-afcf-847a8bd746af.json @@ -8,7 +8,7 @@ "id": "attack-pattern--cefefa87-2f06-4008-afcf-847a8bd746af", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.982483Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.374529Z", "name": "Receive TCP Data::Socket Communication", "description": "Receive TCP data.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.016" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--cfa8658b-c504-41eb-9886-05de4962319c.json b/mbc/attack-pattern/attack-pattern--cfa8658b-c504-41eb-9886-05de4962319c.json index f1ead62a..aaab3e7d 100644 --- a/mbc/attack-pattern/attack-pattern--cfa8658b-c504-41eb-9886-05de4962319c.json +++ b/mbc/attack-pattern/attack-pattern--cfa8658b-c504-41eb-9886-05de4962319c.json @@ -8,7 +8,7 @@ "id": "attack-pattern--cfa8658b-c504-41eb-9886-05de4962319c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.982483Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.374171Z", "name": "Receive Data::Socket Communication", "description": "Receive data on socket.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.006" } ], diff --git a/mbc/attack-pattern/attack-pattern--d10a18cc-23b6-4421-82e1-1ba28319012b.json b/mbc/attack-pattern/attack-pattern--d10a18cc-23b6-4421-82e1-1ba28319012b.json index 3d670238..bd46a3bb 100644 --- a/mbc/attack-pattern/attack-pattern--d10a18cc-23b6-4421-82e1-1ba28319012b.json +++ b/mbc/attack-pattern/attack-pattern--d10a18cc-23b6-4421-82e1-1ba28319012b.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--d10a18cc-23b6-4421-82e1-1ba28319012b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.90926Z", - "modified": "2022-02-05T00:37:22.835477Z", + "modified": "2022-09-08T18:26:13.256882Z", "name": "Kernel Modules and Extensions", "description": "Malware may use loadable kernel modules to persist on a system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. Malware may try to hide drivers or modules by creating them without a name.", "kill_chain_phases": [ @@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/kernel-modules-ext.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/kernel-modules-and-extensions.md", "external_id": "F0010" } ], diff --git a/mbc/attack-pattern/attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263.json b/mbc/attack-pattern/attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263.json deleted file mode 100644 index 3f4a98df..00000000 --- a/mbc/attack-pattern/attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263.json +++ /dev/null 
@@ -1,61 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--8f5421b0-b0d1-4e7f-a1d6-0b56034f4016", - "objects": [ - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.634261Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Hooking", - "description": "Malware alters API behavior or redirects execution to a malicious API version for a variety of purposes. Malware may use hooking to load and execute code within the context of another process, hiding execution and gaining elevated privileges and access to the process's memory. Methods related to anti-behavioral analysis are below. For example, hooking can be used to prevent memory dumps - see also [Memory Dump Evasion](https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003" - }, - { - "source_name": "external_source", - "url": "https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures" - }, - { - "source_name": "external_source", - "url": "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/" - } - ], - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false - } - ] -} \ No newline at end of file diff --git a/mbc/attack-pattern/attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2.json b/mbc/attack-pattern/attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2.json index ecbcbdd1..a2f08ac1 100644 --- a/mbc/attack-pattern/attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2.json +++ b/mbc/attack-pattern/attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.002478Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.330475Z", "name": "Compress Data", "description": "Malware may compress data.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/compress.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/compress-data.md", "external_id": "C0024" } ], diff --git a/mbc/attack-pattern/attack-pattern--d26aaa4d-5143-4888-b81c-346d3b51641b.json b/mbc/attack-pattern/attack-pattern--d26aaa4d-5143-4888-b81c-346d3b51641b.json index 0a5f86a5..9eb54583 100644 --- a/mbc/attack-pattern/attack-pattern--d26aaa4d-5143-4888-b81c-346d3b51641b.json +++ b/mbc/attack-pattern/attack-pattern--d26aaa4d-5143-4888-b81c-346d3b51641b.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/create-file.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/create-file.md", "external_id": "C0016.002" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--d27a6bf4-7e7b-4007-9301-20eec9d8fe20.json b/mbc/attack-pattern/attack-pattern--d27a6bf4-7e7b-4007-9301-20eec9d8fe20.json index 60b01b94..02e837cf 100644 --- a/mbc/attack-pattern/attack-pattern--d27a6bf4-7e7b-4007-9301-20eec9d8fe20.json +++ b/mbc/attack-pattern/attack-pattern--d27a6bf4-7e7b-4007-9301-20eec9d8fe20.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d27a6bf4-7e7b-4007-9301-20eec9d8fe20", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.981483Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.372896Z", "name": "Connect Socket::Socket Communication", "description": "A server or client connects via a TCP socket.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.004" } ], diff --git a/mbc/attack-pattern/attack-pattern--d2dd9838-ea8f-4a2f-99f4-8a8a468110a4.json b/mbc/attack-pattern/attack-pattern--d2dd9838-ea8f-4a2f-99f4-8a8a468110a4.json index 8feabd7c..20055eb0 100644 --- a/mbc/attack-pattern/attack-pattern--d2dd9838-ea8f-4a2f-99f4-8a8a468110a4.json +++ b/mbc/attack-pattern/attack-pattern--d2dd9838-ea8f-4a2f-99f4-8a8a468110a4.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d2dd9838-ea8f-4a2f-99f4-8a8a468110a4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.382007Z", "name": "Tiger::Cryptographic Hash", "description": "Malware uses a Tiger hash.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", "external_id": "C0029.005" } ], diff --git a/mbc/attack-pattern/attack-pattern--d320eec6-6fe3-4fd8-81f8-700742858f19.json b/mbc/attack-pattern/attack-pattern--d320eec6-6fe3-4fd8-81f8-700742858f19.json index c586b554..c443e5bf 100644 --- a/mbc/attack-pattern/attack-pattern--d320eec6-6fe3-4fd8-81f8-700742858f19.json +++ b/mbc/attack-pattern/attack-pattern--d320eec6-6fe3-4fd8-81f8-700742858f19.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/synchronization.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/synchronization.md", "external_id": "C0022.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--d3656287-db62-4856-860d-6b3ff60e23b2.json b/mbc/attack-pattern/attack-pattern--d3656287-db62-4856-860d-6b3ff60e23b2.json index 6866076d..2a0b5187 100644 --- a/mbc/attack-pattern/attack-pattern--d3656287-db62-4856-860d-6b3ff60e23b2.json +++ b/mbc/attack-pattern/attack-pattern--d3656287-db62-4856-860d-6b3ff60e23b2.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--d3656287-db62-4856-860d-6b3ff60e23b2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.489264Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.281218Z", "name": "Check File and Directory Artifacts", "description": "Virtual machines create files on the file system (e.g., VMware creates files in the installation directory C:\\Program Files\\VMware\\VMware Tools). Malware can check the different folders to find virtual machine artifacts (e.g., Virtualbox has the artifact VBoxMouse.sys).", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", "external_id": "B0009.001" }, { diff --git a/mbc/attack-pattern/attack-pattern--d37365f4-63c4-4c3e-a81e-be518e7561f1.json b/mbc/attack-pattern/attack-pattern--d37365f4-63c4-4c3e-a81e-be518e7561f1.json index a3b8aac0..55b5fc0a 100644 --- a/mbc/attack-pattern/attack-pattern--d37365f4-63c4-4c3e-a81e-be518e7561f1.json +++ b/mbc/attack-pattern/attack-pattern--d37365f4-63c4-4c3e-a81e-be518e7561f1.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d37365f4-63c4-4c3e-a81e-be518e7561f1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.386298Z", "name": "RSA::Decrypt Data", "description": "Malware decrypts data encrypted with the RSA algorithm.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", "external_id": "C0031.010" } ], diff --git a/mbc/attack-pattern/attack-pattern--d447c221-2ab5-4378-bb19-78b97869fa58.json b/mbc/attack-pattern/attack-pattern--d447c221-2ab5-4378-bb19-78b97869fa58.json index 524c74f5..9d6f915e 100644 --- a/mbc/attack-pattern/attack-pattern--d447c221-2ab5-4378-bb19-78b97869fa58.json +++ b/mbc/attack-pattern/attack-pattern--d447c221-2ab5-4378-bb19-78b97869fa58.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d447c221-2ab5-4378-bb19-78b97869fa58", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.386793Z", "name": "Sosemanuk::Decrypt Data", "description": "Malware decrypts data encrypted with the Sosemanuk stream cipher.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", "external_id": "C0031.012" } ], diff --git a/mbc/attack-pattern/attack-pattern--d4aefa59-0817-4916-ad93-6ef174e070d3.json b/mbc/attack-pattern/attack-pattern--d4aefa59-0817-4916-ad93-6ef174e070d3.json index 165fb479..25bc0c65 100644 --- a/mbc/attack-pattern/attack-pattern--d4aefa59-0817-4916-ad93-6ef174e070d3.json +++ b/mbc/attack-pattern/attack-pattern--d4aefa59-0817-4916-ad93-6ef174e070d3.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--d4aefa59-0817-4916-ad93-6ef174e070d3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.751794Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.205462Z", "name": "Arbitrary Memory Corruption", "description": "Data is propagated by corrupting memory, for example overwriting a region of stack space where a file pointer is held.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-data-flow-analysis.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/data-flow-analysis-evasion.md", "external_id": "B0045.003" }, { diff --git a/mbc/attack-pattern/attack-pattern--8c5ccf4d-b443-4803-8e69-eb83b1564c48.json b/mbc/attack-pattern/attack-pattern--d4b4af24-91a5-4f21-82c6-7f67f316239f.json similarity index 84% rename from mbc/attack-pattern/attack-pattern--8c5ccf4d-b443-4803-8e69-eb83b1564c48.json rename to mbc/attack-pattern/attack-pattern--d4b4af24-91a5-4f21-82c6-7f67f316239f.json index ca919d48..8cde1fc7 100644 --- a/mbc/attack-pattern/attack-pattern--8c5ccf4d-b443-4803-8e69-eb83b1564c48.json +++ b/mbc/attack-pattern/attack-pattern--d4b4af24-91a5-4f21-82c6-7f67f316239f.json 
@@ -1,14 +1,14 @@ { "type": "bundle", - "id": "bundle--9b58d894-3c7e-4de4-9a04-c722e7934231", + "id": "bundle--d8000f15-19d2-472f-9d36-e96690ba0a72", "objects": [ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8c5ccf4d-b443-4803-8e69-eb83b1564c48", + "id": "attack-pattern--d4b4af24-91a5-4f21-82c6-7f67f316239f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": "2022-02-05T00:37:22.601096Z", + "created": "2022-09-08T18:26:13.419767Z", + "modified": "2022-09-08T18:26:13.419767Z", "name": "Procedure Hooking", "description": "Intercepts and executes designated code in response to events such as messages, keystrokes, and mouse inputs.", "kill_chain_phases": [ @@ -40,8 +40,8 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", + "external_id": "F0015.007" }, { "source_name": "external_source", diff --git a/mbc/attack-pattern/attack-pattern--d4b96b74-7cf9-46c2-8c09-ea8fd124b15a.json b/mbc/attack-pattern/attack-pattern--d4b96b74-7cf9-46c2-8c09-ea8fd124b15a.json index 52dd4939..a927c372 100644 --- a/mbc/attack-pattern/attack-pattern--d4b96b74-7cf9-46c2-8c09-ea8fd124b15a.json +++ b/mbc/attack-pattern/attack-pattern--d4b96b74-7cf9-46c2-8c09-ea8fd124b15a.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d4b96b74-7cf9-46c2-8c09-ea8fd124b15a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.849262Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.395976Z", "name": "Use API::Generate Pseudo-random Sequence", "description": "Malware generates a pseudo-random sequence using a Windows API.", "kill_chain_phases": [ 
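Review bot: The `@@ -1,14 +1,14 @@` hunk assigns a new STIX `id` to an existing object (`attack-pattern--8c5ccf4d…` → `attack-pattern--d4b4af24…`) and resets `created` to the same instant as `modified`, so to any STIX 2.1 consumer this is a brand-new Procedure Hooking object with no version history, and any relationship or report that cited the old id now dangles silently — the old id does not reappear anywhere in the visible diff with `"revoked": true`. Moving the method from F0003.003 to F0015.007 is a change to `external_references`, not a change of identity; in STIX 2.1 `id` and `created` are meant to be immutable across versions, so the expected update is to keep both and bump only `modified` and the reference entry. If a fresh id is genuinely required, the previous object should stay behind as a revoked tombstone so downstream caches learn that it was superseded. The unchanged `name` and `description` in the same hunk support treating this as the same object.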
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md", "external_id": "C0021.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--d5762c67-a576-4aa8-aacd-3fba3a7f4599.json b/mbc/attack-pattern/attack-pattern--d5762c67-a576-4aa8-aacd-3fba3a7f4599.json index ce035f32..f90c9ca1 100644 --- a/mbc/attack-pattern/attack-pattern--d5762c67-a576-4aa8-aacd-3fba3a7f4599.json +++ b/mbc/attack-pattern/attack-pattern--d5762c67-a576-4aa8-aacd-3fba3a7f4599.json @@ -8,9 +8,9 @@ "id": "attack-pattern--d5762c67-a576-4aa8-aacd-3fba3a7f4599", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", + "modified": "2022-09-08T18:26:13.243519Z", "name": "Environmental Keys", - "description": "Malware reads certain attributes of the system (BIOS version string, hostname, MAC address, etc.) and encrypts/decrypts portions of its code or data using those attributes as input, thus preventing itself from being run on an unintended system (e.g., sandbox, emulator, etc.). Also see Deposited Keys Method.", + "description": "Malware reads certain attributes of the system (BIOS version string, hostname, MAC address, etc.) and encrypts/decrypts portions of its code or data using those attributes as input, thus preventing itself from being run on an unintended system (e.g., sandbox, emulator, etc.). Also see Deposited Keys Method. The subsequently defined ATT&CK sub-technique [Execution Guardrails: Environmental Keying (T1480.001)](https://attack.mitre.org/techniques/T1480/001/) is related to this MBC method.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", 
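Review bot: The new `description` in the `@@ -8,9 +8,9 @@` hunk records the ATT&CK relationship to T1480.001 only as a markdown link inside free text, where tooling cannot consume it; the repository's established form for such links is a structured `external_references` entry. Consider adding `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1480/001/", "external_id": "T1480.001" }` beside the `mitre-mbc` reference so the mapping is queryable, and keep the prose sentence for readers. Because this same commit strips `mitre-attack` entries from other objects, the two approaches are now inconsistent within one release; if v2.3 intentionally drops structured ATT&CK references, a sentence in the commit message saying so would make that a visible decision rather than an apparent oversight.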
@@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", "external_id": "B0025.002" } ], diff --git a/mbc/attack-pattern/attack-pattern--d5e09700-cfae-43b7-831e-958a4e64251b.json b/mbc/attack-pattern/attack-pattern--d5e09700-cfae-43b7-831e-958a4e64251b.json index 714424ce..a67ba968 100644 --- a/mbc/attack-pattern/attack-pattern--d5e09700-cfae-43b7-831e-958a4e64251b.json +++ b/mbc/attack-pattern/attack-pattern--d5e09700-cfae-43b7-831e-958a4e64251b.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d5e09700-cfae-43b7-831e-958a4e64251b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.513264Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.306358Z", "name": "Modify PE Header", "description": "Any part of the header is changed or erased.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.014" } ], diff --git a/mbc/attack-pattern/attack-pattern--d6181cb9-7268-4ff7-99db-94df827e746e.json b/mbc/attack-pattern/attack-pattern--d6181cb9-7268-4ff7-99db-94df827e746e.json index 075d2038..003c1015 100644 --- a/mbc/attack-pattern/attack-pattern--d6181cb9-7268-4ff7-99db-94df827e746e.json +++ b/mbc/attack-pattern/attack-pattern--d6181cb9-7268-4ff7-99db-94df827e746e.json 
@@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/screen-capture.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/screen-capture.md", "external_id": "E1113.m01" } ], diff --git a/mbc/attack-pattern/attack-pattern--d61dcb50-dcf8-408d-96e2-f3cd75f93be0.json b/mbc/attack-pattern/attack-pattern--d61dcb50-dcf8-408d-96e2-f3cd75f93be0.json index adecaf6a..a5a66e92 100644 --- a/mbc/attack-pattern/attack-pattern--d61dcb50-dcf8-408d-96e2-f3cd75f93be0.json +++ b/mbc/attack-pattern/attack-pattern--d61dcb50-dcf8-408d-96e2-f3cd75f93be0.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d61dcb50-dcf8-408d-96e2-f3cd75f93be0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.520265Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.325285Z", "name": "Alternative ntdll.dll", "description": "A copy of ntdll.dll is dropped to the filesystem and then loaded. This alternative DLL is used to execute function calls to evade sandboxes which use hooking in the operating system's ntdll.dll.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", "external_id": "B0003.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--d61e7edf-865e-4d88-99cb-09dad9e44195.json b/mbc/attack-pattern/attack-pattern--d61e7edf-865e-4d88-99cb-09dad9e44195.json index 6534124f..b340485b 100644 --- a/mbc/attack-pattern/attack-pattern--d61e7edf-865e-4d88-99cb-09dad9e44195.json +++ b/mbc/attack-pattern/attack-pattern--d61e7edf-865e-4d88-99cb-09dad9e44195.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--d61e7edf-865e-4d88-99cb-09dad9e44195", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.657259Z", - "modified": "2022-02-05T00:37:22.616726Z", + "modified": "2022-09-08T18:26:13.430067Z", "name": "Unhook APIs", "description": "Security products may hook APIs to monitor the behavior of malware. To avoid being found, malware may load DLLs in memory and overwrite their bytes.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", "external_id": "F0004.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622.json b/mbc/attack-pattern/attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622.json index 51630084..40c6fc63 100644 --- a/mbc/attack-pattern/attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622.json +++ b/mbc/attack-pattern/attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.823261Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.368489Z", "name": "Read Pipe::Interprocess Communication", "kill_chain_phases": [ { @@ -19,7 +19,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md", "external_id": "C0003.003" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--d7183ad6-af24-4400-9539-f3a70be04a76.json b/mbc/attack-pattern/attack-pattern--d7183ad6-af24-4400-9539-f3a70be04a76.json index a25abf0d..944b48be 100644 --- a/mbc/attack-pattern/attack-pattern--d7183ad6-af24-4400-9539-f3a70be04a76.json +++ b/mbc/attack-pattern/attack-pattern--d7183ad6-af24-4400-9539-f3a70be04a76.json @@ -8,7 +8,7 @@ "id": "attack-pattern--d7183ad6-af24-4400-9539-f3a70be04a76", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.953485Z", - "modified": "2022-02-05T00:37:22.694887Z", + "modified": "2022-09-08T18:26:13.26805Z", "name": "Clipboard Modification", "description": "ATT&CK defines Clipboard Modification as a Mobile technique (Android platform). MBC extends it to the Windows platform.", "kill_chain_phases": [ @@ -20,13 +20,8 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/clipboard-mod.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/clipboard-modification.md", "external_id": "E1510" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1510/", - "external_id": "T1510" } ], "object_marking_refs": [ diff --git a/mbc/attack-pattern/attack-pattern--d71d433d-6815-4cca-940c-b21b05ab9a47.json b/mbc/attack-pattern/attack-pattern--d71d433d-6815-4cca-940c-b21b05ab9a47.json index 6139fd1a..dd025507 100644 --- a/mbc/attack-pattern/attack-pattern--d71d433d-6815-4cca-940c-b21b05ab9a47.json +++ b/mbc/attack-pattern/attack-pattern--d71d433d-6815-4cca-940c-b21b05ab9a47.json 
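Review bot: The `@@ -20,13 +20,8 @@` hunk deletes the `mitre-attack` reference to T1510 even though the description's first sentence defines this behavior as an extension of the ATT&CK Mobile technique, so the only machine-readable anchor to that technique is gone and the relationship survives only in prose and in the `E1510` numbering. If the removal is intentional for v2.3, preserving the provenance in the data with a `"description"` on the remaining `mitre-mbc` reference (e.g. `"Extends ATT&CK Mobile technique T1510 to Windows"`) would keep the mapping recoverable; otherwise restore `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1510/", "external_id": "T1510" }`.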
@@ -8,10 +8,22 @@ "id": "attack-pattern--d71d433d-6815-4cca-940c-b21b05ab9a47", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", + "modified": "2022-09-08T18:26:13.417979Z", "name": "Abuse Windows Function Calls", "description": "Malware abuses native Windows function calls to transfer execution to shellcode that it loads into memory. A pointer to the callback function is used to supply the memory address of the shellcode. Functions that can be abused include EnumResourceTypesA and EnumUILanguagesW.", "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + }, { "kill_chain_name": "mitre-mbc", "phase_name": "defense-evasion" @@ -28,7 +40,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", "external_id": "F0015.006" }, { diff --git a/mbc/attack-pattern/attack-pattern--d7c408e8-d813-46aa-8267-a76f8d53ec35.json b/mbc/attack-pattern/attack-pattern--d7c408e8-d813-46aa-8267-a76f8d53ec35.json index 3806e2ed..aee18071 100644 --- a/mbc/attack-pattern/attack-pattern--d7c408e8-d813-46aa-8267-a76f8d53ec35.json +++ b/mbc/attack-pattern/attack-pattern--d7c408e8-d813-46aa-8267-a76f8d53ec35.json 
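Review bot: The `@@ -8,10 +8,22 @@` hunk adds `anti-behavioral-analysis`, `collection` and `credential-access` kill-chain phases to a method whose description covers only transferring execution to shellcode through callback-taking Windows APIs; nothing in that text relates to collection or credential access. The added set matches the objectives of the Hooking behavior being folded into F0015 elsewhere in this commit, which suggests parent-level objectives are being copied onto every method by the generator — defensible for the hooking methods, but not for this one. Consumers that filter on `phase_name` (for example, listing Credential Access behaviors observed in a sample) will now get false hits for F0015.006; if propagating the parent's phases is by design, either restrict this object to `"phase_name": "defense-evasion"` (plus whatever phases it already carried) or document in USAGE.md that method phases mirror the parent behavior rather than the method.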
@@ -8,7 +8,7 @@ "id": "attack-pattern--d7c408e8-d813-46aa-8267-a76f8d53ec35", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.510265Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.303621Z", "name": "Byte Stealing", "description": "Move or copy the first bytes / instructions of the original code elsewhere. AKA stolen bytes or code splicing. For example, a packer may incorporate the first few instructions of the original EntryPoint (EP) into its unpacking stub before the tail transition in order to confuse automated unpackers and novice analysts. This can make it harder for rebuilding and may bypass breakpoints if set prematurely.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--d83c8fbc-c7bf-4108-ba64-f1a9ac737da1.json b/mbc/attack-pattern/attack-pattern--d83c8fbc-c7bf-4108-ba64-f1a9ac737da1.json index 195093d0..584cf444 100644 --- a/mbc/attack-pattern/attack-pattern--d83c8fbc-c7bf-4108-ba64-f1a9ac737da1.json +++ b/mbc/attack-pattern/attack-pattern--d83c8fbc-c7bf-4108-ba64-f1a9ac737da1.json 
@@ -8,7 +8,7 @@
 "id": "attack-pattern--d83c8fbc-c7bf-4108-ba64-f1a9ac737da1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.496265Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.286813Z",
 "name": "Instruction Testing - IN",
 "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.035"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--d850864e-1db4-40f3-b891-b1db177d48b3.json b/mbc/attack-pattern/attack-pattern--d850864e-1db4-40f3-b891-b1db177d48b3.json
index e9746d73..02cb416b 100644
--- a/mbc/attack-pattern/attack-pattern--d850864e-1db4-40f3-b891-b1db177d48b3.json
+++ b/mbc/attack-pattern/attack-pattern--d850864e-1db4-40f3-b891-b1db177d48b3.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--d850864e-1db4-40f3-b891-b1db177d48b3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.917484Z",
- "modified": "2022-02-05T00:37:22.632387Z",
+ "modified": "2022-09-08T18:26:13.414968Z",
 "name": "Attribute",
 "description": "Malware may change or choose an attribute to hide a file or directory.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md",
 "external_id": "F0005.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e.json b/mbc/attack-pattern/attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e.json
index b6970199..fe36b377 100644
--- a/mbc/attack-pattern/attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e.json
+++ b/mbc/attack-pattern/attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.817261Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.367356Z",
 "name": "HTTP Communication",
 "description": "This micro-behavior is related to HTTP communication.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--da0fe52b-e2c5-4574-a572-09c999c86b59.json b/mbc/attack-pattern/attack-pattern--da0fe52b-e2c5-4574-a572-09c999c86b59.json
index 9add7c20..7c151291 100644
--- a/mbc/attack-pattern/attack-pattern--da0fe52b-e2c5-4574-a572-09c999c86b59.json
+++ b/mbc/attack-pattern/attack-pattern--da0fe52b-e2c5-4574-a572-09c999c86b59.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--da0fe52b-e2c5-4574-a572-09c999c86b59",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.877737Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.243115Z",
 "name": "Deposited Keys",
 "description": "Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system. Also see Environmental Keys Method.",
 "kill_chain_phases": [
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md",
 "external_id": "B0025.008"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--da7d23d7-ead0-4926-a7ee-be9ea77bb2cd.json b/mbc/attack-pattern/attack-pattern--da7d23d7-ead0-4926-a7ee-be9ea77bb2cd.json
index ae4febec..c59ffc4f 100644
--- a/mbc/attack-pattern/attack-pattern--da7d23d7-ead0-4926-a7ee-be9ea77bb2cd.json
+++ b/mbc/attack-pattern/attack-pattern--da7d23d7-ead0-4926-a7ee-be9ea77bb2cd.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--da7d23d7-ead0-4926-a7ee-be9ea77bb2cd",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.551264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.207402Z",
 "name": "Variable Recomposition",
 "description": "Variables, often strings, are broken into multiple parts and store out of order, in different memory ranges, or both. They must then be recomposed before use.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md",
 "external_id": "B0012.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--dad3c536-a9a6-492b-baae-4353f2c6f601.json b/mbc/attack-pattern/attack-pattern--dad3c536-a9a6-492b-baae-4353f2c6f601.json
index f01439a9..0dbd9a59 100644
--- a/mbc/attack-pattern/attack-pattern--dad3c536-a9a6-492b-baae-4353f2c6f601.json
+++ b/mbc/attack-pattern/attack-pattern--dad3c536-a9a6-492b-baae-4353f2c6f601.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--dad3c536-a9a6-492b-baae-4353f2c6f601",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.923443Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.407875Z",
 "name": "Encryption of Code",
 "description": "A file's executable code is encrypted, but not necessarily the file's data.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md",
 "external_id": "E1027.m06"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--db58e527-5e81-489f-b05a-537ea9b6bae9.json b/mbc/attack-pattern/attack-pattern--db58e527-5e81-489f-b05a-537ea9b6bae9.json
index 37e10d3b..8e38b7ce 100644
--- a/mbc/attack-pattern/attack-pattern--db58e527-5e81-489f-b05a-537ea9b6bae9.json
+++ b/mbc/attack-pattern/attack-pattern--db58e527-5e81-489f-b05a-537ea9b6bae9.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--db58e527-5e81-489f-b05a-537ea9b6bae9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.498264Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.287721Z",
 "name": "Instruction Testing - SIDT (red pill)",
 "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest's IDTR to avoid conflict with the host's IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.030"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--dc49a540-64a4-47e7-8931-0ad5ce595cb7.json b/mbc/attack-pattern/attack-pattern--dc49a540-64a4-47e7-8931-0ad5ce595cb7.json
index a0e5b917..a155ebcc 100644
--- a/mbc/attack-pattern/attack-pattern--dc49a540-64a4-47e7-8931-0ad5ce595cb7.json
+++ b/mbc/attack-pattern/attack-pattern--dc49a540-64a4-47e7-8931-0ad5ce595cb7.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--dc49a540-64a4-47e7-8931-0ad5ce595cb7",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.471262Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.318737Z",
 "name": "ProcessHeap",
 "description": "Process heaps are affected by debuggers. Malware can detect a debugger by checking heap header fields such as Flags (debugger present if value greater than 2) or ForceFlags (debugger present if value greater than 0).",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.021"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--dc5231d1-332e-45ab-9995-412a5da4c10d.json b/mbc/attack-pattern/attack-pattern--dc5231d1-332e-45ab-9995-412a5da4c10d.json
index d89bfc92..a13d5cfe 100644
--- a/mbc/attack-pattern/attack-pattern--dc5231d1-332e-45ab-9995-412a5da4c10d.json
+++ b/mbc/attack-pattern/attack-pattern--dc5231d1-332e-45ab-9995-412a5da4c10d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--dc5231d1-332e-45ab-9995-412a5da4c10d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.485265Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.298557Z",
 "name": "Self Check",
 "description": "Malware may check its own characteristics to determine whether it's running in a sandbox. For example, a malicious Office document might check its file name or VB project name.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
 "external_id": "B0007.007"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--dcd263ce-1f73-4f82-a7cf-5571498a8d36.json b/mbc/attack-pattern/attack-pattern--dcd263ce-1f73-4f82-a7cf-5571498a8d36.json
index bd79e402..f7838e3a 100644
--- a/mbc/attack-pattern/attack-pattern--dcd263ce-1f73-4f82-a7cf-5571498a8d36.json
+++ b/mbc/attack-pattern/attack-pattern--dcd263ce-1f73-4f82-a7cf-5571498a8d36.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--dcd263ce-1f73-4f82-a7cf-5571498a8d36",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.517264Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.309653Z",
 "name": "Stolen API Code",
 "description": "A variation of \"byte stealing\" where the first few instructions or bytes of an API are executed in user code, allowing the IAT to point into the middle of an API function. This confuses IAT rebuilders such as ImpRec and Scylla and may bypass breakpoints.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.027"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--dcd29dd1-20d2-4387-90dd-95480c4e0f1c.json b/mbc/attack-pattern/attack-pattern--dcd29dd1-20d2-4387-90dd-95480c4e0f1c.json
index c316bfa4..420bfa0a 100644
--- a/mbc/attack-pattern/attack-pattern--dcd29dd1-20d2-4387-90dd-95480c4e0f1c.json
+++ b/mbc/attack-pattern/attack-pattern--dcd29dd1-20d2-4387-90dd-95480c4e0f1c.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/simulate-hardware.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/simulate-hardware.md",
 "external_id": "C0057.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--dcfb5c52-a6e0-4c64-a937-91d730cd7a5b.json b/mbc/attack-pattern/attack-pattern--dcfb5c52-a6e0-4c64-a937-91d730cd7a5b.json
index a6c13464..e95d3d42 100644
--- a/mbc/attack-pattern/attack-pattern--dcfb5c52-a6e0-4c64-a937-91d730cd7a5b.json
+++ b/mbc/attack-pattern/attack-pattern--dcfb5c52-a6e0-4c64-a937-91d730cd7a5b.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--dcfb5c52-a6e0-4c64-a937-91d730cd7a5b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.47826Z",
- "modified": "2022-02-05T00:37:22.507385Z",
+ "modified": "2022-09-08T18:26:13.323294Z",
 "name": "Check Emulator-related Registry Keys",
 "description": "Emulators register artifacts in the registry, which can be detected by malware. For example, installation of QEMU results in the registry key: *HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0* with value=*Identifier* and data=*QEMU*, or registry key: *HARDWARE\\Description\\System* with value=*SystemBiosVersion* and data=*QEMU*.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md",
 "external_id": "B0004.003"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--dd40dbb6-6220-4b7b-93e1-20fe081eb219.json b/mbc/attack-pattern/attack-pattern--dd40dbb6-6220-4b7b-93e1-20fe081eb219.json
index 07f64582..33ba9da4 100644
--- a/mbc/attack-pattern/attack-pattern--dd40dbb6-6220-4b7b-93e1-20fe081eb219.json
+++ b/mbc/attack-pattern/attack-pattern--dd40dbb6-6220-4b7b-93e1-20fe081eb219.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--dd40dbb6-6220-4b7b-93e1-20fe081eb219",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.496265Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.286198Z",
 "name": "Instruction Testing",
 "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.029"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25.json b/mbc/attack-pattern/attack-pattern--dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25.json
index 4a949c21..2462cf7c 100644
--- a/mbc/attack-pattern/attack-pattern--dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25.json
+++ b/mbc/attack-pattern/attack-pattern--dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.666262Z",
- "modified": "2022-02-05T00:37:22.632387Z",
+ "modified": "2022-09-08T18:26:13.413949Z",
 "name": "Indicator Blocking",
 "description": "Malware blocks indicators or events that would indicate malicious activity. Methods relevant to the malware domain are below.",
 "kill_chain_phases": [
@@ -20,8 +20,24 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/indicator-blocking.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/indicator-blocking.md",
 "external_id": "F0006"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/Conficker"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--dd5fd5f1-cc85-409b-a4c0-96cea106cd82.json b/mbc/attack-pattern/attack-pattern--dd5fd5f1-cc85-409b-a4c0-96cea106cd82.json
index fbd93609..9a7e5679 100644
--- a/mbc/attack-pattern/attack-pattern--dd5fd5f1-cc85-409b-a4c0-96cea106cd82.json
+++ b/mbc/attack-pattern/attack-pattern--dd5fd5f1-cc85-409b-a4c0-96cea106cd82.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--dd5fd5f1-cc85-409b-a4c0-96cea106cd82",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.514301Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.307116Z",
 "name": "Parallel Threads",
 "description": "Use several parallel threads to make analysis harder.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.017"
 }
 ],
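Review bot: The four `external_source` references added after the `mitre-mbc` entry for F0006 carry only a bare `url`, so a consumer of the STIX cannot tell which malware family each citation documents or why it supports Indicator Blocking without opening the link. STIX 2.1 external references allow a `description`, and a one-line value per entry naming the sample the report covers (e.g. `"description": "<family name from the cited report>"`, constructed here as a placeholder) would preserve the provenance that the source markdown presumably carries; consumers that only read `url` are unaffected. The same bare-URL pattern appears in the `external_source` entries added for E1083 (File and Directory Discovery) and B0018 (Resource Hijacking) later in this patch.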
diff --git a/mbc/attack-pattern/attack-pattern--dd600655-8b9a-4a67-be72-3088d96e0e5a.json b/mbc/attack-pattern/attack-pattern--dd600655-8b9a-4a67-be72-3088d96e0e5a.json
index a8def974..ff84f1b8 100644
--- a/mbc/attack-pattern/attack-pattern--dd600655-8b9a-4a67-be72-3088d96e0e5a.json
+++ b/mbc/attack-pattern/attack-pattern--dd600655-8b9a-4a67-be72-3088d96e0e5a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--dd600655-8b9a-4a67-be72-3088d96e0e5a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.727262Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.240923Z",
 "name": "Red Hat JBoss Enterprise Products",
 "kill_chain_phases": [
 {
@@ -23,7 +23,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md",
 "external_id": "E1203.m04"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436.json b/mbc/attack-pattern/attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436.json
index e59dc12a..78c986fb 100644
--- a/mbc/attack-pattern/attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436.json
+++ b/mbc/attack-pattern/attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.820261Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.378078Z",
 "name": "ICMP Communication",
 "description": "This micro-behavior is related to ICMP communication.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/icmp-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/icmp-communication.md",
 "external_id": "C0014"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291.json b/mbc/attack-pattern/attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291.json
index 9481c09c..d75a92be 100644
--- a/mbc/attack-pattern/attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291.json
+++ b/mbc/attack-pattern/attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.029444Z",
- "modified": "2022-02-05T00:37:22.819853Z",
+ "modified": "2022-09-08T18:26:13.401839Z",
 "name": "Environment Variable",
 "description": "Malware modifies environment variables.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/enviro-var.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/environment-variable.md",
 "external_id": "C0034"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e0563aa9-70e1-41b8-ae78-0434ece93e36.json b/mbc/attack-pattern/attack-pattern--e0563aa9-70e1-41b8-ae78-0434ece93e36.json
index 8f2cca6a..4fef9929 100644
--- a/mbc/attack-pattern/attack-pattern--e0563aa9-70e1-41b8-ae78-0434ece93e36.json
+++ b/mbc/attack-pattern/attack-pattern--e0563aa9-70e1-41b8-ae78-0434ece93e36.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e0563aa9-70e1-41b8-ae78-0434ece93e36",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.805261Z",
- "modified": "2022-02-05T00:37:22.726134Z",
+ "modified": "2022-09-08T18:26:13.378861Z",
 "name": "Resolve::DNS Communication",
 "description": "Resolves a domain.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md",
 "external_id": "C0011.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b.json b/mbc/attack-pattern/attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b.json
index ab2d4e85..f4eaab6b 100644
--- a/mbc/attack-pattern/attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b.json
+++ b/mbc/attack-pattern/attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md",
 "external_id": "C0036"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e1be431c-d113-4b11-bfe1-ea117eefc3cf.json b/mbc/attack-pattern/attack-pattern--e1be431c-d113-4b11-bfe1-ea117eefc3cf.json
new file mode 100644
index 00000000..1a0203a9
--- /dev/null
+++ b/mbc/attack-pattern/attack-pattern--e1be431c-d113-4b11-bfe1-ea117eefc3cf.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--18a0540a-0a66-49a5-9833-ccccb56a7d46",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--e1be431c-d113-4b11-bfe1-ea117eefc3cf",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:13.397531Z",
+ "modified": "2022-09-08T18:26:13.397531Z",
+ "name": "Crypto Algorithm",
+ "description": "A known crypto algorithm is implemented in the code and it is unknown whether it is from a public crypto library.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-algorithm.md",
+ "external_id": "C0068"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_is_subtechnique": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/attack-pattern/attack-pattern--e1c3c48b-0b4d-418f-b7af-44715b214972.json b/mbc/attack-pattern/attack-pattern--e1c3c48b-0b4d-418f-b7af-44715b214972.json
index 0351640c..80e949d4 100644
--- a/mbc/attack-pattern/attack-pattern--e1c3c48b-0b4d-418f-b7af-44715b214972.json
+++ b/mbc/attack-pattern/attack-pattern--e1c3c48b-0b4d-418f-b7af-44715b214972.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e1c3c48b-0b4d-418f-b7af-44715b214972",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.530265Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.30185Z",
 "name": "Undocumented Opcodes",
 "description": "Use rare or undocumented opcodes to block non-exhaustive emulators.",
 "kill_chain_phases": [
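Review bot: The new bundle for C0068 is written without a trailing newline (`\ No newline at end of file` after the closing `}`), which will show up as a spurious last-line change the next time the generator touches this file and trips POSIX text tools and some linters that expect a terminated last line. The `+1,33` header accounts for all 33 lines, so the content itself is complete; only the final byte is missing. If the other bundles in `mbc/attack-pattern/` end with a newline — I cannot see them from here — the writer that emitted this file should append one so every bundle is formatted the same way.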
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md",
 "external_id": "B0005.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e22860a9-1026-46ee-a75e-feedc26196d5.json b/mbc/attack-pattern/attack-pattern--e22860a9-1026-46ee-a75e-feedc26196d5.json
index acfa8b63..f28e8111 100644
--- a/mbc/attack-pattern/attack-pattern--e22860a9-1026-46ee-a75e-feedc26196d5.json
+++ b/mbc/attack-pattern/attack-pattern--e22860a9-1026-46ee-a75e-feedc26196d5.json
@@ -28,7 +28,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md",
 "external_id": "F0001.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e23ee3ae-6960-4b56-b962-33184f999657.json b/mbc/attack-pattern/attack-pattern--e23ee3ae-6960-4b56-b962-33184f999657.json
index 8988c40c..25eb580e 100644
--- a/mbc/attack-pattern/attack-pattern--e23ee3ae-6960-4b56-b962-33184f999657.json
+++ b/mbc/attack-pattern/attack-pattern--e23ee3ae-6960-4b56-b962-33184f999657.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e23ee3ae-6960-4b56-b962-33184f999657",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.688263Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.409489Z",
 "name": "Hook Injection via SetWindowsHooksEx",
 "description": "Malware can leverage hooking functionality to have its malicious DLL loaded upon an event getting triggered in a specific thread, which is usually done by calling SetWindowsHookEx to install a hook routine into the hook chain.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md",
 "external_id": "E1055.m01"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a.json b/mbc/attack-pattern/attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a.json
index 05cb0923..1b807648 100644
--- a/mbc/attack-pattern/attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a.json
+++ b/mbc/attack-pattern/attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.937479Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.208877Z",
 "name": "File and Directory Discovery",
 "description": "Malware may enumerate files and directories or may search for specific files or in specific locations.",
 "kill_chain_phases": [
@@ -20,13 +20,20 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/file-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/file-and-directory-discovery.md",
 "external_id": "E1083"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1083/",
- "external_id": "T1083"
+ "source_name": "external_source",
+ "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.secureworks.com/research/cryptolocker-ransomware"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf"
 }
 ],
 "object_marking_refs": [
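Review bot: In the `@@ -20,13 +20,20 @@` hunk the `mitre-attack` reference to T1083 is dropped and replaced by `external_source` entries, so E1083 — whose E-prefix marks it as an ATT&CK-derived behavior — no longer carries a machine-readable link to the ATT&CK technique, and any consumer that joins MBC objects to ATT&CK on `external_id` loses the mapping for this object. The same swap removes the T1496 reference from Resource Hijacking (B0018) in the next file. If v2.3 intentionally moves the ATT&CK mapping out of `external_references`, that should be stated in the commit message or in the USAGE.md change this patch also touches; otherwise the `mitre-attack` entry should be kept alongside the new `external_source` entries, for example `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1083/", "external_id": "T1083" }` as it appeared before.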
diff --git a/mbc/attack-pattern/attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e.json b/mbc/attack-pattern/attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e.json
index 7efc4d0a..53b368cc 100644
--- a/mbc/attack-pattern/attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e.json
+++ b/mbc/attack-pattern/attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.788262Z",
- "modified": "2022-02-05T00:37:22.71051Z",
+ "modified": "2022-09-08T18:26:13.261108Z",
 "name": "Resource Hijacking",
 "description": "Uses system resources for other purposes; as a result, the system may not be available for intended uses.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/hijack-sys-resources.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/resource-hijacking.md",
 "external_id": "B0018"
 },
 {
@@ -32,9 +32,8 @@
 "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1496/",
- "external_id": "T1496"
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--e35d4dd6-591c-4f6d-b182-16adc70ce74f.json b/mbc/attack-pattern/attack-pattern--e35d4dd6-591c-4f6d-b182-16adc70ce74f.json
index 562aefa2..cd68660b 100644
--- a/mbc/attack-pattern/attack-pattern--e35d4dd6-591c-4f6d-b182-16adc70ce74f.json
+++ b/mbc/attack-pattern/attack-pattern--e35d4dd6-591c-4f6d-b182-16adc70ce74f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e35d4dd6-591c-4f6d-b182-16adc70ce74f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.515309Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.308112Z",
 "name": "Return Obfuscation",
 "description": "Overwrite the RET address on the stack or the code at the RET address. Variation seen that writes to the start-up code or main module that called the malware's WinMain or DllMain.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
 "external_id": "B0002.021"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3.json b/mbc/attack-pattern/attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3.json
index 6d8f3320..ce33e84a 100644
--- a/mbc/attack-pattern/attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3.json
+++ b/mbc/attack-pattern/attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/covert-location.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/covert-location.md",
 "external_id": "B0040"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e393c36e-9939-44df-8f4a-8e7cb57c9b4e.json b/mbc/attack-pattern/attack-pattern--e393c36e-9939-44df-8f4a-8e7cb57c9b4e.json
index 968940a1..8ed7a6c5 100644
--- a/mbc/attack-pattern/attack-pattern--e393c36e-9939-44df-8f4a-8e7cb57c9b4e.json
+++ b/mbc/attack-pattern/attack-pattern--e393c36e-9939-44df-8f4a-8e7cb57c9b4e.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/open-process.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/open-process.md",
 "external_id": "C0065"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e399ce8e-2c1d-4bc4-9669-308cb99f1e10.json b/mbc/attack-pattern/attack-pattern--e399ce8e-2c1d-4bc4-9669-308cb99f1e10.json
index fc7ed126..c0c9f633 100644
--- a/mbc/attack-pattern/attack-pattern--e399ce8e-2c1d-4bc4-9669-308cb99f1e10.json
+++ b/mbc/attack-pattern/attack-pattern--e399ce8e-2c1d-4bc4-9669-308cb99f1e10.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e399ce8e-2c1d-4bc4-9669-308cb99f1e10",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.993484Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.390839Z",
 "name": "Skipjack::Encrypt Data",
 "description": "Malware encrypts with the Skipjack block cipher algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
 "external_id": "C0027.013"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa.json b/mbc/attack-pattern/attack-pattern--e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa.json
index 30a0ca98..b1df6b72 100644
--- a/mbc/attack-pattern/attack-pattern--e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa.json
+++ b/mbc/attack-pattern/attack-pattern--e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.562264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
+ "modified": "2022-09-08T18:26:13.194924Z",
 "name": "Symbol Obfuscation",
 "description": "Remove or rename symbolic information commonly inserted by compilers for debugging purposes.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
 "external_id": "B0032.018"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e3f453d4-03f3-4a8a-bfb1-d603016e234f.json b/mbc/attack-pattern/attack-pattern--e3f453d4-03f3-4a8a-bfb1-d603016e234f.json
index e61db174..17957402 100644
--- a/mbc/attack-pattern/attack-pattern--e3f453d4-03f3-4a8a-bfb1-d603016e234f.json
+++ b/mbc/attack-pattern/attack-pattern--e3f453d4-03f3-4a8a-bfb1-d603016e234f.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e3f453d4-03f3-4a8a-bfb1-d603016e234f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.602268Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.221582Z",
 "name": "Screen Capture",
 "description": "Malware takes screen captures of the desktop.",
 "kill_chain_phases": [
@@ -24,13 +24,20 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/screen-capture.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/screen-capture.md",
 "external_id": "E1113"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1113/",
- "external_id": "T1113"
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--e4678b94-bfec-402e-9682-17a32ae8c379.json b/mbc/attack-pattern/attack-pattern--e4678b94-bfec-402e-9682-17a32ae8c379.json
index 3d7746c2..2d9b41bc 100644
--- a/mbc/attack-pattern/attack-pattern--e4678b94-bfec-402e-9682-17a32ae8c379.json
+++ b/mbc/attack-pattern/attack-pattern--e4678b94-bfec-402e-9682-17a32ae8c379.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e4678b94-bfec-402e-9682-17a32ae8c379",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.503263Z",
- "modified": "2022-02-05T00:37:22.523012Z",
+ "modified": "2022-09-08T18:26:13.292416Z",
 "name": "Unique Hardware/Firmware Check - CPU Location",
 "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. When an Operating System is virtualized, the CPU is relocated.",
 "kill_chain_phases": [
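Review bot: The `mitre-attack` reference with `"external_id": "T1113"` is dropped from Screen Capture while the object keeps `"external_id": "E1113"`, whose numeric part matches the removed T-ID, so the ATT&CK mapping is now only implied by the identifier and no longer stated in `external_references`; consumers that resolve MBC behaviors to ATT&CK techniques through the reference list lose the link. Unless the mapping was removed deliberately (in which case USAGE.md should say so), keep the `mitre-attack` entry alongside the three new `external_source` entries rather than replacing it. The three new entries all use the generic `"source_name": "external_source"` and carry no `description`, so nothing distinguishes a 2012 DarkComet write-up from a 2019 torrent-backdoor article without dereferencing each URL; naming the publisher in `source_name` and adding a one-line `description` would make the provenance readable in place. The JSON object continues past the hunk's last line.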
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
 "external_id": "B0009.027"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b.json b/mbc/attack-pattern/attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b.json
index 31ee7a1a..ccfd2c06 100644
--- a/mbc/attack-pattern/attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b.json
+++ b/mbc/attack-pattern/attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.824262Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.368972Z",
 "name": "Interprocess Communication",
 "description": "The Interprocess Communication micro-behavior focuses on interprocess communication.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md",
 "external_id": "C0003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d.json b/mbc/attack-pattern/attack-pattern--e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d.json
index 6a09fbbf..d5cffd85 100644
--- a/mbc/attack-pattern/attack-pattern--e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d.json
+++ b/mbc/attack-pattern/attack-pattern--e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.989483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
+ "modified": "2022-09-08T18:26:13.385545Z",
 "name": "HC-256::Decrypt Data",
 "description": "Malware decrypts data encrypted with the HC-256 algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
 "external_id": "C0031.007"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e60f2ef0-615c-4158-92f6-4db808bc116d.json b/mbc/attack-pattern/attack-pattern--e60f2ef0-615c-4158-92f6-4db808bc116d.json
index acc8326b..550949ad 100644
--- a/mbc/attack-pattern/attack-pattern--e60f2ef0-615c-4158-92f6-4db808bc116d.json
+++ b/mbc/attack-pattern/attack-pattern--e60f2ef0-615c-4158-92f6-4db808bc116d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e60f2ef0-615c-4158-92f6-4db808bc116d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.537265Z",
- "modified": "2022-02-05T00:37:22.55426Z",
+ "modified": "2022-09-08T18:26:13.275982Z",
 "name": "Hide virtual memory",
 "description": "Hide arbitrary segments of virtual memory.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md",
 "external_id": "B0006.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e72b1f9b-69a5-44fa-8de6-fa7d4ccc726c.json b/mbc/attack-pattern/attack-pattern--e72b1f9b-69a5-44fa-8de6-fa7d4ccc726c.json
index ccec4a4d..180f0bb8 100644
--- a/mbc/attack-pattern/attack-pattern--e72b1f9b-69a5-44fa-8de6-fa7d4ccc726c.json
+++ b/mbc/attack-pattern/attack-pattern--e72b1f9b-69a5-44fa-8de6-fa7d4ccc726c.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md",
 "external_id": "C0036.004"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e7d60710-0081-4d47-9fd3-3e2d410828e7.json b/mbc/attack-pattern/attack-pattern--e7d60710-0081-4d47-9fd3-3e2d410828e7.json
index 2da2f582..a238f526 100644
--- a/mbc/attack-pattern/attack-pattern--e7d60710-0081-4d47-9fd3-3e2d410828e7.json
+++ b/mbc/attack-pattern/attack-pattern--e7d60710-0081-4d47-9fd3-3e2d410828e7.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e7d60710-0081-4d47-9fd3-3e2d410828e7",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.922997Z",
- "modified": "2022-02-05T00:37:22.648018Z",
+ "modified": "2022-09-08T18:26:13.40666Z",
 "name": "Encoding-Standard Algorithm",
 "description": "A standard algorithm (e.g., base64) is used to encode a malware sample, file, or other information.",
 "kill_chain_phases": [
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md",
 "external_id": "E1027.m02"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e82333e9-4719-464b-87d9-164c6b00cb5d.json b/mbc/attack-pattern/attack-pattern--e82333e9-4719-464b-87d9-164c6b00cb5d.json
index a7453319..4ed64995 100644
--- a/mbc/attack-pattern/attack-pattern--e82333e9-4719-464b-87d9-164c6b00cb5d.json
+++ b/mbc/attack-pattern/attack-pattern--e82333e9-4719-464b-87d9-164c6b00cb5d.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e82333e9-4719-464b-87d9-164c6b00cb5d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.705262Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.214168Z",
 "name": "Known File Location",
 "description": "Malware may detect an analysis tool by the presence of a file in a known location.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md",
 "external_id": "B0013.008"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e84f764e-ace1-4149-b73d-664b17954d7b.json b/mbc/attack-pattern/attack-pattern--e84f764e-ace1-4149-b73d-664b17954d7b.json
index f942938c..4a62b684 100644
--- a/mbc/attack-pattern/attack-pattern--e84f764e-ace1-4149-b73d-664b17954d7b.json
+++ b/mbc/attack-pattern/attack-pattern--e84f764e-ace1-4149-b73d-664b17954d7b.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e84f764e-ace1-4149-b73d-664b17954d7b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.994484Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.392412Z",
 "name": "Twofish::Encrypt Data",
 "description": "Malware encrypts with the Twofish algorithm.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
 "external_id": "C0027.005"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--e85ffef6-8593-4bff-a6f0-d54b2e64fc70.json b/mbc/attack-pattern/attack-pattern--e85ffef6-8593-4bff-a6f0-d54b2e64fc70.json
index 56c6c6f0..b84cec2d 100644
--- a/mbc/attack-pattern/attack-pattern--e85ffef6-8593-4bff-a6f0-d54b2e64fc70.json
+++ b/mbc/attack-pattern/attack-pattern--e85ffef6-8593-4bff-a6f0-d54b2e64fc70.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e85ffef6-8593-4bff-a6f0-d54b2e64fc70",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.463305Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.314478Z",
 "name": "Memory Breakpoints",
 "description": "(PAGE_GUARD); Guard pages trigger an exception the first time they are accessed and can be used to detect a debugger. See for details.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.009"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--e97aa9eb-a7d6-4c4a-810f-140f1dda08ca.json b/mbc/attack-pattern/attack-pattern--e97aa9eb-a7d6-4c4a-810f-140f1dda08ca.json
index 9bea91e9..ff33464d 100644
--- a/mbc/attack-pattern/attack-pattern--e97aa9eb-a7d6-4c4a-810f-140f1dda08ca.json
+++ b/mbc/attack-pattern/attack-pattern--e97aa9eb-a7d6-4c4a-810f-140f1dda08ca.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--e97aa9eb-a7d6-4c4a-810f-140f1dda08ca",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.463305Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.314773Z",
 "name": "Memory Write Watching",
 "kill_chain_phases": [
 {
@@ -19,7 +19,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.010"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--eab3d576-e947-486b-857c-ffa680b30050.json b/mbc/attack-pattern/attack-pattern--eab3d576-e947-486b-857c-ffa680b30050.json
index eb36752c..2774215f 100644
--- a/mbc/attack-pattern/attack-pattern--eab3d576-e947-486b-857c-ffa680b30050.json
+++ b/mbc/attack-pattern/attack-pattern--eab3d576-e947-486b-857c-ffa680b30050.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/indicator-blocking.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/indicator-blocking.md",
 "external_id": "F0006.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3.json b/mbc/attack-pattern/attack-pattern--ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3.json
index 4dd3938a..c318011f 100644
--- a/mbc/attack-pattern/attack-pattern--ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3.json
+++ b/mbc/attack-pattern/attack-pattern--ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.814267Z",
- "modified": "2022-02-05T00:37:22.741756Z",
+ "modified": "2022-09-08T18:26:13.366556Z",
 "name": "IWebBrowser::HTTP Communication",
 "description": "The IWebBrowser interface exposes methods and properties implemented by the WebBrowser control or implemented by an instance of the InternetExplorer application. Specific methods and properties can be captured: e.g., COMMUNICATION::HTTP Communication::IWebBrowser.get_Document.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
 "external_id": "C0002.010"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e.json b/mbc/attack-pattern/attack-pattern--ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e.json
index 741b31a8..df034e3f 100644
--- a/mbc/attack-pattern/attack-pattern--ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e.json
+++ b/mbc/attack-pattern/attack-pattern--ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.783046Z",
- "modified": "2022-02-05T00:37:22.601096Z",
+ "modified": "2022-09-08T18:26:13.231139Z",
 "name": "Start Interactive Shell",
 "description": "Start an interactive shell using a built-in program (e.g. cmd.exe, PowerShell, bash). This is often implemented with polling the network connection from the controller for text commands to redirect to the shell's stdin and polling the shell's stdout and stderr to redirect over the network to the controller. This differs from Execute Shell Command because the shell process runs across multiple iterations of the recv-command(s)-send-result loop.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
 "external_id": "B0030.016"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ec7f9541-06af-4db7-a9c2-183b513f144a.json b/mbc/attack-pattern/attack-pattern--ec7f9541-06af-4db7-a9c2-183b513f144a.json
index b84d8f3c..11b22a66 100644
--- a/mbc/attack-pattern/attack-pattern--ec7f9541-06af-4db7-a9c2-183b513f144a.json
+++ b/mbc/attack-pattern/attack-pattern--ec7f9541-06af-4db7-a9c2-183b513f144a.json
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md",
 "external_id": "E1564.m02"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ecf1cd8c-ffef-40bd-a2e3-441e77a84a77.json b/mbc/attack-pattern/attack-pattern--ecf1cd8c-ffef-40bd-a2e3-441e77a84a77.json
index 3ff07b97..a1026155 100644
--- a/mbc/attack-pattern/attack-pattern--ecf1cd8c-ffef-40bd-a2e3-441e77a84a77.json
+++ b/mbc/attack-pattern/attack-pattern--ecf1cd8c-ffef-40bd-a2e3-441e77a84a77.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-process.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-process.md",
 "external_id": "C0017.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--eee013e1-4cfd-42f9-9f46-71f4b1598ef3.json b/mbc/attack-pattern/attack-pattern--eee013e1-4cfd-42f9-9f46-71f4b1598ef3.json
index 8fbad687..8f261888 100644
--- a/mbc/attack-pattern/attack-pattern--eee013e1-4cfd-42f9-9f46-71f4b1598ef3.json
+++ b/mbc/attack-pattern/attack-pattern--eee013e1-4cfd-42f9-9f46-71f4b1598ef3.json
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/cryptocurrency.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/cryptocurrency.md",
 "external_id": "B0028.001"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1.json b/mbc/attack-pattern/attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1.json
index 4c8205db..f30bfe71 100644
--- a/mbc/attack-pattern/attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1.json
+++ b/mbc/attack-pattern/attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.005479Z",
- "modified": "2022-02-05T00:37:22.788643Z",
+ "modified": "2022-09-08T18:26:13.331832Z",
 "name": "Decompress Data",
 "description": "Malware may decompress data.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decompress.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decompress-data.md",
 "external_id": "C0025"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd.json b/mbc/attack-pattern/attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd.json
index ddcf3c9e..a9825a50 100644
--- a/mbc/attack-pattern/attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd.json
+++ b/mbc/attack-pattern/attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd.json
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/polymorphic-code.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/polymorphic-code.md",
 "external_id": "B0029"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--f0df8409-6168-481b-97a9-eb15c77c1317.json b/mbc/attack-pattern/attack-pattern--f0df8409-6168-481b-97a9-eb15c77c1317.json
index a6988283..9ae64ec4 100644
--- a/mbc/attack-pattern/attack-pattern--f0df8409-6168-481b-97a9-eb15c77c1317.json
+++ b/mbc/attack-pattern/attack-pattern--f0df8409-6168-481b-97a9-eb15c77c1317.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--f0df8409-6168-481b-97a9-eb15c77c1317",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.507263Z",
- "modified": "2022-02-05T00:37:22.538637Z",
+ "modified": "2022-09-08T18:26:13.279095Z",
 "name": "Multiple Stages of Loaders",
 "description": "Multiple stages of loaders are used with an encoded payload.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-capture.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/capture-evasion.md",
 "external_id": "B0036.003"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f1212d9e-3af6-4ef4-a19e-ff2793564ffd.json b/mbc/attack-pattern/attack-pattern--f1212d9e-3af6-4ef4-a19e-ff2793564ffd.json
index 3b91b048..60cbc4be 100644
--- a/mbc/attack-pattern/attack-pattern--f1212d9e-3af6-4ef4-a19e-ff2793564ffd.json
+++ b/mbc/attack-pattern/attack-pattern--f1212d9e-3af6-4ef4-a19e-ff2793564ffd.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--f1212d9e-3af6-4ef4-a19e-ff2793564ffd",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.849262Z",
- "modified": "2022-02-05T00:37:22.773011Z",
+ "modified": "2022-09-08T18:26:13.396248Z",
 "name": "rand::Generate Pseudo-random Sequence",
 "description": "Malware generates a pseudo-random sequence using rand.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md",
 "external_id": "C0021.002"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f1b3a223-fa61-4341-9d0c-9f71b399ee00.json b/mbc/attack-pattern/attack-pattern--f1b3a223-fa61-4341-9d0c-9f71b399ee00.json
index 089c97c5..9592b521 100644
--- a/mbc/attack-pattern/attack-pattern--f1b3a223-fa61-4341-9d0c-9f71b399ee00.json
+++ b/mbc/attack-pattern/attack-pattern--f1b3a223-fa61-4341-9d0c-9f71b399ee00.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--f1b3a223-fa61-4341-9d0c-9f71b399ee00",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.759262Z",
- "modified": "2022-02-05T00:37:22.694887Z",
+ "modified": "2022-09-08T18:26:13.272067Z",
 "name": "Encryption",
 "description": "Data is encrypted.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md",
 "external_id": "E1560.m02"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f1e778ba-e457-445f-888f-a3ee4e5dbeef.json b/mbc/attack-pattern/attack-pattern--f1e778ba-e457-445f-888f-a3ee4e5dbeef.json
index 210be9ab..689adc81 100644
--- a/mbc/attack-pattern/attack-pattern--f1e778ba-e457-445f-888f-a3ee4e5dbeef.json
+++ b/mbc/attack-pattern/attack-pattern--f1e778ba-e457-445f-888f-a3ee4e5dbeef.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--f1e778ba-e457-445f-888f-a3ee4e5dbeef",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.711263Z",
- "modified": "2022-02-05T00:37:22.663601Z",
+ "modified": "2022-09-08T18:26:13.212069Z",
 "name": "Self Discovery",
 "description": "Malware may gather information about itself, such as its filename or size on disk.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/self-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/self-discovery.md",
 "external_id": "B0038"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f1e8e35a-e893-403a-b34c-1b5d54945764.json b/mbc/attack-pattern/attack-pattern--f1e8e35a-e893-403a-b34c-1b5d54945764.json
index 2b4972e3..cf7a66b9 100644
--- a/mbc/attack-pattern/attack-pattern--f1e8e35a-e893-403a-b34c-1b5d54945764.json
+++ b/mbc/attack-pattern/attack-pattern--f1e8e35a-e893-403a-b34c-1b5d54945764.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--f1e8e35a-e893-403a-b34c-1b5d54945764",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.716259Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.213065Z",
 "name": "Generate Windows Exception",
 "description": "Malware may trigger an exception as a way of gathering system details.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/system-info-discover.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/system-information-discovery.md",
 "external_id": "E1082.m01"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f1f9a410-ce13-4c3d-8728-69e517d71fb9.json b/mbc/attack-pattern/attack-pattern--f1f9a410-ce13-4c3d-8728-69e517d71fb9.json
index 9e375386..47883b13 100644
--- a/mbc/attack-pattern/attack-pattern--f1f9a410-ce13-4c3d-8728-69e517d71fb9.json
+++ b/mbc/attack-pattern/attack-pattern--f1f9a410-ce13-4c3d-8728-69e517d71fb9.json
@@ -24,7 +24,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md",
 "external_id": "E1564.m01"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f21fda77-e6ff-4351-87d9-0e2f5780a1c3.json b/mbc/attack-pattern/attack-pattern--f21fda77-e6ff-4351-87d9-0e2f5780a1c3.json
index e4db449f..11693c8a 100644
--- a/mbc/attack-pattern/attack-pattern--f21fda77-e6ff-4351-87d9-0e2f5780a1c3.json
+++ b/mbc/attack-pattern/attack-pattern--f21fda77-e6ff-4351-87d9-0e2f5780a1c3.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--f21fda77-e6ff-4351-87d9-0e2f5780a1c3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.035443Z",
- "modified": "2022-02-05T00:37:22.819853Z",
+ "modified": "2022-09-08T18:26:13.360512Z",
 "name": "Create Mutex",
 "description": "Malware creates a mutex.",
 "kill_chain_phases": [
@@ -20,8 +20,16 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-mutex.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-mutex.md",
 "external_id": "C0042"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a.json b/mbc/attack-pattern/attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a.json
index ca4ca756..4adbf458 100644
--- a/mbc/attack-pattern/attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a.json
+++ b/mbc/attack-pattern/attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:31.916486Z",
- "modified": "2022-02-05T00:37:22.632387Z",
+ "modified": "2022-09-08T18:26:13.430885Z",
 "name": "Disable or Evade Security Tools",
 "description": "Malware may disable or evade security tools to avoid detection. Security tools include OS security features and updating tools, anti-virus (AV) tools, firewalls, tool components providing security related logging and/or reporting, and Antimalware Scan Interface (AMSI) related capabilities.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
 "external_id": "F0004"
 },
 {
diff --git a/mbc/attack-pattern/attack-pattern--f277deb3-f676-4536-b7c0-8cc76354b631.json b/mbc/attack-pattern/attack-pattern--f277deb3-f676-4536-b7c0-8cc76354b631.json
index 5fc6d66f..cfff5a6a 100644
--- a/mbc/attack-pattern/attack-pattern--f277deb3-f676-4536-b7c0-8cc76354b631.json
+++ b/mbc/attack-pattern/attack-pattern--f277deb3-f676-4536-b7c0-8cc76354b631.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--f277deb3-f676-4536-b7c0-8cc76354b631",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.674263Z",
- "modified": "2022-02-05T00:37:22.694887Z",
+ "modified": "2022-09-08T18:26:13.27131Z",
 "name": "Encoding",
 "description": "Data is encoded.",
 "kill_chain_phases": [
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md",
 "external_id": "E1560.m01"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f286389b-6374-4b58-ae99-975a32ad18ce.json b/mbc/attack-pattern/attack-pattern--f286389b-6374-4b58-ae99-975a32ad18ce.json
index d8f21485..b97a7245 100644
--- a/mbc/attack-pattern/attack-pattern--f286389b-6374-4b58-ae99-975a32ad18ce.json
+++ b/mbc/attack-pattern/attack-pattern--f286389b-6374-4b58-ae99-975a32ad18ce.json
@@ -8,7 +8,7 @@ "id": "attack-pattern--f286389b-6374-4b58-ae99-975a32ad18ce", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.522264Z", - "modified": "2022-02-05T00:37:22.55426Z", + "modified": "2022-09-08T18:26:13.32674Z", "name": "Demo Mode", "description": "Inclusion of a demo binary/mode that is executed when token is absent or not privileged enough.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", "external_id": "B0003.004" } ], diff --git a/mbc/attack-pattern/attack-pattern--f30b55fa-0ddf-49d9-884b-8cdb9e567758.json b/mbc/attack-pattern/attack-pattern--f30b55fa-0ddf-49d9-884b-8cdb9e567758.json index 9dca4efb..af34fea1 100644 --- a/mbc/attack-pattern/attack-pattern--f30b55fa-0ddf-49d9-884b-8cdb9e567758.json +++ b/mbc/attack-pattern/attack-pattern--f30b55fa-0ddf-49d9-884b-8cdb9e567758.json @@ -8,7 +8,7 @@ "id": "attack-pattern--f30b55fa-0ddf-49d9-884b-8cdb9e567758", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.805261Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.379483Z", "name": "Resolve TLD::DNS Communication", "description": "Resolves top level domain.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", "external_id": "C0011.004" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--f4d0e9ac-c868-42fa-9b1f-0d0bee913da1.json b/mbc/attack-pattern/attack-pattern--f4d0e9ac-c868-42fa-9b1f-0d0bee913da1.json index 124e44d9..1c8fe5de 100644 --- a/mbc/attack-pattern/attack-pattern--f4d0e9ac-c868-42fa-9b1f-0d0bee913da1.json +++ b/mbc/attack-pattern/attack-pattern--f4d0e9ac-c868-42fa-9b1f-0d0bee913da1.json @@ -8,7 +8,7 @@ "id": "attack-pattern--f4d0e9ac-c868-42fa-9b1f-0d0bee913da1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.980486Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.371325Z", "name": "Set Socket Config::Socket Communication", "description": "Configure socket.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", "external_id": "C0001.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da.json b/mbc/attack-pattern/attack-pattern--f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da.json index 90958ed2..c3eaaa02 100644 --- a/mbc/attack-pattern/attack-pattern--f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da.json +++ b/mbc/attack-pattern/attack-pattern--f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da.json @@ -8,7 +8,7 @@ "id": "attack-pattern--f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.993484Z", - "modified": "2022-02-05T00:37:22.773011Z", + "modified": "2022-09-08T18:26:13.389965Z", "name": "RC4::Encrypt Data", "description": "Malware encrypts with the RC4 algorithm.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", "external_id": "C0027.009" } ], diff --git a/mbc/attack-pattern/attack-pattern--f50e1610-ac57-4256-85b8-4f16db37b184.json b/mbc/attack-pattern/attack-pattern--f50e1610-ac57-4256-85b8-4f16db37b184.json index caa0f568..6275f8a0 100644 --- a/mbc/attack-pattern/attack-pattern--f50e1610-ac57-4256-85b8-4f16db37b184.json +++ b/mbc/attack-pattern/attack-pattern--f50e1610-ac57-4256-85b8-4f16db37b184.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/delete-file.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/delete-file.md", "external_id": "C0047" } ], diff --git a/mbc/attack-pattern/attack-pattern--f5f683c9-7cc4-41b9-a607-16e3c09461f4.json b/mbc/attack-pattern/attack-pattern--f5f683c9-7cc4-41b9-a607-16e3c09461f4.json index a588aebf..6b276fff 100644 --- a/mbc/attack-pattern/attack-pattern--f5f683c9-7cc4-41b9-a607-16e3c09461f4.json +++ b/mbc/attack-pattern/attack-pattern--f5f683c9-7cc4-41b9-a607-16e3c09461f4.json @@ -8,7 +8,7 @@ "id": "attack-pattern--f5f683c9-7cc4-41b9-a607-16e3c09461f4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.923443Z", - "modified": "2022-02-05T00:37:22.648018Z", + "modified": "2022-09-08T18:26:13.408178Z", "name": "Encryption of Data", "description": "A file's data is encrypted, but not necessarily the file's code.", "kill_chain_phases": [ 
@@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", "external_id": "E1027.m07" } ], diff --git a/mbc/attack-pattern/attack-pattern--f60a86ef-7e8a-4a7b-91fa-64a4c137068c.json b/mbc/attack-pattern/attack-pattern--f60a86ef-7e8a-4a7b-91fa-64a4c137068c.json index 13687bec..1d4b5905 100644 --- a/mbc/attack-pattern/attack-pattern--f60a86ef-7e8a-4a7b-91fa-64a4c137068c.json +++ b/mbc/attack-pattern/attack-pattern--f60a86ef-7e8a-4a7b-91fa-64a4c137068c.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", "external_id": "C0005.005" } ], diff --git a/mbc/attack-pattern/attack-pattern--f62b419a-6b84-4bc4-865c-b58abc012795.json b/mbc/attack-pattern/attack-pattern--f62b419a-6b84-4bc4-865c-b58abc012795.json index 4b623446..0c8922b4 100644 --- a/mbc/attack-pattern/attack-pattern--f62b419a-6b84-4bc4-865c-b58abc012795.json +++ b/mbc/attack-pattern/attack-pattern--f62b419a-6b84-4bc4-865c-b58abc012795.json @@ -8,7 +8,7 @@ "id": "attack-pattern--f62b419a-6b84-4bc4-865c-b58abc012795", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", + "modified": "2022-09-08T18:26:13.386033Z", "name": "RC6::Decrypt Data", "description": "Malware decrypts data encrypted with the RC6 algorithm.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", "external_id": "C0031.009" } ], diff --git a/mbc/attack-pattern/attack-pattern--f65d15c6-c325-42f5-a824-9ff3089f751f.json b/mbc/attack-pattern/attack-pattern--f65d15c6-c325-42f5-a824-9ff3089f751f.json index 6ea48e0f..3cb65f01 100644 --- a/mbc/attack-pattern/attack-pattern--f65d15c6-c325-42f5-a824-9ff3089f751f.json +++ b/mbc/attack-pattern/attack-pattern--f65d15c6-c325-42f5-a824-9ff3089f751f.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/free-memory.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/free-memory.md", "external_id": "C0044" } ], diff --git a/mbc/attack-pattern/attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5.json b/mbc/attack-pattern/attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5.json index a4a94d02..b0d4a36b 100644 --- a/mbc/attack-pattern/attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5.json +++ b/mbc/attack-pattern/attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5.json @@ -8,7 +8,7 @@ "id": "attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.751794Z", - "modified": "2022-02-05T00:37:22.569857Z", + "modified": "2022-09-08T18:26:13.205746Z", "name": "Data Flow Analysis Evasion", "description": "Malware code evades data flow analysis (also known as information flow analysis and taint-tracking).", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-data-flow-analysis.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/data-flow-analysis-evasion.md", "external_id": "B0045" }, { diff --git a/mbc/attack-pattern/attack-pattern--f7d5a289-5ab3-4b74-912a-c7ab2748770c.json b/mbc/attack-pattern/attack-pattern--f7d5a289-5ab3-4b74-912a-c7ab2748770c.json index fa181d82..f5a33dca 100644 --- a/mbc/attack-pattern/attack-pattern--f7d5a289-5ab3-4b74-912a-c7ab2748770c.json +++ b/mbc/attack-pattern/attack-pattern--f7d5a289-5ab3-4b74-912a-c7ab2748770c.json @@ -8,7 +8,7 @@ "id": "attack-pattern--f7d5a289-5ab3-4b74-912a-c7ab2748770c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.479261Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.324112Z", "name": "Failed Network Connections", "description": "Some emulated systems fail to handle some network communications; such failures will indicate the emulated environment.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md", "external_id": "B0004.004" } ], diff --git a/mbc/attack-pattern/attack-pattern--f7edbfa2-7ebf-4e66-bad5-a13150f5ce7a.json b/mbc/attack-pattern/attack-pattern--f7edbfa2-7ebf-4e66-bad5-a13150f5ce7a.json index f9cd5770..3c344447 100644 --- a/mbc/attack-pattern/attack-pattern--f7edbfa2-7ebf-4e66-bad5-a13150f5ce7a.json +++ b/mbc/attack-pattern/attack-pattern--f7edbfa2-7ebf-4e66-bad5-a13150f5ce7a.json 
@@ -24,7 +24,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/cryptocurrency.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/cryptocurrency.md", "external_id": "B0028.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--f867931f-8c8a-4b28-bc5b-0482852124b6.json b/mbc/attack-pattern/attack-pattern--f867931f-8c8a-4b28-bc5b-0482852124b6.json index 14c382a6..68ceee6e 100644 --- a/mbc/attack-pattern/attack-pattern--f867931f-8c8a-4b28-bc5b-0482852124b6.json +++ b/mbc/attack-pattern/attack-pattern--f867931f-8c8a-4b28-bc5b-0482852124b6.json @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/synchronization.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/synchronization.md", "external_id": "C0022" } ], diff --git a/mbc/attack-pattern/attack-pattern--f919567a-9038-415c-a76b-10c702d929b0.json b/mbc/attack-pattern/attack-pattern--f919567a-9038-415c-a76b-10c702d929b0.json index 0c453bd8..557884c0 100644 --- a/mbc/attack-pattern/attack-pattern--f919567a-9038-415c-a76b-10c702d929b0.json +++ b/mbc/attack-pattern/attack-pattern--f919567a-9038-415c-a76b-10c702d929b0.json 
@@ -8,9 +8,9 @@
 "id": "attack-pattern--f919567a-9038-415c-a76b-10c702d929b0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2021-02-10T06:49:32.038481Z",
- "modified": "2022-02-05T00:37:22.819853Z",
+ "modified": "2022-09-08T18:26:13.357284Z",
 "name": "Resume Thread",
- "description": "Malware typically resumes a thread in order to execute previously injected code (e.g., in the course of the [Process Injection::Process Hollowing](https://github.com/MBCProject/mbc-markdown/blob/v2.2/https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md)).",
+ "description": "Malware typically resumes a thread in order to execute previously injected code (e.g., in the course of the [Process Injection::Process Hollowing](https://github.com/MBCProject/mbc-markdown/blob/v2.3/https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md)).",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mbc",
@@ -20,7 +20,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/resume-thread.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/resume-thread.md",
 "external_id": "C0054"
 }
 ],
diff --git a/mbc/attack-pattern/attack-pattern--f93d127d-164b-47c1-81e9-e7011cb478f8.json b/mbc/attack-pattern/attack-pattern--f93d127d-164b-47c1-81e9-e7011cb478f8.json
index de91da13..a3acaae4 100644
--- a/mbc/attack-pattern/attack-pattern--f93d127d-164b-47c1-81e9-e7011cb478f8.json
+++ b/mbc/attack-pattern/attack-pattern--f93d127d-164b-47c1-81e9-e7011cb478f8.json
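Review bot: The rewritten `description` of Resume Thread still embeds a malformed link: the markdown href reads `https://github.com/MBCProject/mbc-markdown/blob/v2.3/https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md`, so the version bump carried a doubled base prefix forward and the link cannot resolve. The intended target is the single path `https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md`. Since the descriptions on this page look generator-produced, the duplication is probably the markdown-to-STIX conversion prepending the base URL to an already absolute link; fixing it at the generator rather than in this one file would keep the next version bump from reproducing it.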
@@ -8,7 +8,7 @@ "id": "attack-pattern--f93d127d-164b-47c1-81e9-e7011cb478f8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.80426Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.37857Z", "name": "DDNS Domain Connect::DNS Communication", "description": "Connects to dynamic DNS domain.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", "external_id": "C0011.003" } ], diff --git a/mbc/attack-pattern/attack-pattern--fb0ec928-14d1-49f3-9897-14e3613b4ad7.json b/mbc/attack-pattern/attack-pattern--fb0ec928-14d1-49f3-9897-14e3613b4ad7.json index aef026e6..2b883cae 100644 --- a/mbc/attack-pattern/attack-pattern--fb0ec928-14d1-49f3-9897-14e3613b4ad7.json +++ b/mbc/attack-pattern/attack-pattern--fb0ec928-14d1-49f3-9897-14e3613b4ad7.json @@ -8,7 +8,7 @@ "id": "attack-pattern--fb0ec928-14d1-49f3-9897-14e3613b4ad7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.462262Z", - "modified": "2022-02-05T00:37:22.491757Z", + "modified": "2022-09-08T18:26:13.314204Z", "name": "IsDebuggerPresent", "description": "The kernel32!IsDebuggerPresent API function call checks the PEB BeingDebugged flag to see if the calling process is being debugged. It returns 1 if the process is being debugged, 0 otherwise. This is one of the most common ways of debugger detection.", "kill_chain_phases": [ 
@@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.008" } ], diff --git a/mbc/attack-pattern/attack-pattern--fb6ca685-805a-467b-8f10-460f41360731.json b/mbc/attack-pattern/attack-pattern--fb6ca685-805a-467b-8f10-460f41360731.json index e33b787a..40811672 100644 --- a/mbc/attack-pattern/attack-pattern--fb6ca685-805a-467b-8f10-460f41360731.json +++ b/mbc/attack-pattern/attack-pattern--fb6ca685-805a-467b-8f10-460f41360731.json @@ -8,7 +8,7 @@ "id": "attack-pattern--fb6ca685-805a-467b-8f10-460f41360731", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.01448Z", - "modified": "2022-02-05T00:37:22.788643Z", + "modified": "2022-09-08T18:26:13.345199Z", "name": "Delete Directory", "description": "Malware deletes a directory.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/delete-dir.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/delete-directory.md", "external_id": "C0048" } ], diff --git a/mbc/attack-pattern/attack-pattern--fbaedc87-7d0b-447c-a9e5-0f6c2658770a.json b/mbc/attack-pattern/attack-pattern--fbaedc87-7d0b-447c-a9e5-0f6c2658770a.json index 0592eeb1..d49106cd 100644 --- a/mbc/attack-pattern/attack-pattern--fbaedc87-7d0b-447c-a9e5-0f6c2658770a.json +++ b/mbc/attack-pattern/attack-pattern--fbaedc87-7d0b-447c-a9e5-0f6c2658770a.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--fbaedc87-7d0b-447c-a9e5-0f6c2658770a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.721261Z", - "modified": "2022-02-05T00:37:22.679223Z", + "modified": "2022-09-08T18:26:13.245148Z", "name": "Suicide Exit", "description": "Malware terminates its execution based on a trigger condition or value (or because it has completed).", "kill_chain_phases": [ @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", "external_id": "B0025.001" } ], diff --git a/mbc/attack-pattern/attack-pattern--fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b.json b/mbc/attack-pattern/attack-pattern--fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b.json index 471f838a..a48480cf 100644 --- a/mbc/attack-pattern/attack-pattern--fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b.json +++ b/mbc/attack-pattern/attack-pattern--fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b.json @@ -8,7 +8,7 @@ "id": "attack-pattern--fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.823261Z", - "modified": "2022-02-05T00:37:22.741756Z", + "modified": "2022-09-08T18:26:13.368213Z", "name": "Create Pipe::Interprocess Communication", "kill_chain_phases": [ { @@ -19,7 +19,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md", "external_id": "C0003.001" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--fd9f551a-f0ef-42e2-bf82-acdf1062852b.json b/mbc/attack-pattern/attack-pattern--fd9f551a-f0ef-42e2-bf82-acdf1062852b.json index 5b6274e4..d328904e 100644 --- a/mbc/attack-pattern/attack-pattern--fd9f551a-f0ef-42e2-bf82-acdf1062852b.json +++ b/mbc/attack-pattern/attack-pattern--fd9f551a-f0ef-42e2-bf82-acdf1062852b.json @@ -8,7 +8,7 @@ "id": "attack-pattern--fd9f551a-f0ef-42e2-bf82-acdf1062852b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", + "modified": "2022-09-08T18:26:13.244845Z", "name": "Secure Triggers", "description": "Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).", "kill_chain_phases": [ @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", "external_id": "B0025.005" } ], diff --git a/mbc/attack-pattern/attack-pattern--fdc4b63d-2ee4-49af-b2d4-2defeff3d87d.json b/mbc/attack-pattern/attack-pattern--fdc4b63d-2ee4-49af-b2d4-2defeff3d87d.json index 867130b1..872c9e8a 100644 --- a/mbc/attack-pattern/attack-pattern--fdc4b63d-2ee4-49af-b2d4-2defeff3d87d.json +++ b/mbc/attack-pattern/attack-pattern--fdc4b63d-2ee4-49af-b2d4-2defeff3d87d.json 
@@ -8,7 +8,7 @@ "id": "attack-pattern--fdc4b63d-2ee4-49af-b2d4-2defeff3d87d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", + "modified": "2022-09-08T18:26:13.245476Z", "name": "Token Check", "description": "Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.). If the token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.), it is considered fingerprinting.", "kill_chain_phases": [ @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", "external_id": "B0025.006" } ], diff --git a/mbc/attack-pattern/attack-pattern--fdd6cb04-8d0a-4808-b50a-0e7f8061b42b.json b/mbc/attack-pattern/attack-pattern--fdd6cb04-8d0a-4808-b50a-0e7f8061b42b.json index 00cbcdc0..d18dbc8c 100644 --- a/mbc/attack-pattern/attack-pattern--fdd6cb04-8d0a-4808-b50a-0e7f8061b42b.json +++ b/mbc/attack-pattern/attack-pattern--fdd6cb04-8d0a-4808-b50a-0e7f8061b42b.json @@ -8,7 +8,7 @@ "id": "attack-pattern--fdd6cb04-8d0a-4808-b50a-0e7f8061b42b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:32.042481Z", - "modified": "2022-02-05T00:37:22.835477Z", + "modified": "2022-09-08T18:26:13.353915Z", "name": "Allocate Thread Local Storage", "description": "Malware allocates thread local storage.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/thread-storage-allocate.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/allocate-thread-local-storage.md", "external_id": "C0040" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--fe31be5f-2912-4056-b70b-62988d5c3829.json b/mbc/attack-pattern/attack-pattern--fe31be5f-2912-4056-b70b-62988d5c3829.json
index 276dead3..4bbac516 100644
--- a/mbc/attack-pattern/attack-pattern--fe31be5f-2912-4056-b70b-62988d5c3829.json
+++ b/mbc/attack-pattern/attack-pattern--fe31be5f-2912-4056-b70b-62988d5c3829.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--fe31be5f-2912-4056-b70b-62988d5c3829",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2022-02-04T23:52:35.877737Z",
- "modified": "2022-02-05T00:37:22.679223Z",
+ "modified": "2022-09-08T18:26:13.2445Z",
 "name": "Runs as Service",
 "description": "The malware must be run as a service, which can make behavioral analysis and debugging more difficult. The service may be set up by the malware. Alternatively, the malware may not contain any code to create a new service or modify an existing service, in which case, the service may be set up by another program or manually.",
 "kill_chain_phases": [
@@ -28,13 +28,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md",
 "external_id": "B0025.007"
 },
 {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1480",
- "external_id": "T1480"
+ "source_name": "external_source",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--fe39ee83-4f97-4989-b1f4-11a95d36b9d2.json b/mbc/attack-pattern/attack-pattern--fe39ee83-4f97-4989-b1f4-11a95d36b9d2.json
index 145d9d91..62b3a1c7 100644
--- a/mbc/attack-pattern/attack-pattern--fe39ee83-4f97-4989-b1f4-11a95d36b9d2.json
+++ b/mbc/attack-pattern/attack-pattern--fe39ee83-4f97-4989-b1f4-11a95d36b9d2.json @@ -8,7 +8,7 @@ "id": "attack-pattern--fe39ee83-4f97-4989-b1f4-11a95d36b9d2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.475261Z", - "modified": "2022-02-05T00:37:22.507385Z", + "modified": "2022-09-08T18:26:13.321386Z", "name": "Timing/Delay Check QueryPerformanceCounter", "description": "Malware uses QueryPerformanceCounter in a timing/delay check.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", "external_id": "B0001.033" } ], diff --git a/mbc/attack-pattern/attack-pattern--fe662062-536d-43ca-912b-534a2936ddad.json b/mbc/attack-pattern/attack-pattern--fe662062-536d-43ca-912b-534a2936ddad.json index 80d0e8ec..ec5ca8cc 100644 --- a/mbc/attack-pattern/attack-pattern--fe662062-536d-43ca-912b-534a2936ddad.json +++ b/mbc/attack-pattern/attack-pattern--fe662062-536d-43ca-912b-534a2936ddad.json @@ -8,7 +8,7 @@ "id": "attack-pattern--fe662062-536d-43ca-912b-534a2936ddad", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2021-02-10T06:49:31.971484Z", - "modified": "2022-02-05T00:37:22.726134Z", + "modified": "2022-09-08T18:26:13.376715Z", "name": "WinINet::FTP Communication", "description": "Send FTP command via WinINet.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/ftp-comm.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/ftp-communication.md", "external_id": "C0004.002" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--fecc2029-1268-4e13-b4b7-2b9f00c84972.json b/mbc/attack-pattern/attack-pattern--fecc2029-1268-4e13-b4b7-2b9f00c84972.json index 1f756943..f98db69e 100644 --- a/mbc/attack-pattern/attack-pattern--fecc2029-1268-4e13-b4b7-2b9f00c84972.json +++ b/mbc/attack-pattern/attack-pattern--fecc2029-1268-4e13-b4b7-2b9f00c84972.json @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", "external_id": "F0001.009" } ], diff --git a/mbc/attack-pattern/attack-pattern--ff66c503-48b3-4f2b-a462-f54258d2cfca.json b/mbc/attack-pattern/attack-pattern--ff66c503-48b3-4f2b-a462-f54258d2cfca.json index bc486838..f0b607f7 100644 --- a/mbc/attack-pattern/attack-pattern--ff66c503-48b3-4f2b-a462-f54258d2cfca.json +++ b/mbc/attack-pattern/attack-pattern--ff66c503-48b3-4f2b-a462-f54258d2cfca.json @@ -8,7 +8,7 @@ "id": "attack-pattern--ff66c503-48b3-4f2b-a462-f54258d2cfca", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.514301Z", - "modified": "2022-02-05T00:37:22.538637Z", + "modified": "2022-09-08T18:26:13.307628Z", "name": "Pre-Debug", "description": "Prevents debugger from attaching to process or to break until after the code of interest has been executed.", "kill_chain_phases": [ @@ -20,7 +20,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", "external_id": "B0002.019" } ], 
diff --git a/mbc/attack-pattern/attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c.json b/mbc/attack-pattern/attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c.json index 24cac6aa..5b9ce553 100644 --- a/mbc/attack-pattern/attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c.json +++ b/mbc/attack-pattern/attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c.json @@ -8,7 +8,7 @@ "id": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2020-08-21T20:49:59.584261Z", - "modified": "2022-02-05T00:37:22.585511Z", + "modified": "2022-09-08T18:26:13.201233Z", "name": "Software Packing", "description": "This code characteristic - Software Packing - can make static and behavioral analysis difficult and includes packing with software protectors, such as Themida and Armadillo [[1]](#1). Methods related to anti-analysis are below. This behavior covers both characteristics of the malware (i.e., how it is packed) as well as behaviors of the malware (e.g., the malware packs another executable file).", "kill_chain_phases": [ @@ -28,7 +28,7 @@ "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", "external_id": "F0001" }, { 
@@ -44,6 +44,26 @@
 {
 "source_name": "external_source",
 "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://www.csl.sri.com/users/vinod/papers/Conficker/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/attack-pattern/attack-pattern--ff838892-3d1a-46ba-a3f5-5787e0e82830.json b/mbc/attack-pattern/attack-pattern--ff838892-3d1a-46ba-a3f5-5787e0e82830.json
index f4ac54fe..e41f5187 100644
--- a/mbc/attack-pattern/attack-pattern--ff838892-3d1a-46ba-a3f5-5787e0e82830.json
+++ b/mbc/attack-pattern/attack-pattern--ff838892-3d1a-46ba-a3f5-5787e0e82830.json
@@ -8,7 +8,7 @@
 "id": "attack-pattern--ff838892-3d1a-46ba-a3f5-5787e0e82830",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:49:59.470264Z",
- "modified": "2022-02-05T00:37:22.491757Z",
+ "modified": "2022-09-08T18:26:13.318438Z",
 "name": "Process Jobs",
 "kill_chain_phases": [
 {
@@ -19,7 +19,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
 "external_id": "B0001.020"
 },
 {
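Review bot: Of the five references added to Software Packing after the FireEye entry, `http://www.csl.sri.com/users/vinod/papers/Conficker/` is the only one on plain HTTP, so anyone who follows it from the bundle retrieves the cited analysis over an unauthenticated channel. If the host serves the page over TLS, the entry should read `"url": "https://www.csl.sri.com/users/vinod/papers/Conficker/"`; if it does not, leave the URL as it is rather than point at a non-existent resource. This is worth a quick check before the bundle is published, since the other four additions already use HTTPS.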
diff --git a/mbc/malware/malware--0c0d59b7-4ff0-4a09-9c64-558334485ece.json b/mbc/malware/malware--0c0d59b7-4ff0-4a09-9c64-558334485ece.json
index 28951b5c..defb87e6 100644
--- a/mbc/malware/malware--0c0d59b7-4ff0-4a09-9c64-558334485ece.json
+++ b/mbc/malware/malware--0c0d59b7-4ff0-4a09-9c64-558334485ece.json
@@ -8,7 +8,7 @@
 "id": "malware--0c0d59b7-4ff0-4a09-9c64-558334485ece",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.331252Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.315006Z",
 "name": "DNSChanger",
 "description": "Used to change DNS settings to generate fraudulent advertising revenue.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/dnschanger.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/dnschanger.md",
 "external_id": "X0005"
 },
 {
@@ -29,10 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2011"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52.json b/mbc/malware/malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52.json
index 31a6c135..833f540f 100644
--- a/mbc/malware/malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52.json
+++ b/mbc/malware/malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52.json
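Review bot: The new `"x_mitre_year": ""` in the DNSChanger object replaces a real value (`"2011"`) with an empty string, which turns an absent value into a sentinel every consumer has to special-case; the Dark Comet (`"2008"`) and Stuxnet (`"2010"`) hunks on the next two lines make the same edit. If MBC v2.3 no longer tracks the year, drop the key rather than emit `""`; if it still does, the generator is losing the value along with the removed `x_mitre_platform` arrays (and, for Stuxnet, `x_mitre_aliases`), which reads more like a conversion regression than a deliberate removal. Whichever is intended, the three malware files should follow one convention for absent custom properties, and the existing `\ No newline at end of file` on these files is worth fixing in the same pass.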
@@ -8,7 +8,7 @@
 "id": "malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.330254Z",
- "modified": "2022-02-05T00:37:25.92289Z",
+ "modified": "2022-09-08T18:26:14.314517Z",
 "name": "Dark Comet",
 "description": "A Remote Access Trojan (RAT) that allows a user to control the system via a GUI. It has many features which allows a user to use it as administrative remote help tool; however, DarkComet has many features which can be used maliciously. DarkComet is commonly used to spy on the victims by taking screen captures, key-logging, or password stealing.",
 "malware_types": [
@@ -18,21 +18,22 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/dark-comet.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/dark-comet.md",
 "external_id": "X0004"
 },
 {
 "source_name": "external_source",
 "url": "https://en.wikipedia.org/wiki/DarkComet"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2008"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--2640ed9a-24d9-4975-90c2-c8ab94d544e3.json b/mbc/malware/malware--2640ed9a-24d9-4975-90c2-c8ab94d544e3.json
index e10413da..5fc587be 100644
--- a/mbc/malware/malware--2640ed9a-24d9-4975-90c2-c8ab94d544e3.json
+++ b/mbc/malware/malware--2640ed9a-24d9-4975-90c2-c8ab94d544e3.json
@@ -8,7 +8,7 @@
 "id": "malware--2640ed9a-24d9-4975-90c2-c8ab94d544e3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.361255Z",
- "modified": "2022-02-05T00:37:25.969727Z",
+ "modified": "2022-09-08T18:26:14.327796Z",
 "name": "Stuxnet",
 "description": "A malicious worm targeting SCADA systems.",
 "malware_types": [
@@ -18,33 +18,18 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/stuxnet.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/stuxnet.md",
 "external_id": "X0019"
 },
 {
 "source_name": "external_source",
 "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
- },
- {
- "source_name": "external_source",
- "url": "https://www.bbc.com/timelines/zc6fbk7"
- },
- {
- "source_name": "external_source",
- "url": "https://en.wikipedia.org/wiki/Stuxnet"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_aliases": [
- "Rootkit.Tmphider",
- "W32.Temphid"
- ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2010"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e.json b/mbc/malware/malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e.json
index f14bac6f..c269debe 100644
--- a/mbc/malware/malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e.json
+++ b/mbc/malware/malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e.json
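Review bot: The deletion of `x_mitre_aliases` (`Rootkit.Tmphider`, `W32.Temphid`) removes the only vendor-name mapping on this object and nothing on the new side carries it, so consumers that correlate detections or reports by alias lose that link. If these bundles are STIX 2.1 (no `spec_version` is visible in this hunk), the malware SDO has a standard `aliases` property and the data could be kept as `"aliases": ["Rootkit.Tmphider", "W32.Temphid"]` rather than dropped. The same deletion appears in the Ursnif, Kraken, Conficker, Emotet, Hupigon, Gamut and SamSam hunks, and every malware hunk in this range also drops `x_mitre_platform`; if that is an intentional schema change for v2.3, it deserves a sentence in the commit description, since it is not implied by a link update.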
@@ -8,7 +8,7 @@
 "id": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.367256Z",
- "modified": "2022-02-05T00:37:25.969727Z",
+ "modified": "2022-09-08T18:26:14.316006Z",
 "name": "TrickBot",
 "description": "Trojan spyware program that has mainly been used for targeting banking sites. TrickBot is written in the C++ programming language.",
 "malware_types": [
@@ -18,17 +18,38 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/trickbot.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/trickbot.md",
 "external_id": "X0025"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.joesecurity.org/blog/498839998833561473"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2016"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--2def59e9-a1ba-4c23-9f7d-437935d1e965.json b/mbc/malware/malware--2def59e9-a1ba-4c23-9f7d-437935d1e965.json
index 7c63743b..b48f8f09 100644
--- a/mbc/malware/malware--2def59e9-a1ba-4c23-9f7d-437935d1e965.json
+++ b/mbc/malware/malware--2def59e9-a1ba-4c23-9f7d-437935d1e965.json
@@ -8,7 +8,7 @@
 "id": "malware--2def59e9-a1ba-4c23-9f7d-437935d1e965",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.336251Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.319188Z",
 "name": "Geneio",
 "description": "Geneio is a byproduct of the DYLD_PRINT_TIFILE vulnerability. Geneio can gain access to the MAC Keychain and persist until removed by the user.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/geneio.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/geneio.md",
 "external_id": "X0007"
 },
 {
@@ -27,7 +27,7 @@
 },
 {
 "source_name": "external_source",
- "url": "https://support.norton.com/sp/en/us/home/current/solutions/v103415336_EndUserProfile_en_us"
+ "url": "https://macpaw.com/how-to/remove-genieo-malware-mac"
 },
 {
 "source_name": "external_source",
@@ -37,10 +37,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "OS X"
- ],
- "x_mitre_year": "2015"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--30666a55-e3de-40ff-a680-8bca9c163cb0.json b/mbc/malware/malware--30666a55-e3de-40ff-a680-8bca9c163cb0.json
index f96ff1d0..1dc3ba73 100644
--- a/mbc/malware/malware--30666a55-e3de-40ff-a680-8bca9c163cb0.json
+++ b/mbc/malware/malware--30666a55-e3de-40ff-a680-8bca9c163cb0.json
@@ -8,7 +8,7 @@
 "id": "malware--30666a55-e3de-40ff-a680-8bca9c163cb0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.355256Z",
- "modified": "2022-02-05T00:37:25.954104Z",
+ "modified": "2022-09-08T18:26:14.315491Z",
 "name": "Rombertik",
 "description": "This family of malware steals data the user enters into a browser and uses a variety of behaviors to hinder analysis.",
 "malware_types": [
@@ -18,21 +18,18 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/rombertik.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/rombertik.md",
 "external_id": "X0031"
 },
 {
 "source_name": "external_source",
- "url": "http://labs.lastline.com/exposing-rombertik-turning-the-tables-on-evasive-malware"
+ "url": "https://blogs.cisco.com/security/talos/rombertik"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2015"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--31e78af0-0509-4f7b-b304-77a8e5bf7ead.json b/mbc/malware/malware--31e78af0-0509-4f7b-b304-77a8e5bf7ead.json
index 5b2d5bb1..18425c21 100644
--- a/mbc/malware/malware--31e78af0-0509-4f7b-b304-77a8e5bf7ead.json
+++ b/mbc/malware/malware--31e78af0-0509-4f7b-b304-77a8e5bf7ead.json
@@ -8,7 +8,7 @@
 "id": "malware--31e78af0-0509-4f7b-b304-77a8e5bf7ead",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.370254Z",
- "modified": "2022-02-05T00:37:25.969727Z",
+ "modified": "2022-09-08T18:26:14.316788Z",
 "name": "Ursnif",
 "description": "A banking trojan that uses malware macros to evade sandbox detection. Variant of Gozi.",
 "malware_types": [
@@ -18,25 +18,34 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/ursnif.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/ursnif.md",
 "external_id": "X0022"
 },
 {
 "source_name": "external_source",
- "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif"
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_aliases": [
- "Dreambot",
- "Gozi"
- ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2016"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa.json b/mbc/malware/malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa.json
index dfa5a330..b71da808 100644
--- a/mbc/malware/malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa.json
+++ b/mbc/malware/malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa.json
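Review bot: The two added Trend Micro references carry a `_ga=...` query string, which is a Google Analytics client/session identifier captured from the browser that collected the link, not part of the resource locator; publishing it in a CTI dataset leaks that identifier and makes the URL non-canonical for deduplication against other feeds. Strip the query string on both lines: `"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2"` and `"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM"`. The other Trend Micro links in this commit (Poison-Ivy, Heriplor, Hupigon) are already written without it.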
@@ -8,7 +8,7 @@
 "id": "malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.345255Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.329763Z",
 "name": "Kraken",
 "description": "A family of bots.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/kraken.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/kraken.md",
 "external_id": "X0010"
 },
 {
@@ -29,13 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_aliases": [
- "Bobax"
- ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2008"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--4188f951-4400-406c-8281-509395fc8e11.json b/mbc/malware/malware--4188f951-4400-406c-8281-509395fc8e11.json
index 2cd7440a..ae00b5e7 100644
--- a/mbc/malware/malware--4188f951-4400-406c-8281-509395fc8e11.json
+++ b/mbc/malware/malware--4188f951-4400-406c-8281-509395fc8e11.json
@@ -8,7 +8,7 @@
 "id": "malware--4188f951-4400-406c-8281-509395fc8e11",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.326252Z",
- "modified": "2022-02-05T00:37:25.92289Z",
+ "modified": "2022-09-08T18:26:14.322759Z",
 "name": "CryptoLocker",
 "description": "CryptoLocker is a family of ransomware.",
 "malware_types": [
@@ -18,25 +18,18 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/cryptolocker.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/cryptolocker.md",
 "external_id": "X0030"
 },
 {
 "source_name": "external_source",
- "url": "https://en.wikipedia.org/wiki/CryptoLocker"
- },
- {
- "source_name": "external_source",
- "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/"
+ "url": "https://www.secureworks.com/research/cryptolocker-ransomware"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2013"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--49b9796a-27fd-414e-a87d-b071aaff295b.json b/mbc/malware/malware--49b9796a-27fd-414e-a87d-b071aaff295b.json
index bcbdaa66..9ccfc631 100644
--- a/mbc/malware/malware--49b9796a-27fd-414e-a87d-b071aaff295b.json
+++ b/mbc/malware/malware--49b9796a-27fd-414e-a87d-b071aaff295b.json
@@ -8,7 +8,7 @@
 "id": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.352256Z",
- "modified": "2022-02-05T00:37:25.954104Z",
+ "modified": "2022-09-08T18:26:14.32216Z",
 "name": "Poison-Ivy",
 "description": "Remote Access Trojan (RAT).",
 "malware_types": [
@@ -18,21 +18,30 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/poison-ivy.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/poison-ivy.md",
 "external_id": "X0014"
 },
 {
 "source_name": "external_source",
- "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ "url": "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/poisonivy"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2005"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9.json b/mbc/malware/malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9.json
index 7163d389..ed4e4a61 100644
--- a/mbc/malware/malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9.json
+++ b/mbc/malware/malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9.json
@@ -8,7 +8,7 @@
 "id": "malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.325252Z",
- "modified": "2022-02-05T00:37:25.92289Z",
+ "modified": "2022-09-08T18:26:14.324734Z",
 "name": "Conficker",
 "description": "A worm targeting Microsoft Windows operations systems.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/conficker.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/conficker.md",
 "external_id": "X0003"
 },
 {
@@ -33,15 +33,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_aliases": [
- "Downup",
- "Downadup",
- "Kido"
- ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2008"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--508cadaa-4fd5-4105-803e-8944e388ee45.json b/mbc/malware/malware--508cadaa-4fd5-4105-803e-8944e388ee45.json
index 90743cc9..f1aa7f3b 100644
--- a/mbc/malware/malware--508cadaa-4fd5-4105-803e-8944e388ee45.json
+++ b/mbc/malware/malware--508cadaa-4fd5-4105-803e-8944e388ee45.json
@@ -8,7 +8,7 @@
 "id": "malware--508cadaa-4fd5-4105-803e-8944e388ee45",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.349255Z",
- "modified": "2022-02-05T00:37:25.954104Z",
+ "modified": "2022-09-08T18:26:14.330263Z",
 "name": "MazarBot",
 "description": "Targets Android phones via a poisoned text message.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/mazarbot.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/mazarbot.md",
 "external_id": "X0012"
 },
 {
@@ -28,15 +28,16 @@
 {
 "source_name": "external_source",
 "url": "https://www.player.one/new-android-sms-malware-can-completely-own-your-phone-just-one-text-how-avoid-mazar-512363"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Android"
- ],
- "x_mitre_year": "2016"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48.json b/mbc/malware/malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48.json
index 5caabcec..5ce045ae 100644
--- a/mbc/malware/malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48.json
+++ b/mbc/malware/malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48.json
@@ -8,7 +8,7 @@
 "id": "malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.347255Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.330783Z",
 "name": "Locky Bart",
 "description": "Locky Bart is ransomware.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/locky-bart.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/locky-bart.md",
 "external_id": "X0011"
 },
 {
@@ -29,10 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2017"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--549d1c35-f214-4760-ab97-2142c66cf111.json b/mbc/malware/malware--549d1c35-f214-4760-ab97-2142c66cf111.json
index bd2cdf0f..6d128c61 100644
--- a/mbc/malware/malware--549d1c35-f214-4760-ab97-2142c66cf111.json
+++ b/mbc/malware/malware--549d1c35-f214-4760-ab97-2142c66cf111.json
@@ -8,7 +8,7 @@
 "id": "malware--549d1c35-f214-4760-ab97-2142c66cf111",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.328253Z",
- "modified": "2022-02-05T00:37:25.92289Z",
+ "modified": "2022-09-08T18:26:14.32376Z",
 "name": "CryptoWall",
 "description": "CryptoWall is a family of ransomware.",
 "malware_types": [
@@ -18,25 +18,18 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/cryptowall.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/cryptowall.md",
 "external_id": "X0029"
 },
 {
 "source_name": "external_source",
 "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/"
- },
- {
- "source_name": "external_source",
- "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2014"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--5dcefe05-4ead-4f84-9919-ebefe968df27.json b/mbc/malware/malware--5dcefe05-4ead-4f84-9919-ebefe968df27.json
index d7a446d9..ec9fe43d 100644
--- a/mbc/malware/malware--5dcefe05-4ead-4f84-9919-ebefe968df27.json
+++ b/mbc/malware/malware--5dcefe05-4ead-4f84-9919-ebefe968df27.json
@@ -8,7 +8,7 @@
 "id": "malware--5dcefe05-4ead-4f84-9919-ebefe968df27",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.369255Z",
- "modified": "2022-02-05T00:37:25.969727Z",
+ "modified": "2022-09-08T18:26:14.325734Z",
 "name": "UP007 Malware Family",
 "description": "Description.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/up007.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/up007.md",
 "external_id": "X0033"
 },
 {
@@ -29,10 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2016"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--5fe2035d-58a0-4cd6-9561-cf4442871a10.json b/mbc/malware/malware--5fe2035d-58a0-4cd6-9561-cf4442871a10.json
index fc6c18a8..cd72d125 100644
--- a/mbc/malware/malware--5fe2035d-58a0-4cd6-9561-cf4442871a10.json
+++ b/mbc/malware/malware--5fe2035d-58a0-4cd6-9561-cf4442871a10.json
@@ -8,7 +8,7 @@
 "id": "malware--5fe2035d-58a0-4cd6-9561-cf4442871a10",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.332252Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.326183Z",
 "name": "Emotet",
 "description": "Emotet is a banking trojan.",
 "malware_types": [
@@ -18,28 +18,30 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/emotet.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/emotet.md",
 "external_id": "X0028"
 },
 {
 "source_name": "external_source",
- "url": "https://cofense.com/dark-realm-shifting-ways-geodo-malware"
+ "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/"
 },
 {
 "source_name": "external_source",
- "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/"
+ "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_aliases": [
- "Geodo"
- ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2018"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--6875c768-4212-474d-85dc-1e89c62e9a65.json b/mbc/malware/malware--6875c768-4212-474d-85dc-1e89c62e9a65.json
index deb85333..035cae4c 100644
--- a/mbc/malware/malware--6875c768-4212-474d-85dc-1e89c62e9a65.json
+++ b/mbc/malware/malware--6875c768-4212-474d-85dc-1e89c62e9a65.json
@@ -8,7 +8,7 @@
 "id": "malware--6875c768-4212-474d-85dc-1e89c62e9a65",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.363292Z",
- "modified": "2022-02-05T00:37:25.969727Z",
+ "modified": "2022-09-08T18:26:14.328802Z",
 "name": "SYNful Knock",
 "description": "A modification of the router's firmware images used to maintain persistence.",
 "malware_types": [
@@ -18,21 +18,18 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/synful-knock.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/synful-knock.md",
 "external_id": "X0020"
 },
 {
 "source_name": "external_source",
- "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html"
+ "url": "https://www.mandiant.com/resources/synful-knock-acis"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Cisco"
- ],
- "x_mitre_year": "2015"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--6a1bde20-a344-4738-9df5-b568fa4b5f33.json b/mbc/malware/malware--6a1bde20-a344-4738-9df5-b568fa4b5f33.json
index e4ebdd70..c64af110 100644
--- a/mbc/malware/malware--6a1bde20-a344-4738-9df5-b568fa4b5f33.json
+++ b/mbc/malware/malware--6a1bde20-a344-4738-9df5-b568fa4b5f33.json
@@ -8,7 +8,7 @@
 "id": "malware--6a1bde20-a344-4738-9df5-b568fa4b5f33",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.342252Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.329281Z",
 "name": "Hupigon",
 "description": "A family of backdoors.",
 "malware_types": [
@@ -18,28 +18,22 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/hupigon.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/hupigon.md",
 "external_id": "X0008"
 },
 {
 "source_name": "external_source",
 "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_aliases": [
- "Delf",
- "Emerleox",
- "Logsnif",
- "Graybird",
- "Pcclient"
- ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2013"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--8297b846-885e-4751-9e2b-d777ae7d21e3.json b/mbc/malware/malware--8297b846-885e-4751-9e2b-d777ae7d21e3.json
index 4badb2cd..b7ab7ebf 100644
--- a/mbc/malware/malware--8297b846-885e-4751-9e2b-d777ae7d21e3.json
+++ b/mbc/malware/malware--8297b846-885e-4751-9e2b-d777ae7d21e3.json
@@ -8,7 +8,7 @@
 "id": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.372256Z",
- "modified": "2022-02-05T00:37:25.969727Z",
+ "modified": "2022-09-08T18:26:14.331246Z",
 "name": "WebCobra",
 "description": "Cryptojacking malware.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/webcobra.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/webcobra.md",
 "external_id": "X0023"
 },
 {
@@ -33,10 +33,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2018"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--86cfa430-ca3b-4322-bdfe-989aca5305f0.json b/mbc/malware/malware--86cfa430-ca3b-4322-bdfe-989aca5305f0.json
index b86660b7..b80c51a9 100644
--- a/mbc/malware/malware--86cfa430-ca3b-4322-bdfe-989aca5305f0.json
+++ b/mbc/malware/malware--86cfa430-ca3b-4322-bdfe-989aca5305f0.json
@@ -8,7 +8,7 @@
 "id": "malware--86cfa430-ca3b-4322-bdfe-989aca5305f0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.334253Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.328334Z",
 "name": "Gamut",
 "description": "A spamming botnet.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/gamut.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/gamut.md",
 "external_id": "X0006"
 },
 {
@@ -29,13 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_aliases": [
- "Bobax"
- ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2014"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--92f9ba45-2fb3-4d97-9865-eda477e7b779.json b/mbc/malware/malware--92f9ba45-2fb3-4d97-9865-eda477e7b779.json
index bd3ccfa6..d857eaed 100644
--- a/mbc/malware/malware--92f9ba45-2fb3-4d97-9865-eda477e7b779.json
+++ b/mbc/malware/malware--92f9ba45-2fb3-4d97-9865-eda477e7b779.json
@@ -8,7 +8,7 @@
 "id": "malware--92f9ba45-2fb3-4d97-9865-eda477e7b779",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.340252Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.327217Z",
 "name": "Heriplor",
 "description": "This Trojan is associated with the Energetic Bear group [[1]](#1).",
 "malware_types": [
@@ -18,21 +18,22 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/heriplor.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/heriplor.md",
 "external_id": "X0026"
 },
 {
 "source_name": "external_source",
- "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html"
+ "url": "https://insights.sei.cmu.edu/blog/api-hashing-tool-imagine-that/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_heriplor.a"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2012"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--a456fdcd-68f2-46fb-adb0-97c6817338c9.json b/mbc/malware/malware--a456fdcd-68f2-46fb-adb0-97c6817338c9.json
index c98223c1..cf838269 100644
--- a/mbc/malware/malware--a456fdcd-68f2-46fb-adb0-97c6817338c9.json
+++ b/mbc/malware/malware--a456fdcd-68f2-46fb-adb0-97c6817338c9.json
@@ -8,7 +8,7 @@
 "id": "malware--a456fdcd-68f2-46fb-adb0-97c6817338c9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.357255Z",
- "modified": "2022-02-05T00:37:25.954104Z",
+ "modified": "2022-09-08T18:26:14.313824Z",
 "name": "SamSam",
 "description": "Ransomware.",
 "malware_types": [
@@ -18,30 +18,26 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/samsam.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/samsam.md",
 "external_id": "X0016"
 },
 {
 "source_name": "external_source",
- "url": "https://www.us-cert.gov/ncas/alerts/AA18-337A"
+ "url": "https://www.cisa.gov/uscert/ncas/alerts/AA18-337A"
 },
 {
 "source_name": "external_source",
- "url": "https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/"
+ "url": "https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_aliases": [
- "MSIL/Samas.A",
- "Samas",
- "Samsa"
- ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2015"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--a6ad7a2e-f619-4598-914b-16f68b372789.json b/mbc/malware/malware--a6ad7a2e-f619-4598-914b-16f68b372789.json
index ea316614..1cb10784 100644
--- a/mbc/malware/malware--a6ad7a2e-f619-4598-914b-16f68b372789.json
+++ b/mbc/malware/malware--a6ad7a2e-f619-4598-914b-16f68b372789.json
@@ -8,7 +8,7 @@
 "id": "malware--a6ad7a2e-f619-4598-914b-16f68b372789",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.374255Z",
- "modified": "2022-02-05T00:37:25.969727Z",
+ "modified": "2022-09-08T18:26:14.323288Z",
 "name": "YiSpecter",
 "description": "YiSpecter is Apple iOS malware that can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps\u2019 execution to display advertisements, change Safari\u2019s default search engine, bookmarks and opened pages, and upload device information to a C2 server. It uses tricks to hide its icons from iOS\u2019s SpringBoard, which prevents the user from finding and deleting it. The components also use the same name and logos of system apps to trick iOS power users.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/yispecter.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/yispecter.md",
 "external_id": "X0024"
 },
 {
@@ -29,10 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "iOS"
- ],
- "x_mitre_year": "2015"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--b0625dd2-cc91-4936-9e12-289960aa0b41.json b/mbc/malware/malware--b0625dd2-cc91-4936-9e12-289960aa0b41.json
index e212de47..5529e70f 100644
--- a/mbc/malware/malware--b0625dd2-cc91-4936-9e12-289960aa0b41.json
+++ b/mbc/malware/malware--b0625dd2-cc91-4936-9e12-289960aa0b41.json
@@ -8,7 +8,7 @@
 "id": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.354255Z",
- "modified": "2022-02-05T00:37:25.954104Z",
+ "modified": "2022-09-08T18:26:14.326793Z",
 "name": "Redhip",
 "description": "An information stealer.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/redhip.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/redhip.md",
 "external_id": "X0015"
 },
 {
@@ -29,10 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2011"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce.json b/mbc/malware/malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce.json
index 54426ed2..1cfeb6de 100644
--- a/mbc/malware/malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce.json
+++ b/mbc/malware/malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce.json
@@ -8,7 +8,7 @@
 "id": "malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.365256Z",
- "modified": "2022-02-05T00:37:25.969727Z",
+ "modified": "2022-09-08T18:26:14.324196Z",
 "name": "Terminator",
 "description": "A remote access tool (RAT).",
 "malware_types": [
@@ -18,21 +18,22 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/terminator.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/terminator.md",
 "external_id": "X0021"
 },
 {
 "source_name": "external_source",
- "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf"
+ "url": "https://www.mandiant.com/resources/hot-knives-through-butter-evading-file-based-sandboxes"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/FireEye-Terminator_RAT.pdf"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2013"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--cb022b7d-775c-4db8-ab25-3add7e215d54.json b/mbc/malware/malware--cb022b7d-775c-4db8-ab25-3add7e215d54.json
index aac2cde9..4e41a763 100644
--- a/mbc/malware/malware--cb022b7d-775c-4db8-ab25-3add7e215d54.json
+++ b/mbc/malware/malware--cb022b7d-775c-4db8-ab25-3add7e215d54.json
@@ -8,7 +8,7 @@
 "id": "malware--cb022b7d-775c-4db8-ab25-3add7e215d54",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.350255Z",
- "modified": "2022-02-05T00:37:25.954104Z",
+ "modified": "2022-09-08T18:26:14.320403Z",
 "name": "Mebromi",
 "description": "A BIOS bootkit.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/mebromi.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/mebromi.md",
 "external_id": "X0013"
 },
 {
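Review bot: The second new `external_source` for Terminator points at a paper.seebug.org copy of what appears to be the original FireEye Terminator RAT PDF, i.e. a third-party mirror rather than the vendor's own hosting, while the first reference was moved to the vendor's relocated Mandiant page. A mirror is a weaker provenance anchor for a CTI reference: its content can diverge from the original and the host is outside the vendor's control. If the vendor no longer hosts the PDF, say so in the reference itself, e.g. `"description": "Mirror of the 2013 FireEye Terminator RAT report; original no longer hosted by the vendor."`, so readers know what they are citing.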
@@ -29,10 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2011"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--cdd198e2-3f6f-42c4-adfd-d97dc66c5f19.json b/mbc/malware/malware--cdd198e2-3f6f-42c4-adfd-d97dc66c5f19.json
index b859560a..1a58bcd1 100644
--- a/mbc/malware/malware--cdd198e2-3f6f-42c4-adfd-d97dc66c5f19.json
+++ b/mbc/malware/malware--cdd198e2-3f6f-42c4-adfd-d97dc66c5f19.json
@@ -8,7 +8,7 @@
 "id": "malware--cdd198e2-3f6f-42c4-adfd-d97dc66c5f19",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.323252Z",
- "modified": "2022-02-05T00:37:25.92289Z",
+ "modified": "2022-09-08T18:26:14.31748Z",
 "name": "BlackEnergy",
 "description": "An HTTP-based botnet used mostly for DDoS attacks.",
 "malware_types": [
@@ -18,21 +18,26 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/blackenergy.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/blackenergy.md",
 "external_id": "X0002"
 },
 {
 "source_name": "external_source",
- "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf"
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2007"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--d36b0186-1e10-4dd8-a1df-076e9a692c57.json b/mbc/malware/malware--d36b0186-1e10-4dd8-a1df-076e9a692c57.json
index 439fc00e..258d6011 100644
--- a/mbc/malware/malware--d36b0186-1e10-4dd8-a1df-076e9a692c57.json
+++ b/mbc/malware/malware--d36b0186-1e10-4dd8-a1df-076e9a692c57.json
@@ -8,7 +8,7 @@
 "id": "malware--d36b0186-1e10-4dd8-a1df-076e9a692c57",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.360255Z",
- "modified": "2022-02-05T00:37:25.969727Z",
+ "modified": "2022-09-08T18:26:14.321051Z",
 "name": "Shamoon",
 "description": "Data wiping malware.",
 "malware_types": [
@@ -18,21 +18,30 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/shamoon.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/shamoon.md",
 "external_id": "X0018"
 },
 {
 "source_name": "external_source",
- "url": "http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509"
+ "url": "https://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=281521ea-2d18-4bf9-9e88-8b1dc41cfdb6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2012"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--dbe9ee23-f01d-4cdb-bf53-066c77352dac.json b/mbc/malware/malware--dbe9ee23-f01d-4cdb-bf53-066c77352dac.json
index 55cdc1d9..50aa46ea 100644
--- a/mbc/malware/malware--dbe9ee23-f01d-4cdb-bf53-066c77352dac.json
+++ b/mbc/malware/malware--dbe9ee23-f01d-4cdb-bf53-066c77352dac.json
@@ -8,7 +8,7 @@
 "id": "malware--dbe9ee23-f01d-4cdb-bf53-066c77352dac",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.358255Z",
- "modified": "2022-02-05T00:37:25.954104Z",
+ "modified": "2022-09-08T18:26:14.321653Z",
 "name": "SearchAwesome",
 "description": "Adware that intercepts encrypted web traffic to inject ads.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/searchawesome.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/searchawesome.md",
 "external_id": "X0017"
 },
 {
@@ -29,10 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Mac OSX"
- ],
- "x_mitre_year": "2018"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--dd874fc3-691c-4825-95cc-bbe52e5406f5.json b/mbc/malware/malware--dd874fc3-691c-4825-95cc-bbe52e5406f5.json
index 9e45ed77..64791d58 100644
--- a/mbc/malware/malware--dd874fc3-691c-4825-95cc-bbe52e5406f5.json
+++ b/mbc/malware/malware--dd874fc3-691c-4825-95cc-bbe52e5406f5.json
@@ -8,7 +8,7 @@
 "id": "malware--dd874fc3-691c-4825-95cc-bbe52e5406f5",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.337252Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.325263Z",
 "name": "GotBotKR",
 "description": "Modified version of a publicly available backdoor name GoBot2. Modifications are mainly evasion techniques specific to South Korea.",
 "malware_types": [
@@ -18,7 +18,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/gotbotkr.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/gotbotkr.md",
 "external_id": "X0027"
 },
 {
@@ -29,10 +29,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2019"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--e616d9d2-36b4-4510-84ad-66f19442fe3e.json b/mbc/malware/malware--e616d9d2-36b4-4510-84ad-66f19442fe3e.json
index 4d86216c..37c14a1c 100644
--- a/mbc/malware/malware--e616d9d2-36b4-4510-84ad-66f19442fe3e.json
+++ b/mbc/malware/malware--e616d9d2-36b4-4510-84ad-66f19442fe3e.json
@@ -8,7 +8,7 @@
 "id": "malware--e616d9d2-36b4-4510-84ad-66f19442fe3e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.339252Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.318699Z",
 "name": "GravityRAT",
 "description": "Evades detection by checking current CPU temperature.",
 "malware_types": [
@@ -18,21 +18,22 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/gravity-rat.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/gravity-rat.md",
 "external_id": "X0032"
 },
 {
 "source_name": "external_source",
 "url": "https://www.hackread.com/gravityrat-malware-evades-detection-targets-india/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2018"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b.json b/mbc/malware/malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b.json
index 7b38a58a..fc383937 100644
--- a/mbc/malware/malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b.json
+++ b/mbc/malware/malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b.json
@@ -8,7 +8,7 @@
 "id": "malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.322252Z",
- "modified": "2022-02-05T00:37:25.92289Z",
+ "modified": "2022-09-08T18:26:14.319789Z",
 "name": "Bagle",
 "description": "A mass-mailing computer worm affecting Microsoft Windows.",
 "malware_types": [
@@ -18,16 +18,12 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/bagle.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/bagle.md",
 "external_id": "X0001"
 },
 {
 "source_name": "external_source",
- "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)"
- },
- {
- "source_name": "external_source",
- "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_bagle.u"
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/WORM_BAGLE.U/"
 },
 {
 "source_name": "external_source",
@@ -37,10 +33,7 @@
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2004"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/malware/malware--fa095747-0ca8-4965-a222-cf1fe7647e12.json b/mbc/malware/malware--fa095747-0ca8-4965-a222-cf1fe7647e12.json
index 866bf4f9..9c06c9c7 100644
--- a/mbc/malware/malware--fa095747-0ca8-4965-a222-cf1fe7647e12.json
+++ b/mbc/malware/malware--fa095747-0ca8-4965-a222-cf1fe7647e12.json
@@ -8,7 +8,7 @@
 "id": "malware--fa095747-0ca8-4965-a222-cf1fe7647e12",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-08-21T20:50:04.344254Z",
- "modified": "2022-02-05T00:37:25.938478Z",
+ "modified": "2022-09-08T18:26:14.318107Z",
 "name": "Kovter",
 "description": "A trojan that performs click-fraud.",
 "malware_types": [
@@ -18,21 +18,22 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/kovter.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/kovter.md",
 "external_id": "X0009"
 },
 {
 "source_name": "external_source",
- "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan"
+ "url": "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://labs.vipre.com/analysis-of-kovter-a-very-clever-piece-of-malware/#:~:text=Kovter%20copies%20the%20fileless%20persistence,written%20on%20to%20the%20filesystem."
 }
 ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ],
- "x_mitre_platform": [
- "Windows"
- ],
- "x_mitre_year": "2016"
+ "x_mitre_year": ""
 }
 ]
 }
\ No newline at end of file
diff --git a/mbc/mbc.json b/mbc/mbc.json
index dacc3c4e..23946293 100644
--- a/mbc/mbc.json
+++ b/mbc/mbc.json
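Review bot: The new labs.vipre.com reference carries a `#:~:text=...` scroll-to-text fragment, which is browser highlight state copied from the address bar rather than part of the document's address; it bloats the reference, and the URL-encoded sentence silently stops matching as soon as the page is edited. Trim it to `"url": "https://labs.vipre.com/analysis-of-kovter-a-very-clever-piece-of-malware/"`. The same kind of cleanup applies to tracking query strings such as the `?_ga=` parameters visible on the Trend Micro URLs further down in the mbc.json hunk, which identify the committer's analytics session and add nothing to the citation; a small normalisation step in the generator (strip fragments and known tracking parameters) would keep this from recurring.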
@@ -1,16679 +1,9682 @@ { "type": "bundle", - "id": "bundle--881bfb7c-9446-467c-8f21-5fe319ae2a5d", + "id": "bundle--ab5c6c3f-4f93-4abf-a407-cb58f4179644", "objects": [ { - "type": "attack-pattern", + "type": "identity", "spec_version": "2.1", - "id": "attack-pattern--001ca78e-188e-4725-9f43-706d0f487837", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.607265Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Send Data", - "description": "Send data to a controller.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.001" - } - ], + "id": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-01-01T00:00:00.000Z", + "modified": "2020-01-01T00:00:00.000Z", + "name": "The MITRE Corporation", + "identity_class": "organization", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--006afc45-b6df-4e75-8102-b38ccb09db58", + "id": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.90226Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Router Firmware", - "description": "Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. This is accomplished by using default or acquired credentials to gain access to a router and to install a backdoor. The implant resides within a modified Cisco IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. 
However, any further modules loaded by the attacker will only exist in the router's volatile memory and will not be available for use after reboot. Known affected hardware includes Cisco routers 1841, 2811, and 3825.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/component-firmware.md", - "external_id": "F0009.001" - } + "created": "2020-08-21T20:50:04.354255Z", + "modified": "2022-09-08T18:26:14.326793Z", + "name": "Redhip", + "description": "An information stealer.", + "malware_types": [ + "unknown" ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--010c8801-3ad4-479b-8c56-c29e108121c9", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.842259Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "InternetOpen::WinINet", - "description": "Initializes an application's use of the WinINet functions.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", - "external_id": "C0005.002" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/redhip.md", + "external_id": "X0015" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" } ], - "object_marking_refs": [ 
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--013fce9b-0645-41a4-b6ec-03a70b319715", + "id": "malware--cb022b7d-775c-4db8-ab25-3add7e215d54", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.864259Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Create Office Document::Create File", - "description": "An Office document is created.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } + "created": "2020-08-21T20:50:04.350255Z", + "modified": "2022-09-08T18:26:14.320403Z", + "name": "Mebromi", + "description": "A BIOS bootkit.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/create-file.md", - "external_id": "C0016.001" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/mebromi.md", + "external_id": "X0013" + }, + { + "source_name": "external_source", + "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f", + "id": "malware--0c0d59b7-4ff0-4a09-9c64-558334485ece", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.828261Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Request::SMTP Communication", - "description": 
"Makes SMTP request.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } + "created": "2020-08-21T20:50:04.331252Z", + "modified": "2022-09-08T18:26:14.315006Z", + "name": "DNSChanger", + "description": "Used to change DNS settings to generate fraudulent advertising revenue.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/smtp-comm.md", - "external_id": "C0012.002" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/dnschanger.md", + "external_id": "X0005" + }, + { + "source_name": "external_source", + "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a", + "id": "malware--4188f951-4400-406c-8281-509395fc8e11", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.486264Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Timing/Uptime Check", - "description": "Comparing single GetTickCount with some value to see if system has been started at least *X* amount ago. 
This behavior can be mitigated in non-automated analysis environments.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.326252Z", + "modified": "2022-09-08T18:26:14.322759Z", + "name": "CryptoLocker", + "description": "CryptoLocker is a family of ransomware.", + "malware_types": [ + "unknown" ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", - "external_id": "B0007.009" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/cryptolocker.md", + "external_id": "X0030" + }, + { + "source_name": "external_source", + "url": "https://www.secureworks.com/research/cryptolocker-ransomware" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444", + "id": "malware--31e78af0-0509-4f7b-b304-77a8e5bf7ead", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.67367Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "RtlAdjustPrivilege", - "description": "Malware may call RtlAdjustPrivilege to detect if a debugger is attached (or to prevent a debugger from attaching).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.022" - } + "created": "2020-08-21T20:50:04.370254Z", + "modified": 
"2022-09-08T18:26:14.316788Z", + "name": "Ursnif", + "description": "A banking trojan that uses malware macros to evade sandbox detection. Variant of Gozi.", + "malware_types": [ + "unknown" ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Shadow System Service Dispatch Table Hooking", - "description": "The Shadow System Service Dispatch Table (SSDT) can be hooked similarly to how the SSDT and IAT are hooked. The target of the hooking with the Shadow SSDT is the Windows subsystem (win32k.sys).", - "kill_chain_phases": [ + "is_family": true, + "external_references": [ { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/ursnif.md", + "external_id": "X0022" }, { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" + "source_name": "external_source", + "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques" }, { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ + "source_name": "external_source", + "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" + }, { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", - "external_id": "F0015.004" + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" }, { "source_name": 
"external_source", - "url": "https://www.mdpi.com/1999-5903/4/4/971/html" + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746", + "id": "malware--508cadaa-4fd5-4105-803e-8944e388ee45", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.458263Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "API Hook Detection", - "description": "Module bounds based .", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], + "created": "2020-08-21T20:50:04.349255Z", + "modified": "2022-09-08T18:26:14.330263Z", + "name": "MazarBot", + "description": "Targets Android phones via a poisoned text message.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.001" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/mazarbot.md", + "external_id": "X0012" }, { "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + "url": 
"https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html" + }, + { + "source_name": "external_source", + "url": "https://www.player.one/new-android-sms-malware-can-completely-own-your-phone-just-one-text-how-avoid-mazar-512363" + }, + { + "source_name": "external_source", + "url": "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb", + "id": "malware--5fe2035d-58a0-4cd6-9561-cf4442871a10", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.484262Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Product Key/ID Testing", - "description": "Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. 
This can be achieved through several means, including testing for the Key/ID in the Windows registry.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.332252Z", + "modified": "2022-09-08T18:26:14.326183Z", + "name": "Emotet", + "description": "Emotet is a banking trojan.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", - "external_id": "B0007.005" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/emotet.md", + "external_id": "X0028" + }, + { + "source_name": "external_source", + "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/" + }, + { + "source_name": "external_source", + "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1" + }, + { + "source_name": "external_source", + "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f", + "id": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.936476Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Application Window Discovery", - "description": "Malware may attempt to get a listing of 
open application windows.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } + "created": "2020-08-21T20:50:04.367256Z", + "modified": "2022-09-08T18:26:14.316006Z", + "name": "TrickBot", + "description": "Trojan spyware program that has mainly been used for targeting banking sites. TrickBot is written in the C++ programming language.", + "malware_types": [ + "unknown" ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/app-window-discover.md", - "external_id": "E1010" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/trickbot.md", + "external_id": "X0025" + }, + { + "source_name": "external_source", + "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1010/", - "external_id": "T1010" + "source_name": "external_source", + "url": "https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html" + }, + { + "source_name": "external_source", + "url": "https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/" + }, + { + "source_name": "external_source", + "url": "https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.joesecurity.org/blog/498839998833561473" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_year": "" }, { - "type": 
"attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af", + "id": "malware--2640ed9a-24d9-4975-90c2-c8ab94d544e3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.556264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Fake Code Insertion", - "description": "Add fake code similar to known packers or known goods to fool identification. Can confuse some automated unpackers.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } + "created": "2020-08-21T20:50:04.361255Z", + "modified": "2022-09-08T18:26:14.327796Z", + "name": "Stuxnet", + "description": "A malicious worm targeting SCADA systems.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.004" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/stuxnet.md", + "external_id": "X0019" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--04e25839-3207-4600-8972-618aa7cf44af", + "id": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.606261Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Request Email Address List", - "description": "Request email address list.", - "kill_chain_phases": [ - { 
- "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } + "created": "2020-08-21T20:50:04.352256Z", + "modified": "2022-09-08T18:26:14.32216Z", + "name": "Poison-Ivy", + "description": "Remote Access Trojan (RAT).", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.010" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/poison-ivy.md", + "external_id": "X0014" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/poisonivy" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--063274b5-04c4-4987-98d6-850c2598b601", + "id": "malware--2def59e9-a1ba-4c23-9f7d-437935d1e965", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.805261Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Resolve Free Hosting Domain::DNS Communication", - "description": "Resolves a free hosting domain (e.g., freeiz.com).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } + 
"created": "2020-08-21T20:50:04.336251Z", + "modified": "2022-09-08T18:26:14.319188Z", + "name": "Geneio", + "description": "Geneio is a byproduct of the DYLD_PRINT_TIFILE vulnerability. Geneio can gain access to the MAC Keychain and persist until removed by the user.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", - "external_id": "C0011.005" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/geneio.md", + "external_id": "X0007" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/" + }, + { + "source_name": "external_source", + "url": "https://macpaw.com/how-to/remove-genieo-malware-mac" + }, + { + "source_name": "external_source", + "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6", + "id": "malware--6875c768-4212-474d-85dc-1e89c62e9a65", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.510265Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Code Integrity Check", - "description": "Check that the unpacking code is unmodified. 
Variation exists where unpacking code is part of the \"key\" used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.363292Z", + "modified": "2022-09-08T18:26:14.328802Z", + "name": "SYNful Knock", + "description": "A modification of the router's firmware images used to maintain persistence.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.005" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/synful-knock.md", + "external_id": "X0020" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/synful-knock-acis" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--06c3d5c7-d4bf-4b28-8385-e169ba81e744", + "id": "malware--30666a55-e3de-40ff-a680-8bca9c163cb0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.80226Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Exploit Private APIs", - "description": "Malware can exploit private APIs to infect jailbroken and non-jailbroken iOS devices. 
Research shows that over 100 apps in the App Store have abused private APIs and bypassed Appleā€™s strict code review.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "lateral-movement" - } + "created": "2020-08-21T20:50:04.355256Z", + "modified": "2022-09-08T18:26:14.315491Z", + "name": "Rombertik", + "description": "This family of malware steals data the user enters into a browser and uses a variety of behaviors to hinder analysis.", + "malware_types": [ + "unknown" ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/lateral-movement/supply-chain-compromise.md", - "external_id": "E1195.m02" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/rombertik.md", + "external_id": "X0031" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400", + "id": "malware--dd874fc3-691c-4825-95cc-bbe52e5406f5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.468265Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Process Environment Block BeingDebugged", - "description": "The BeingDebugged field is tested to determine whether the process is being debugged.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.337252Z", + "modified": "2022-09-08T18:26:14.325263Z", + "name": "GotBotKR", + "description": "Modified version of a publicly available backdoor name 
GoBot2. Modifications are mainly evasion techniques specific to South Korea.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.035" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/gotbotkr.md", + "external_id": "X0027" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0741d3d3-4027-430d-a574-5bc06d62a9c0", + "id": "malware--d36b0186-1e10-4dd8-a1df-076e9a692c57", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:36.03097Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Hashed Message Authentication Code", - "description": "Malware uses an HMAC schema.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } + "created": "2020-08-21T20:50:04.360255Z", + "modified": "2022-09-08T18:26:14.321051Z", + "name": "Shamoon", + "description": "Data wiping malware.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/hmac.md", - "external_id": "C0061" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/shamoon.md", + "external_id": "X0018" + }, + 
{ + "source_name": "external_source", + "url": "https://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/" + }, + { + "source_name": "external_source", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=281521ea-2d18-4bf9-9e88-8b1dc41cfdb6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb", + "id": "malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.824262Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Write Pipe::Interprocess Communication", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } + "created": "2020-08-21T20:50:04.347255Z", + "modified": "2022-09-08T18:26:14.330783Z", + "name": "Locky Bart", + "description": "Locky Bart is ransomware.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md", - "external_id": "C0003.004" + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/locky-bart.md", + "external_id": "X0011" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0985829f-204f-4760-8ece-ff0f3031a715", + "id": "malware--549d1c35-f214-4760-ab97-2142c66cf111", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.484262Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Injected DLL Testing", - "description": "Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.328253Z", + "modified": "2022-09-08T18:26:14.32376Z", + "name": "CryptoWall", + "description": "CryptoWall is a family of ransomware.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", - "external_id": "B0007.004" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/cryptowall.md", + "external_id": "X0029" + }, + { + "source_name": "external_source", + "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/" } ], - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--09aa0bf7-bdec-4642-ad23-c8f1c9b01297", + "id": "malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.775261Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Destroy Hardware", - "description": "Destroys a physical piece of hardware. For example, malware may cause hardware to overheat.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } + "created": "2020-08-21T20:50:04.345255Z", + "modified": "2022-09-08T18:26:14.329763Z", + "name": "Kraken", + "description": "A family of bots.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/destroy-hardware.md", - "external_id": "B0017" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/kraken.md", + "external_id": "X0010" }, { "source_name": "external_source", - "url": "https://www.bbc.com/timelines/zc6fbk7" + "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--09c1ddac-3b9f-487d-acba-78be3b686519", + "id": "malware--a6ad7a2e-f619-4598-914b-16f68b372789", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.530265Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Unusual/Undocumented API 
Calls", - "description": "Call unusual APIs to block non-exhaustive emulators (particularly anti-virus).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.374255Z", + "modified": "2022-09-08T18:26:14.323288Z", + "name": "YiSpecter", + "description": "YiSpecter is Apple iOS malware that can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other appsā€™ execution to display advertisements, change Safariā€™s default search engine, bookmarks and opened pages, and upload device information to a C2 server. It uses tricks to hide its icons from iOSā€™s SpringBoard, which prevents the user from finding and deleting it. The components also use the same name and logos of system apps to trick iOS power users.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md", - "external_id": "B0005.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/yispecter.md", + "external_id": "X0024" + }, + { + "source_name": "external_source", + "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0aeb39aa-febf-463e-97e0-546f558daed6", + "id": "malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.472261Z", - "modified": 
"2022-02-05T00:37:22.491757Z", - "name": "SetHandleInformation", - "description": "(Protected Handle)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.365256Z", + "modified": "2022-09-08T18:26:14.324196Z", + "name": "Terminator", + "description": "A remote access tool (RAT).", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.024" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/terminator.md", + "external_id": "X0021" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/hot-knives-through-butter-evading-file-based-sandboxes" + }, + { + "source_name": "external_source", + "url": "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/FireEye-Terminator_RAT.pdf" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0b1371c5-4bec-466a-b643-43b719537894", + "id": "malware--cdd198e2-3f6f-42c4-adfd-d97dc66c5f19", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.502264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Modern Specs Check - USB drive", - "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. 
Checks whether there is a potential USB drive; if not a virtual environment is suspected.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.323252Z", + "modified": "2022-09-08T18:26:14.31748Z", + "name": "BlackEnergy", + "description": "An HTTP-based botnet used mostly for DDoS attacks.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.016" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/blackenergy.md", + "external_id": "X0002" + }, + { + "source_name": "external_source", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "external_source", + "url": "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" + }, + { + "source_name": "external_source", + "url": "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0b6c8517-62d1-49c1-9a2d-9300806d1370", + "id": "malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.973483Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Create Request::HTTP Communication", - "description": "HTTP client creates request.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } + 
"created": "2020-08-21T20:50:04.322252Z", + "modified": "2022-09-08T18:26:14.319789Z", + "name": "Bagle", + "description": "A mass-mailing computer worm affecting Microsoft Windows.", + "malware_types": [ + "unknown" ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.012" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/bagle.md", + "external_id": "X0001" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/WORM_BAGLE.U/" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0be642a6-a030-4ecf-9c30-83f9cbc9fd56", + "id": "malware--6a1bde20-a344-4738-9df5-b568fa4b5f33", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.504264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Unique Hardware/Firmware Check - MAC Address", - "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. VMware uses specific virtual MAC address that can be detected. The usual MAC address used started with the following numbers: \"00:0C:29\", \"00:1C:14\", \"00:50:56\", \"00:05:69\". Virtualbox uses specific virtual MAC address that can be detected by Malware. 
The usual MAC address used started with the following numbers: 08:00:27.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.342252Z", + "modified": "2022-09-08T18:26:14.329281Z", + "name": "Hupigon", + "description": "A family of backdoors.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.028" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/hupigon.md", + "external_id": "X0008" }, { "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON" + }, + { + "source_name": "external_source", + "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0e2fb8df-bef3-4664-88f9-f6614b80f107", + "id": "malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.502264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Modern Specs Check - Total physical memory", - "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Most modern machines have at leave 4 GB of memory. 
(GlobalMemoryStatusEx) .", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } + "created": "2020-08-21T20:50:04.330254Z", + "modified": "2022-09-08T18:26:14.314517Z", + "name": "Dark Comet", + "description": "A Remote Access Trojan (RAT) that allows a user to control the system via a GUI. It has many features which allows a user to use it as administrative remote help tool; however, DarkComet has many features which can be used maliciously. DarkComet is commonly used to spy on the victims by taking screen captures, key-logging, or password stealing.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.014" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/dark-comet.md", + "external_id": "X0004" }, { "source_name": "external_source", - "url": "https://github.com/LordNoteworthy/al-khaser" + "url": "https://en.wikipedia.org/wiki/DarkComet" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0e87261d-5234-4ccb-87c1-2f9bb32b5c11", + "id": "malware--a456fdcd-68f2-46fb-adb0-97c6817338c9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.512264Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Import Obfuscation", - "description": "Add obfuscation between imports calls and APIs.", - "kill_chain_phases": [ - { - 
"kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.010" - } + "created": "2020-08-21T20:50:04.357255Z", + "modified": "2022-09-08T18:26:14.313824Z", + "name": "SamSam", + "description": "Ransomware.", + "malware_types": [ + "unknown" ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--0eb664b8-73e1-4799-9e22-277ab898579d", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.728262Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Sysinternals", - "description": "Sysinternals tools are used for additional command line functionality.", - "kill_chain_phases": [ + "is_family": true, + "external_references": [ { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/samsam.md", + "external_id": "X0016" }, { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ + "source_name": "external_source", + "url": "https://www.cisa.gov/uscert/ncas/alerts/AA18-337A" + }, { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md", - "external_id": "E1203.m05" + "source_name": "external_source", + "url": "https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html" + }, + { + "source_name": "external_source", + "url": "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf" } ], - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0f77be56-a5ef-4c06-8557-46782bb2cd67", + "id": "malware--e616d9d2-36b4-4510-84ad-66f19442fe3e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.992483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Blowfish::Encrypt Data", - "description": "Malware encrypts with the Blowfish algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } + "created": "2020-08-21T20:50:04.339252Z", + "modified": "2022-09-08T18:26:14.318699Z", + "name": "GravityRAT", + "description": "Evades detection by checking current CPU temperature.", + "malware_types": [ + "unknown" ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.002" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/gravity-rat.md", + "external_id": "X0032" + }, + { + "source_name": "external_source", + "url": "https://www.hackread.com/gravityrat-malware-evades-detection-targets-india/" + }, + { + "source_name": "external_source", + "url": "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f", + "id": "malware--92f9ba45-2fb3-4d97-9865-eda477e7b779", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.556264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Entry Point Obfuscation", - "description": "Obfuscate the entry point of the malware executable.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } + "created": "2020-08-21T20:50:04.340252Z", + "modified": "2022-09-08T18:26:14.327217Z", + "name": "Heriplor", + "description": "This Trojan is associated with the Energetic Bear group [[1]](#1).", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.009" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/heriplor.md", + "external_id": "X0026" + }, + { + "source_name": "external_source", + "url": "https://insights.sei.cmu.edu/blog/api-hashing-tool-imagine-that/" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_heriplor.a" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--1004c879-79b0-44db-996c-910a7f9e3857", + "id": "malware--dbe9ee23-f01d-4cdb-bf53-066c77352dac", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.974485Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Set Header::HTTP Communication", - "description": "HTTP header is set.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } + "created": 
"2020-08-21T20:50:04.358255Z", + "modified": "2022-09-08T18:26:14.321653Z", + "name": "SearchAwesome", + "description": "Adware that intercepts encrypted web traffic to inject ads.", + "malware_types": [ + "unknown" ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.013" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/searchawesome.md", + "external_id": "X0017" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/" } ], + "x_mitre_year": "" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:50:04.325252Z", + "modified": "2022-09-08T18:26:14.324734Z", + "name": "Conficker", + "description": "A worm targeting Microsoft Windows operations systems.", + "malware_types": [ + "unknown" + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "is_family": true, + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/conficker.md", + "external_id": "X0003" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "external_source", + "url": "http://www.csl.sri.com/users/vinod/papers/Conficker/" + } + ], + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--1011a561-6f17-4f8d-874a-8ad491a2b470", + "id": 
"malware--86cfa430-ca3b-4322-bdfe-989aca5305f0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.729261Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Windows Utilities", - "description": "One or more Windows utilities are used.", - "kill_chain_phases": [ + "created": "2020-08-21T20:50:04.334253Z", + "modified": "2022-09-08T18:26:14.328334Z", + "name": "Gamut", + "description": "A spamming botnet.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, + "external_references": [ { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/gamut.md", + "external_id": "X0006" }, { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" } ], + "x_mitre_year": "" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--5dcefe05-4ead-4f84-9919-ebefe968df27", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:50:04.369255Z", + "modified": "2022-09-08T18:26:14.325734Z", + "name": "UP007 Malware Family", + "description": "Description.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md", - "external_id": "E1203.m06" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/up007.md", + "external_id": "X0033" + }, + { + "source_name": "external_source", + "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/" } ], + 
"x_mitre_year": "" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:50:04.372256Z", + "modified": "2022-09-08T18:26:14.331246Z", + "name": "WebCobra", + "description": "Cryptojacking malware.", + "malware_types": [ + "unknown" + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "is_family": true, + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/webcobra.md", + "external_id": "X0023" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "external_source", + "url": "https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/#16f5542cc336" + } + ], + "x_mitre_year": "" }, { - "type": "attack-pattern", + "type": "malware", "spec_version": "2.1", - "id": "attack-pattern--1057fe1c-c844-4de3-b72d-05313572a36c", + "id": "malware--fa095747-0ca8-4965-a222-cf1fe7647e12", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.992483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Block Cipher::Encrypt Data", - "description": "Malware encrypts with a block cipher.", - "kill_chain_phases": [ + "created": "2020-08-21T20:50:04.344254Z", + "modified": "2022-09-08T18:26:14.318107Z", + "name": "Kovter", + "description": "A trojan that performs click-fraud.", + "malware_types": [ + "unknown" + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "is_family": true, + "external_references": [ { - "kill_chain_name": "mitre-mbc", - 
"phase_name": "cryptography-micro-objective" + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/xample-malware/kovter.md", + "external_id": "X0009" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/" + }, + { + "source_name": "external_source", + "url": "https://labs.vipre.com/analysis-of-kovter-a-very-clever-piece-of-malware/#:~:text=Kovter%20copies%20the%20fileless%20persistence,written%20on%20to%20the%20filesystem." } ], + "x_mitre_year": "" + }, + { + "created": "2020-08-21T20:49:59.292268Z", + "spec_version": "2.1", + "description": "Micro-behaviors related to malware manipulating machine memory.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.014" + "external_id": "OC0002", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/README.md" } ], + "id": "x-mitre-tactic--e4edf677-0ea0-474a-a14d-da3ea660d69f", + "modified": "2022-02-05T00:37:22.397978Z", + "name": "Memory Micro-objective", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "memory-micro-objective" }, { - "type": "attack-pattern", + "created": "2021-02-11T06:49:31.787443Z", "spec_version": "2.1", - "id": "attack-pattern--10bee884-590b-45f4-8577-5cbe6d6efa1a", + "description": "Micro-behaviors related to operating systems.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.916486Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Bypass Windows File Protection", - "description": "Malware bypasses Windows file protection.", - "kill_chain_phases": [ - { - 
"kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", - "external_id": "F0004.007" + "external_id": "OC0008", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/README.md" } ], + "id": "x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59", + "modified": "2022-02-05T00:37:22.397978Z", + "name": "Operating System Micro-objective", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "operating-system-micro-objective" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.071Z", "spec_version": "2.1", - "id": "attack-pattern--112d8251-af9c-404d-b3f6-44bd15c42a5d", + "description": "Behaviors that enable malware to evade detection.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.816261Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Server::HTTP Communication", - "description": "General HTTP server behavior.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.001" + "external_id": "OB0006", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/README.md" } ], + "id": "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2", + "modified": "2022-09-08T18:26:13.1667Z", + "name": "Defense Evasion", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": 
"defense-evasion" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.068Z", "spec_version": "2.1", - "id": "attack-pattern--1212c336-4105-477e-9e3a-0789790a3941", + "description": "Behaviors that enable malware to steal data from a system. This includes stored data, such as files, as well as data input into applications, such as web browsers.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.559264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Interleaving Code", - "description": "Split code into sections that may be rearranged and are connected by unconditional jumps.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.014" + "external_id": "OB0010", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/README.md" } ], + "id": "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a", + "modified": "2022-09-08T18:26:13.162044Z", + "name": "Exfiltration", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "exfiltration" }, { - "type": "attack-pattern", + "created": "2020-08-21T20:49:59.283263Z", "spec_version": "2.1", - "id": "attack-pattern--12c16b13-65d4-49ea-9dcb-3a88553ac5d3", + "description": "Micro-behaviors related to file manipulation.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.989483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "HC-128::Decrypt Data", - "description": "Malware decrypts data encrypted with the HC-128 algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": 
"cryptography-micro-objective" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.006" + "external_id": "OC0001", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/README.md" } ], + "id": "x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0", + "modified": "2022-02-05T00:37:22.397978Z", + "name": "File System Micro-objective", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "file-system-micro-objective" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.076Z", "spec_version": "2.1", - "id": "attack-pattern--13631209-26c3-481c-bd8c-fa6c57c3dbe5", + "description": "Behaviors that enable malware to manipulate, interrupt, or destroy systems and data.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.583262Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "VMProtect", - "description": "Uses VMProtect.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.010" + "external_id": "OB0008", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/README.md" } ], + "id": "x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6", + "modified": "2022-09-08T18:26:13.161554Z", + "name": "Impact", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - 
"x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "impact" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.056Z", "spec_version": "2.1", - "id": "attack-pattern--13d8f97e-b0dc-4ced-918d-31297b1f9aff", + "description": "Behaviors that enable malware to propagate or otherwise move through an environment. Lateral movement may be active, happening via direct machine access, or may be passive (for example, done via malicious email).", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.459263Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "CloseHandle", - "description": "(NtClose); If an invalid handle is passed to the CloseHandle function and a debugger is present, then an EXCEPTION_INVALID_HANDLE (0xC0000008) exception will be raised.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.003" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + "external_id": "OB0011", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/lateral-movement/README.md" } ], + "id": "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828", + "modified": "2022-09-08T18:26:13.159756Z", + "name": "Lateral Movement", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "lateral-movement" }, { - "type": "attack-pattern", + "created": "2020-08-21T20:49:59.275263Z", "spec_version": "2.1", - "id": "attack-pattern--146be7e5-feeb-4dd2-8283-796b29394ac1", + "description": "Micro-behaviors 
that enable malware to use crypto.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.918444Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Location", - "description": "Malware may change or choose the location of itself, another file, or a directory to prevent detection.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md", - "external_id": "F0005.002" + "external_id": "OC0005", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/README.md" } ], + "id": "x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d", + "modified": "2022-02-05T00:37:22.382348Z", + "name": "Cryptography Micro-objective", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "cryptography-micro-objective" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.065Z", "spec_version": "2.1", - "id": "attack-pattern--14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a", + "description": "Behaviors that enable malware to execute code on a system to achieve a variety of goals.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.736174Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Guard Pages", - "description": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006.006" + "external_id": "OB0009", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/README.md" } ], + "id": "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b", + "modified": "2022-09-08T18:26:13.160607Z", + "name": "Execution", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "execution" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.061Z", "spec_version": "2.1", - "id": "attack-pattern--1504bfdb-bc65-4fc2-9afd-8d2e82737dd6", + "description": "Behaviors that prevent, obstruct, or evade behavioral analysis of malware--for example, analysis done using a sandbox or debugger. Because the underlying methods differ, separate \"detection\" and \"evasion\" behaviors are defined for some anti-behavioral analysis areas.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.008483Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "FNV::Non-Cryptographic Hash", - "description": "Malware uses the FNV hash function.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md", - "external_id": "C0030.005" + "external_id": "OB0001", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/README.md" + }, + { + "source_name": "external_source", + "description": "Unprotect Project, a database about malware self-defense and protection.", + "url": "https://search.unprotect.it/map" + }, + { + "source_name": "external_source", + "description": "InDepthUnpacking, course content for teaching malware 
anti-analysis techniques and mitigations, with emphasis on packers.", + "url": "https://github.com/knowmalware/InDepthUnpacking" } ], + "id": "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e", + "modified": "2022-09-08T18:26:13.162561Z", + "name": "Anti-Behavioral Analysis", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "anti-behavioral-analysis" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.072Z", "spec_version": "2.1", - "id": "attack-pattern--1506d910-1208-4064-a633-8291f6d36e74", + "description": "Behaviors that enable malware to obtain higher level permissions. These behaviors often overlap with Persistence behaviors.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.554264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "API Hashing", - "description": "Instead of storing function names in the Import Address Table (IAT) and calling GetProcAddress, a DLL is loaded and the name of each of its exports is hashed until it matches a specific hash. Manual symbol resolution is then used to access and execute the exported function. This method is often used by shellcode because it reduces the size of each import from a human-readable string to a sequence of four bytes. 
The Method is also known as \"Imports by Hash\" and \"GET_APIS_WITH_CRC.\"", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.001" - }, - { - "source_name": "external_source", - "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" + "external_id": "OB0013", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/privilege-escalation/README.md" } ], + "id": "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3", + "modified": "2022-09-08T18:26:13.158803Z", + "name": "Privilege Escalation", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "privilege-escalation" }, { - "type": "attack-pattern", + "created": "2020-08-21T20:49:59.279262Z", "spec_version": "2.1", - "id": "attack-pattern--1540ed37-87c4-485f-b729-1e418a63762c", + "description": "Micro-behaviors related to malware manipulating data.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Injection via Windows Fibers", - "description": "Malware executes shellcode via Windows fibers by converting a thread to a fiber.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md", - "external_id": "E1055.m05" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1055", - "external_id": 
"T1055" + "external_id": "OC0004", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/README.md" } ], + "id": "x-mitre-tactic--408ef4fa-de24-489a-ac9e-1f51af84bf5d", + "modified": "2022-02-05T00:37:22.382348Z", + "name": "Data Micro-objective", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "data-micro-objective" }, { - "type": "attack-pattern", + "created": "2020-08-21T20:49:59.296264Z", "spec_version": "2.1", - "id": "attack-pattern--155facb0-bb4a-4df0-b276-70c16f4c12f9", + "description": "Micro-behaviors related to processes.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.503263Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Unique Hardware/Firmware Check - I/O Communication Port", - "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. 
The port can be queried and compared with a magic number VMXh to identify the use of VMware.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.025" + "external_id": "OC0003", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/README.md" } ], + "id": "x-mitre-tactic--dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e", + "modified": "2022-02-05T00:37:22.397978Z", + "name": "Process Micro-objective", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "process-micro-objective" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.058Z", "spec_version": "2.1", - "id": "attack-pattern--168ed95b-0c10-42c4-9f0a-c1c462b39f6c", + "description": "Behaviors that enable malware to identify and gather information, such as sensitive files, from a machine or network. Sources often targeted include drives, browsers, audio/video, and email. 
Often the malware's next objective is to exfiltrate the information gathered.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.561265Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Stack Strings", - "description": "Build and decrypt strings on the stack at each use, then discard to avoid obvious references.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.017" + "external_id": "OB0003", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/README.md" } ], + "id": "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343", + "modified": "2022-09-08T18:26:13.159242Z", + "name": "Collection", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "collection" }, { - "type": "attack-pattern", + "created": "2020-08-21T20:49:59.287265Z", "spec_version": "2.1", - "id": "attack-pattern--17cf477e-a8e5-4c52-b207-7023cfd16c1d", + "description": "Micro-behaviors related to hardware.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Host Fingerprint Check", - "description": "Compare a previously computed host fingerprint(e.g., based on installed applications) to the current system's to determine if the malware instance is still executing on the same system. 
If not, execution stops, making debugging or sandbox analysis more difficult.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", - "external_id": "B0025.004" + "external_id": "OC0007", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/README.md" } ], + "id": "x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3", + "modified": "2022-02-05T00:37:22.397978Z", + "name": "Hardware Micro-objective", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "hardware-micro-objective" }, { - "type": "attack-pattern", + "created": "2022-09-08T18:26:13.156705Z", "spec_version": "2.1", - "id": "attack-pattern--17e05846-68f4-4f0c-bc23-88e01515bfcf", + "description": "Behaviors to obtain credential access, allowing it or its underlying threat actor to assume control of an account with the associated system and network permissions.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.720618Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Hook Interrupt", - "description": "Modification of interrupt vector or descriptor tables.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.009" + "external_id": "OB0006", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/credential-access/README.md" } ], + "id": "x-mitre-tactic--da7738af-46f6-4bc6-bfa2-91a466439391", + "modified": "2022-09-08T18:26:13.156705Z", + "name": "Credential Access", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "credential-access" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.064Z", "spec_version": "2.1", - "id": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", + "description": "Behaviors that enable malware to communicate with systems such as C2 servers or bots. Malware can establish command and control with various levels of covertness, depending on system configuration and network topology.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.991483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Decrypt Data", - "description": "Malware may decrypt data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031" + "external_id": "OB0004", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/README.md" + }, + { + "source_name": "external_source", + "url": "https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/" } ], + "id": "x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589", + "modified": "2022-09-08T18:26:13.16016Z", + "name": "Command and Control", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": false + "type": "x-mitre-tactic", + "x_mitre_shortname": "command-and-control" }, { - "type": "attack-pattern", + "created": 
"2020-08-21T20:49:59.270263Z", "spec_version": "2.1", - "id": "attack-pattern--18377be7-e46d-48a0-ac85-b6af8f777b78", + "description": "Micro-behaviors that enable malware to communicate.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.031479Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Query Registry Value::Registry", - "description": "Malware queries a registry value.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", - "external_id": "C0036.006" + "external_id": "OC0006", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/README.md" } ], + "id": "x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88", + "modified": "2022-02-05T00:37:22.382348Z", + "name": "Communication Micro-objective", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "communication-micro-objective" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.062Z", "spec_version": "2.1", - "id": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70", + "description": "Behaviors that enable malware to gain knowledge about the system and network.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.479261Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Emulator Detection", - "description": "Detects whether the malware instance is being executed inside an emulator. 
If so, conditional execution selects a benign execution path.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md", - "external_id": "B0004" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" + "external_id": "OB0007", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/README.md" } ], + "id": "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa", + "modified": "2022-09-08T18:26:13.158338Z", + "name": "Discovery", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": false + "type": "x-mitre-tactic", + "x_mitre_shortname": "discovery" }, { - "type": "attack-pattern", + "created": "2020-02-05T20:28:15.060Z", "spec_version": "2.1", - "id": "attack-pattern--195e17be-fac3-4ffe-a961-631e2af205bb", + "description": "Behaviors and code characteristics that prevent or hinder static analysis of the malware. Simple static analysis identifies features such as embedded strings, header information, or file metadata. 
More involved static analysis involves the disassembly of the binary code.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.720618Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Guard Pages", - "description": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.008" + "external_id": "OB0002", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/README.md" + }, + { + "source_name": "external_source", + "description": "Unprotect Project, a database about malware self-defense and protection.", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + }, + { + "source_name": "external_source", + "description": "InDepthUnpacking, course content for teaching malware anti-analysis techniques and mitigations, with emphasis on packers.", + "url": "https://github.com/knowmalware/InDepthUnpacking" } ], + "id": "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153", + "modified": "2022-09-08T18:26:13.157655Z", + "name": "Anti-Static Analysis", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "type": "x-mitre-tactic", + "x_mitre_shortname": "anti-static-analysis" }, { - "type": "attack-pattern", + "created": "2022-09-08T18:26:13.16108Z", "spec_version": "2.1", - "id": "attack-pattern--1a424274-077f-4c21-bc63-ef2d8e574ed0", + "description": "Behaviors that enable malware to remain on a system regardless of system events, such as reboots.", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.019478Z", - "modified": 
"2022-02-05T00:37:22.804261Z", - "name": "Writes File", - "description": "Malware writes to a file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/write-file.md", - "external_id": "C0052" + "external_id": "OB00012", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/README.md" } ], + "id": "x-mitre-tactic--6771a9e9-03e2-45df-bc92-2ce9249123bc", + "modified": "2022-09-08T18:26:13.16108Z", + "name": "Persistence", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": false + "type": "x-mitre-tactic", + "x_mitre_shortname": "persistence" }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1a89f398-f3ef-484a-8735-024823241a11", + "id": "relationship--51a03352-ebd5-4877-a2ef-f4fcfa378ae8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.871658Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Code Discovery", - "description": "Malware may inspect code or enumerate aspects.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/code-discover.md", - "external_id": "B0046" - } - ], + "created": "2021-02-10T06:49:35.489479Z", + "modified": "2021-02-10T06:49:35.489479Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6e892e5f-0d39-4e58-9a69-1ff8cc479291", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, 
{ - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1adddaa3-6164-4adf-b910-6b8a78fb3111", + "id": "relationship--9a76355f-caca-46a7-a0c6-ba286b5d2fb3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.811259Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Client::HTTP Communication", - "description": "General HTTP client behavior.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.002" - } - ], + "created": "2021-02-10T06:49:35.631517Z", + "modified": "2021-02-10T06:49:35.631517Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--112d8251-af9c-404d-b3f6-44bd15c42a5d", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1afb242c-883b-40c2-8a37-fc5064dd7d2b", + "id": "relationship--3ddcef21-22e6-4fee-bd78-e7d6c2c83048", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.819261Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Generate Traffic::ICMP Communication", - "description": "Generate ICMP traffic.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/icmp-comm.md", - "external_id": "C0014.001" - } - ], + "created": 
"2021-02-10T06:49:35.706443Z", + "modified": "2021-02-10T06:49:35.706443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--dcd29dd1-20d2-4387-90dd-95480c4e0f1c", + "target_ref": "attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1b5c05fd-3785-4710-8ee2-efadad6ef437", + "id": "relationship--78235ffd-fb8c-4167-b996-0e7b3853e0db", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.491263Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check Running Services", - "description": "VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.006" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2022-02-04T23:52:40.945699Z", + "modified": "2022-02-04T23:52:40.945699Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1b8eadb6-6e0f-4739-b31c-2805b225aa89", + "id": "relationship--1e9bb45f-e46b-452e-9c18-61c3c80ec1e0", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.781262Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Exploit Kit Behavior", - "description": "An Exploit Kit is a toolkit that exploits vulnerabilities in software to deliver malicious payloads (malware).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/exploit-kit-behavior.md", - "external_id": "E1190" - }, - { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1190", - "external_id": "T1190" - } - ], + "created": "2021-02-10T06:49:35.509442Z", + "modified": "2021-02-10T06:49:35.509442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--af706b89-56dd-4b02-81e6-eb64fe57c2e6", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1bfa0256-c28e-4dcc-82f6-8fa6880328f6", + "id": "relationship--fc399948-eede-4a80-b003-5eb63573d9e3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.982483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Receive UDP Data::Socket Communication", - "description": "Receive UDP data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": 
"C0001.017" - } - ], + "created": "2021-02-10T06:49:35.494443Z", + "modified": "2021-02-10T06:49:35.494443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9615d610-999a-417d-bf19-54da01c38b89", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1c9f410c-8e61-4d75-80be-e80461c54971", + "id": "relationship--eeaf78d0-1c5a-46e1-a0e6-031d5da5877a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Import Address Table (IAT) Hooking", - "description": "Malware (e.g. rootkit) modifies a process's import address table (IAT), which stores pointers to imported API functions.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", - "external_id": "F0015.003" - }, - { - "source_name": "external_source", - "url": "https://www.sans.org/media/score/checklists/rootkits-investigation-procedures.pdf" - } - ], + "created": "2021-02-10T06:49:35.492443Z", + "modified": "2021-02-10T06:49:35.492443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1e4a21a9-2d09-48fc-bcea-13d1359f2bbd", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": 
"attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", + "id": "relationship--c3d81490-069d-4698-b673-3e4228ebfeec", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Cryptographic Hash", - "description": "Malware may use a cryptographic hash.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", - "external_id": "C0029" - } - ], + "created": "2021-02-10T06:49:35.71091Z", + "modified": "2021-02-10T06:49:35.71091Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--8df78326-a8e8-4039-82a7-3dd375910e71", + "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e", + "id": "relationship--9c3eb4b3-53ee-4126-ba9d-fb58632584df", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.594264Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Input Capture", - "description": "Malware captures user input.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/input-capture.md", - "external_id": "E1056" - }, - { - "source_name": 
"mitre-attack", - "url": "https://attack.mitre.org/techniques/T1056", - "external_id": "T1056" - } - ], + "created": "2022-02-04T23:52:41.041094Z", + "modified": "2022-02-04T23:52:41.041094Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7f779291-853e-4e30-a57c-0b3276b70905", + "target_ref": "attack-pattern--b9a7ebfb-ce75-4050-b9ac-79d2bf146c4f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1d9b88e8-2bab-44ac-b1ae-26faf8f07f48", + "id": "relationship--d9e32737-c7be-41bb-925e-424b55bd7c10", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.512264Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Malloc Use", - "description": "Instead of unpacking into a pre-defined section/segment (ex: .text) of the binary, use malloc() / VirtualAlloc() to create a new segment. 
This makes keeping track of memory locations across different runs more difficult, as there is no guarantee that malloc/VirtualAlloc will assign the same address range each time.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.013" - } - ], + "created": "2021-02-10T06:49:35.452445Z", + "modified": "2021-02-10T06:49:35.452445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5b65a982-2a1d-4b32-ad40-b9e05b4d0284", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1dd62131-bc8e-4de7-b68a-1ea4c6b44c03", + "id": "relationship--c4f72d93-9b4a-4115-88d6-bae28231abba", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.005479Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Base64::Encode Data", - "description": "Malware may encode data using Base64.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/encode.md", - "external_id": "C0026.001" - } - ], + "created": "2022-09-08T18:26:19.142159Z", + "modified": "2022-09-08T18:26:19.142159Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d4b4af24-91a5-4f21-82c6-7f67f316239f", + "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c", + "id": "relationship--4483dfbc-eda0-4a56-aa56-c6c122b46f2d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Export Address Table (EAT) Hooking", - "description": "Hooks the export address table (EAT).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.006" - } - ], + "created": "2021-02-10T06:49:35.510443Z", + "modified": "2021-02-10T06:49:35.510443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--225f1311-c972-428d-be5e-f99a9edb705c", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1e4a21a9-2d09-48fc-bcea-13d1359f2bbd", + "id": "relationship--b9e7e9c7-e68d-4db7-b7d8-8371c7e31037", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.500263Z", - "modified": 
"2022-02-05T00:37:22.523012Z", - "name": "Modern Specs Check - Drive size", - "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Most modern machines have at least 80 GB disks. May use DeviceloControl (IOCTL_DISK_GET_LENGTH_INFO) or GetDiskFreeSpaceEx (TotalNumberOfBytes) .", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.015" - }, - { - "source_name": "external_source", - "url": "https://github.com/LordNoteworthy/al-khaser" - } - ], + "created": "2021-02-10T06:49:35.690461Z", + "modified": "2021-02-10T06:49:35.690461Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--608a4855-fe3a-4bff-a7a2-46db2ffd360b", + "target_ref": "attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1e5a85a2-73fc-467c-a94b-ec867885b4c3", + "id": "relationship--e1fe7576-a4b1-4a06-9ca2-65c901aa6592", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.467265Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Page Exception Breakpoint Detection", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.017" - }, - { - "source_name": 
"external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2021-02-10T06:49:35.567485Z", + "modified": "2021-02-10T06:49:35.567485Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b5d3d3c7-f9bd-4d61-8a73-593972018a8b", + "target_ref": "attack-pattern--7069df4d-92ef-4a18-b5a5-bf27dc9ef446", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--1ef444d5-6292-4701-be04-7d8bbd677b95", + "id": "relationship--32a3bc4f-4a7f-4ccb-a91f-0871823eba23", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.993484Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "RC6::Encrypt Data", - "description": "Malware encrypts with the RC6 algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.010" - } - ], + "created": "2021-02-10T06:49:35.48648Z", + "modified": "2021-02-10T06:49:35.48648Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b7727763-8ffd-4588-b8a1-15168d18f0dd", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--200ecf0e-33a7-4a9c-af4a-a3033b64e238", + "id": "relationship--b3793626-0c6a-4cfd-8071-c21073e2b8a8", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.490263Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check Processes", - "description": "The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. Malware can list the process and searches for the VMware string. Process related to Virtualbox can be detected by malware by query the process list.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.004" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.579443Z", + "modified": "2021-02-10T06:49:35.579443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a6389b1f-c2f4-4bb7-8b52-6725b00f6052", + "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "id": "relationship--420f543c-dd0c-47ae-96c9-d293bc8403cd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.609265Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "C2 Communication", - "description": "All command and control malware use implant/controller communication. The methods listed below can be used to capture explicit communication details. 
Remote file copy behavior is captured separately, as is done in ATT&CK - see [Remote File Copy](https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/remote-file-copy.md).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030" - } - ], + "created": "2021-02-10T06:49:35.463442Z", + "modified": "2021-02-10T06:49:35.463442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a7d53e43-1336-49be-bf6b-9cc3fb832ab2", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2080b6b4-a74c-43da-97db-1a2ca33ca589", + "id": "relationship--d9f13e0b-1d12-408a-879a-aabaf669aa3e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.464262Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "NtQueryInformationProcess", - "description": "Calling NtQueryInformationProcess with its ProcessInformationClass parameter set to 0x07 (ProcessDebugPort constant) will cause the system to set ProcessInformation to -1 if the process is being debugged. Calling with ProcessInformationClass set to 0x0E (ProcessDebugFlags) or 0x11 (ProcessDebugObject) are used similarly. 
Testing \"ProcessDebugPort\" is equivalent to using the kernel32!CheckRemoteDebuggerPresent API call (see next method).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.012" - } - ], + "created": "2021-02-10T06:49:35.586443Z", + "modified": "2021-02-10T06:49:35.586443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5389958e-188f-453f-ba90-e886291f200e", + "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--20bb8954-7d15-4f3f-b015-6de301407391", + "id": "relationship--385dea15-c11e-44c3-a3bc-c39939c17f1e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.003478Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "XOR::Decode Data", - "description": "Malware may use xor to decode data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decode.md", - "external_id": "C0053.002" - } - ], + "created": "2021-02-10T06:49:35.712898Z", + "modified": "2021-02-10T06:49:35.712898Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7adc736f-d3ca-438a-8bce-46967e062ea3", + "target_ref": "attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": 
true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--21399f14-f429-48f6-be04-d971783ba531", + "id": "relationship--a1b9a65b-7f5d-4287-8fe6-3d11a05a93db", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.870658Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Enumerate PE Sections", - "description": "Malware enumerates virtual offsets of code sections.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/code-discover.md", - "external_id": "B0046.001" - } - ], + "created": "2022-02-04T23:52:40.97859Z", + "modified": "2022-02-04T23:52:40.97859Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5706671b-371d-40dd-95ae-d9574ba49291", + "target_ref": "attack-pattern--1a89f398-f3ef-484a-8735-024823241a11", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--225f1311-c972-428d-be5e-f99a9edb705c", + "id": "relationship--a6b3bfb6-1551-40b7-85ee-43b40981aa00", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.517264Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Thread Timeout", - "description": "Setting dwMilliseconds in WaitForSingleObject to a small number will timeout the thread before the analyst can step through and analyze the code executing in the thread. 
Modifying this via patch, register, or stack to the value `0xFFFFFFFF`, the **INFINITE** constant circumvents this anti-debugging technique.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.029" - } - ], + "created": "2021-02-10T06:49:35.554443Z", + "modified": "2021-02-10T06:49:35.554443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--598efe94-7195-42ad-9af8-d1d9c39433ba", + "target_ref": "attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--23949fea-4e13-41e3-b8c7-b25efd93f346", + "id": "relationship--8176d422-a51b-488d-ae21-0a67afb64b3d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.506259Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Memory-only Payload", - "description": "Malware is never written to disk (e.g., RAT plugins received from the controller are never written to disk).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-capture.md", - "external_id": "B0036.001" - } - ], + "created": "2021-02-10T06:49:35.689442Z", + "modified": "2021-02-10T06:49:35.689442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--bf339932-e456-44db-a711-b2d3482d9065", + "target_ref": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--23cc9528-7b14-4f75-9daf-0afb8d9c24fa", + "id": "relationship--80e2a5e2-1e17-463b-bc9d-d58b4884c7f7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Import Address Table (IAT) Hooking", - "description": "Modifies a process's import address table (IAT), which stores pointers to imported API functions.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.001" - } - ], + "created": "2021-02-10T06:49:35.499441Z", + "modified": "2021-02-10T06:49:35.499441Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4b908d8d-dc10-4114-99e6-8a82fe6a5e7f", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc", + "id": "relationship--0df3ad4f-fdff-4373-971c-5d818a0f83fb", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.507263Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Capture Evasion", - "description": "Malware has characteristics enabling it to evade capture from the infected system.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-capture.md", - "external_id": "B0036" - } - ], + "created": "2021-02-10T06:49:35.589482Z", + "modified": "2021-02-10T06:49:35.589482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--bb0c753c-31a4-48b9-9548-47a29cce149a", + "target_ref": "attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--24464dee-85e0-4fbf-b604-130f783c3689", + "id": "relationship--298fa055-8bd0-4067-8951-58fe0f23312c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.720618Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Tampering", - "description": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.028" - } - ], + "created": "2021-02-10T06:49:35.689736Z", + "modified": "2021-02-10T06:49:35.689736Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--4f786f90-7679-427a-932b-2d212faffa37", + "target_ref": "attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--245f1add-7e00-4b25-9f57-a88febbd9359", + "id": "relationship--30c38873-69d5-48e3-9c21-c94acff756e9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.915483Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Heavens Gate", - "description": "Malware evades endpoint security products by invoking 64-bit code in 32-bit processes, effectively bypassing user-mode hooks.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", - "external_id": "F0004.008" - }, - { - "source_name": "external_source", - "description": "Carl Petty, Red Canary, 3/3/2020. 
Online:", - "url": "https://redcanary.com/blog/heavens-gate-technique-on-linux/" - } - ], + "created": "2021-02-10T06:49:35.674443Z", + "modified": "2021-02-10T06:49:35.674443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a453cf88-1389-4ffd-8f3c-e95475f10a9f", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2494ac41-5d2b-4112-903a-fdc2a09d376b", + "id": "relationship--dc0547b4-1a0f-459d-b30d-0b2d841bead5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.783046Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "File search", - "description": "Controller requests the implant to search for a given filename pattern, often a [glob](https://en.wikipedia.org/wiki/Glob_(programming)).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.015" - } - ], + "created": "2021-02-10T06:49:35.457445Z", + "modified": "2021-02-10T06:49:35.457445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--85d9ce2b-1b52-4de5-8b03-74ed590639d6", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--24d2552e-d0ee-4ab5-8e75-743b233379e1", + "id": "relationship--afb8eb1b-32cf-466b-893d-1cd2bfe0d0b4", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.530265Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Extra Loops/Time Locks", - "description": "Add extra loops to make time-constraint emulators give up.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md", - "external_id": "B0005.004" - } - ], + "created": "2021-02-10T06:49:35.503442Z", + "modified": "2021-02-10T06:49:35.503442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7f30f323-51eb-42a6-8331-834b0da343cc", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e", + "id": "relationship--78aec280-eead-46dc-993e-7d5ad2b57541", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.743261Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Send Email", - "description": "Sends an email message from the system on which the malware is executing to one or more recipients, mostly commonly for the purpose of spamming or for distributing a malicious attachment or URL (malspamming).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "lateral-movement" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/send-email.md", - "external_id": "B0020" - }, - { - "source_name": "external_source", - 
"url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/" - }, - { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1566/", - "external_id": "T1566" - } - ], + "created": "2021-02-10T06:49:35.678443Z", + "modified": "2021-02-10T06:49:35.678443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--77b42d45-8bcf-4d7d-b6d1-4756b6edf272", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2514d117-a906-491c-bdef-fdc0ca4ab49b", + "id": "relationship--6163d58e-187c-496c-b47e-ec9f9e75f54f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.895263Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Terminate Process", - "description": "Malware terminates a process.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/terminate-process.md", - "external_id": "C0018" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--66995783-bfea-4c72-8fcb-4bdb015dc98f", + "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--25dbb3ef-6301-4f8c-a8d2-a03b5c23dafd", + "id": "relationship--d24a0361-8f68-4707-840e-780133205819", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.016478Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Get File Attributes", - "description": "Malware gets the attributes of a file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/get-file-attr.md", - "external_id": "C0049" - } - ], + "created": "2021-02-10T06:49:35.497442Z", + "modified": "2021-02-10T06:49:35.497442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--155facb0-bb4a-4df0-b276-70c16f4c12f9", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2620e845-cb45-43b5-91a4-dd72dcf3339d", + "id": "relationship--b99b2728-4bcd-419d-9b2d-e19a4f81fa17", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.492261Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Check Windows", - "description": "Malware may check windows for VM-related characteristics.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.009" - } - ], + "created": "2021-02-10T06:49:35.504443Z", + "modified": "2021-02-10T06:49:35.504443Z", + "relationship_type": 
"subtechnique-of", + "source_ref": "attack-pattern--8fb51611-3f2a-42e3-9af0-fd8eda882cf8", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--26a24fc4-3488-408f-ae36-9e5e881f4b9e", + "id": "relationship--c33c9546-3de6-4409-93c2-ca185814abe9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.038481Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Suspend Thread", - "description": "Malware may suspend a thread.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/suspend-thread.md", - "external_id": "C0055" - } - ], + "created": "2022-02-04T23:52:40.8832Z", + "modified": "2022-02-04T23:52:40.8832Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a962a19b-79e6-4154-a634-b85d9e9d0264", + "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--26d8815b-c8d1-4fc9-a6f6-218c0436b7a1", + "id": "relationship--c8b1f9ac-52aa-40f0-b63a-3cfdfc9cc914", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.562264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Thunk Code Insertion", - "description": "Variation on Jump Insertion. 
Used by some compilers for user-generated functions.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.006" - } - ], + "created": "2021-02-10T06:49:35.530444Z", + "modified": "2021-02-10T06:49:35.530444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6a54a038-71b7-4b4c-87c2-2e5b433404af", + "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--276108d0-bfef-45d8-9e20-0e6f5c107f6f", + "id": "relationship--ae997115-bd28-417b-b412-695cfb11cd01", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.650261Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Hide Data in Registry", - "description": "Malware may use a registry key to store a long sequence of bytes.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/covert-location.md", - "external_id": "B0040.001" - } - ], + "created": "2021-02-10T06:49:35.563442Z", + "modified": "2021-02-10T06:49:35.563442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b729ab37-a73c-4d87-a72b-4123385a2581", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": 
"attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", + "id": "relationship--d921ecba-5b38-46e4-9929-35e2071c3a00", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.662262Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Hidden Files and Directories", - "description": "Malware may hide files and folders to avoid detection and/or to persist on the system. See potential methods below.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md", - "external_id": "F0005" - } - ], + "created": "2021-02-10T06:49:35.597586Z", + "modified": "2021-02-10T06:49:35.597586Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6dfa5d14-e016-4572-a2c9-ca4f697c7a14", + "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2847e96e-8080-4f95-96df-b2194e42ac25", + "id": "relationship--d7d50e3f-f477-4260-8932-928e09d6d765", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.973483Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Receive Request::HTTP Communication", - "description": "HTTP server receives request.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.015" - } - ], + "created": "2021-02-10T06:49:35.678443Z", + "modified": "2021-02-10T06:49:35.678443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d447c221-2ab5-4378-bb19-78b97869fa58", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--28715d14-8b3f-4be9-95f6-e306de73f53f", + "id": "relationship--ccd33d4b-3108-4947-81a6-35b8b4e1af11", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Shadow SDT Hooking", - "description": "Hooks the Shadow SSDT similarly to how the SSDT and IAT are hooked. 
The target of the hooking with the Shadow SSDT is the Windows subsystem (win32k.sys).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.005" - } - ], + "created": "2021-02-10T06:49:35.684442Z", + "modified": "2021-02-10T06:49:35.684442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e399ce8e-2c1d-4bc4-9669-308cb99f1e10", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--28c6f55a-126f-436b-ab2e-af77f91d0cec", + "id": "relationship--24be0b76-7963-49e6-857a-ac06ad5bc4e4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.597265Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Application Hook", - "description": "Keystrokes are captured with an application hook.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/keylogging.md", - "external_id": 
"F0002.001" - } - ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "created": "2021-02-10T06:49:35.47449Z", + "modified": "2021-02-10T06:49:35.47449Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7c01a0a6-5081-4609-9546-120f0652f1d4", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "id": "relationship--083ec365-6341-4068-8981-9d41d33be578", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.486264Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Sandbox Detection", - "description": "Detects whether the malware instance is being executed inside an instrumented sandbox environment (e.g., Cuckoo Sandbox). 
If so, conditional execution selects a benign execution path.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", - "external_id": "B0007" - }, - { - "source_name": "external_source", - "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" - }, - { - "source_name": "external_source", - "url": "http://labs.lastline.com/exposing-rombertik-turning-the-tables-on-evasive-malware" - }, - { - "source_name": "external_source", - "url": "https://github.com/LordNoteworthy/al-khaser" - }, - { - "source_name": "external_source", - "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf" - } - ], + "created": "2021-02-10T06:49:35.570481Z", + "modified": "2021-02-10T06:49:35.570481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--245f1add-7e00-4b25-9f57-a88febbd9359", + "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", + "id": "relationship--d037ad47-c862-401f-80a2-c95698aae95f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.689263Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Process Injection", - "description": "Malware may execute code in the address space of a separate process.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": 
"privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md", - "external_id": "E1055" - }, - { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" - }, - { - "source_name": "external_source", - "url": "https://github.com/LordNoteworthy/al-khaser" - }, - { - "source_name": "external_source", - "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/" - }, - { - "source_name": "external_source", - "url": "https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1055", - "external_id": "T1055" - } - ], + "created": "2021-02-10T06:49:35.473484Z", + "modified": "2021-02-10T06:49:35.473484Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9aa48852-5d9f-45e3-a094-113bc10c1cbc", + "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2b01bf8e-63cf-495c-8e2f-d18a8c286ad5", + "id": "relationship--a1df96e9-2ef3-4939-b68c-e13dbcd38c60", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.499265Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Instruction Testing - VMCPUID", - "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.037" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.456445Z", + "modified": "2021-02-10T06:49:35.456445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2080b6b4-a74c-43da-97db-1a2ca33ca589", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2b4653a5-2865-4768-ae75-e1f7cb84b39a", + "id": "relationship--8a59149c-0a38-46a8-a1c8-2aa236149116", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.535262Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Flow Opcode Obstruction", - "description": "Flow opcodes (e.g., jumps, loops) are removed and emulated (or decrypted) by the packer during execution, resulting in incorrect dumps. 
.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006.009" - }, - { - "source_name": "external_source", - "url": "https://www.gironsec.com/code/packers.pdf" - } - ], + "created": "2022-09-08T18:26:19.070707Z", + "modified": "2022-09-08T18:26:19.070707Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9fb37268-5250-495b-b80c-96315169c1a8", + "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2baec974-fab4-4fe3-92a6-c477893f132d", + "id": "relationship--3d11a5ca-28e7-4f1e-aed7-14f93c9b7181", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.509262Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Block Interrupts", - "description": "Block interrupt (via hooking) 1 and/or 3 to prevent debuggers from working.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.001" - } - ], + "created": "2022-09-08T18:26:19.048115Z", + "modified": "2022-09-08T18:26:19.048115Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6f73f473-5fb0-4777-a951-6de90d9ea01f", + "target_ref": "attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2", "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2bef87a4-e803-4bb7-8f8f-fac4f63a02e1", + "id": "relationship--ff9cf97c-d31b-4536-b358-93a6575ee178", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.534261Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Erase the PE header", - "description": "Erase PE header from memory.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006.002" - } - ], + "created": "2021-02-10T06:49:35.693726Z", + "modified": "2021-02-10T06:49:35.693726Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--333a4ca2-d8a5-4829-abcb-c42736a41f0d", + "target_ref": "attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2bf1a1a6-82ff-4e52-b11c-bd2d0495e830", + "id": "relationship--6c6c6933-a843-4fcc-8534-4192e0c18c33", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.033478Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Wallpaper", - "description": "Malware modifies the wallpaper.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/wallpaper.md", - "external_id": "C0035" - } - ], + "created": "2021-02-10T06:49:35.450445Z", + "modified": "2021-02-10T06:49:35.450445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--add320e6-3798-40f7-91be-5062eb3a9e00", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2c55e74c-c066-43e0-bdaa-8d74959b7694", + "id": "relationship--4430014b-9fc5-4b48-a8a9-7a9b657dbef3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Export Address Table (EAT) Hooking", - "description": "Malware (e.g. rootkit) hooks the export address table (EAT).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", - "external_id": "F0015.001" - } - ], + "created": "2021-02-10T06:49:35.506476Z", + "modified": "2021-02-10T06:49:35.506476Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ff66c503-48b3-4f2b-a462-f54258d2cfca", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--2c90706d-0b4a-45e1-b9f0-0292ebb69edf", + "id": "relationship--ed421b26-6209-4ac5-8474-50b017eeb281", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.496265Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Instruction Testing - CPUID", - "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. Checking the CPU ID found within the registry can provide information to system type.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.034" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.701491Z", + "modified": "2021-02-10T06:49:35.701491Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1504bfdb-bc65-4fc2-9afd-8d2e82737dd6", + "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2cab79e4-750b-43e3-9486-0d7801d8fdd8", + "id": "relationship--0c1016cb-bb35-448a-9b36-4ee17488dc8b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.900382Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Delete File", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": 
"mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", - "external_id": "B0011.001" - } - ], + "created": "2021-02-10T06:49:35.632968Z", + "modified": "2021-02-10T06:49:35.632968Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1adddaa3-6164-4adf-b910-6b8a78fb3111", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2e82d33e-a804-42a2-9931-57f7b7af78f9", + "id": "relationship--aee3da6b-f795-4287-a6da-b7698c7369b0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.991483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "AES::Encrypt Data", - "description": "Malware encrypts with the AES algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.001" - } - ], + "created": "2021-02-10T06:49:35.575481Z", + "modified": "2021-02-10T06:49:35.575481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e7d60710-0081-4d47-9fd3-3e2d410828e7", + "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2ed5189e-8701-45ab-b222-b4b23f2bbb0e", + "id": "relationship--2e0c9bbc-6206-4b83-be2c-70c2db88e443", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.85726Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Use Constant", - "description": "Malware may manipulate or use a constant value, for example as part of a larger string used by some function.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/use-constant.md", - "external_id": "C0020" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9a20e319-4340-469f-a31c-5153dbd05bd0", + "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", + "id": "relationship--d6c2d9fb-2437-4510-be5e-c7da4fabee98", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.806261Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "DNS Communication", - "description": "The DNS Communication micro-behavior focuses on DNS communication.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", - "external_id": "C0011" - } - ], + "created": "2021-02-10T06:49:35.545495Z", + "modified": "2021-02-10T06:49:35.545495Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--26d8815b-c8d1-4fc9-a6f6-218c0436b7a1", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", + "id": "relationship--8a69d272-6153-4c8f-b19d-cbd9e8d9d15c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.52526Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Dynamic Analysis Evasion", - "description": "Malware may obstruct dynamic analysis in a sandbox, emulator, or virtual machine.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003" - }, - { - "source_name": "external_source", - "url": "http://joe4security.blogspot.com/2013/06/overloading-sandboxes-new-generic.html" - }, - { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" - }, - { - "source_name": "external_source", - "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf" - }, - { - "source_name": "external_source", - "url": "https://research.checkpoint.com/2019-resurgence-of-smokeloader/" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1497/", - "external_id": "T1497" - } - ], + "created": "2021-02-10T06:49:35.478443Z", + "modified": "2021-02-10T06:49:35.478443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--adf43bd9-7112-42fe-8024-7f7fe5a2225f", + "target_ref": 
"attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", + "id": "relationship--12ee152d-79a5-4e77-93c1-56fa9edac2d4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.850262Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Generate Pseudo-random Sequence", - "description": "The Generate Pseudo-random Sequence microbehavior can be used for a number of purposes. The methods below include specific functions, as well as pseudorandom number generators (PRNG).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md", - "external_id": "C0021" - } - ], + "created": "2021-02-10T06:49:35.612443Z", + "modified": "2021-02-10T06:49:35.612443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ae865c4b-d90b-46be-aae6-6fbe897b76d9", + "target_ref": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2f82d3b5-c6f8-4f4b-89e1-8605ea457749", + "id": "relationship--24dbed05-124f-49f5-998b-fb2bda1c4a15", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.939481Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Taskbar Discovery", - "description": "Malware may find the taskbar.", - "kill_chain_phases": [ - { - 
"kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/taskbar-discover.md", - "external_id": "B0043" - } - ], + "created": "2021-02-10T06:49:35.592482Z", + "modified": "2021-02-10T06:49:35.592482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--489d6e43-968b-432d-b89b-e9e4f974423b", + "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--2fdbb4b2-a02a-42de-a6de-2263b48392f1", + "id": "relationship--5a12747a-b03e-4230-a499-db165272c5ac", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.975482Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "WinHTTP::HTTP Communication", - "description": "An HTTP request is made via the Windows HTTP Services (WinHTTP) application programming interface (API).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.008" - } - ], + "created": "2021-02-10T06:49:35.569485Z", + "modified": "2021-02-10T06:49:35.569485Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d", + "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": 
"2.1", - "id": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", + "id": "relationship--cd65a36f-bc6c-4788-95da-59b1e5266f18", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.769263Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Data Destruction", - "description": "Data, system files, or other files are destroyed. Individual files are selected, as opposed to wiping an entire sector.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md", - "external_id": "E1485" - }, - { - "source_name": "external_source", - "url": "http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1485/", - "external_id": "T1485" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1447/", - "external_id": "T1447" - } - ], + "created": "2021-02-10T06:49:35.575481Z", + "modified": "2021-02-10T06:49:35.575481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f1b3a223-fa61-4341-9d0c-9f71b399ee00", + "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--3018beac-a047-4b14-9c72-3340866b4c67", + "id": "relationship--72044d7c-39a9-451c-820c-14bc25c45c84", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Patch Process Command Line", - "description": 
"Malware patches the PEB of a process to spoof the arguments.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md", - "external_id": "E1055.m04" - } - ], + "created": "2021-02-10T06:49:35.574482Z", + "modified": "2021-02-10T06:49:35.574482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f277deb3-f676-4536-b7c0-8cc76354b631", + "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--3110ab37-847b-4f50-be91-9748cee0f4a0", + "id": "relationship--956dbc7c-feb2-433c-b3e1-d6a6d8962629", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.683261Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Packer Stub", - "description": "A packer stub can generate polymorphic code.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/polymorphic-code.md", - "external_id": "B0029.001" - } - ], + "created": "2022-02-04T23:52:40.914452Z", + "modified": "2022-02-04T23:52:40.914452Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d4aefa59-0817-4916-ad93-6ef174e070d3", + "target_ref": "attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - 
"x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--31c2f227-2583-4f36-a24f-0f2610f1e055", + "id": "relationship--55696eb3-164e-4de9-901f-375ce8b3d23d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.007478Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Fast-Hash::Non-Cryptographic Hash", - "description": "Malware uses the Fast-Hash hash function.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md", - "external_id": "C0030.003" - } - ], + "created": "2021-02-10T06:49:35.568481Z", + "modified": "2021-02-10T06:49:35.568481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--276108d0-bfef-45d8-9e20-0e6f5c107f6f", + "target_ref": "attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--333a4ca2-d8a5-4829-abcb-c42736a41f0d", + "id": "relationship--9c76a296-00a9-489c-8651-228df2928b1a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.002478Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "IEncodingFilterFactory::Compress Data", - "description": "Malware compresses data using IEncodingFilterFactory.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/compress.md", - 
"external_id": "C0024.002" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436", + "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd", + "id": "relationship--2e6d72ae-2e84-48ed-999e-4fd317709893", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.77826Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Data Encrypted for Impact", - "description": "Malware may encrypt files stored on the system to prevent user access until a ransom is paid and/or to interrupt system availability. The encryption process usually iterates over all letter drives in the system (except for CD drives) and then recursively encrypts all files with specific suffixes.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/encrypt-impact.md", - "external_id": "E1486" - }, - { - "source_name": "external_source", - "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/" - }, - { - "source_name": "external_source", - "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/" - } - ], + "created": "2021-02-10T06:49:35.553443Z", + "modified": "2021-02-10T06:49:35.553443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--eee013e1-4cfd-42f9-9f46-71f4b1598ef3", + "target_ref": "attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921", 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", + "id": "relationship--2bd9e452-fe56-463b-8079-eeaebcfc800b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.994484Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Encrypt Data", - "description": "Malware may encrypt data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027" - } - ], + "created": "2021-02-10T06:49:35.563442Z", + "modified": "2021-02-10T06:49:35.563442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--001ca78e-188e-4725-9f43-706d0f487837", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--35284c4d-652f-40bd-b49b-7d625914bc75", + "id": "relationship--1e2386a3-d4f2-45e8-ace5-98a4e8f8d89a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.483264Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check Clipboard Data", - "description": "Checks clipboard data which can be used to detect whether execution is inside a sandbox.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", - "external_id": "B0007.001" - } - ], + "created": "2021-02-10T06:49:35.604442Z", + "modified": "2021-02-10T06:49:35.604442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c484a07a-2c0e-4141-bfd0-161a38812c64", + "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--352fc821-2bbf-4d2a-a9a2-3a69b3bac30c", + "id": "relationship--baa7b7d4-500b-47a4-a4e0-23965ea21fcc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.974485Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Start Server::HTTP Communication", - "description": "HTTP server is started.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.018" - } - ], + "created": "2021-02-10T06:49:35.518445Z", + "modified": "2021-02-10T06:49:35.518445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2b4653a5-2865-4768-ae75-e1f7cb84b39a", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--35365158-0007-49fa-bc45-da311d3c6246", + "id": "relationship--da2cf324-3633-4e1b-97ef-6fa9afa8ce2e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", 
- "created": "2021-02-10T06:49:31.973483Z",
- "modified": "2022-02-05T00:37:22.726134Z",
- "name": "Extract Body::HTTP Communication",
- "description": "HTTP client extracts HTTP body.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "communication-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md",
- "external_id": "C0002.011"
- }
- ],
+ "created": "2021-02-10T06:49:35.585443Z",
+ "modified": "2021-02-10T06:49:35.585443Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--e82333e9-4719-464b-87d9-164c6b00cb5d",
+ "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--35a8f2ce-05e2-4a25-a469-e07a6360eee3",
+ "id": "relationship--d1f3d7b0-343a-49fb-a5f8-44eee2b1771a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.469264Z",
- "modified": "2022-02-05T00:37:22.491757Z",
- "name": "Process Environment Block IsDebugged",
- "description": "The IsDebugged field is tested to determine whether the process is being debugged.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
- "external_id": "B0001.037"
- }
- ],
+ "created": "2021-02-10T06:49:35.544446Z",
+ "modified": "2021-02-10T06:49:35.544446Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa",
+ "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--35d551ab-014b-4fab-8ba8-b91fb42a3985",
+ "id": "relationship--d2b79a97-9aa2-4615-982a-469a502dcd48",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.533262Z",
- "modified": "2022-02-05T00:37:22.55426Z",
- "name": "Code Encryption in Memory",
- "description": "Encrypt the executing malware instance code in memory.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md",
- "external_id": "B0006.001"
- }
- ],
+ "created": "2021-02-10T06:49:35.639963Z",
+ "modified": "2021-02-10T06:49:35.639963Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--80d3bfbb-e88b-4396-9233-9fc88096a938",
+ "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--36074f02-7b9b-4052-998f-cb6c56447031",
+ "id": "relationship--f4568b14-51ae-4baf-a443-15cba11405f1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.555263Z",
- "modified": "2022-02-05T00:37:22.569857Z",
- "name": "Code Insertion",
- "description": "Insert code to impede disassembly.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-static-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
- "external_id": "B0032.002"
- }
- ],
+ "created": "2021-02-10T06:49:35.591482Z",
+ "modified": "2021-02-10T06:49:35.591482Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--dd600655-8b9a-4a67-be72-3088d96e0e5a",
+ "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--373415cb-bc3b-4602-8032-584b7cf758c5",
+ "id": "relationship--fd287f2b-09ce-4f5e-a2ff-7fcba59ee5be",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.73826Z",
- "modified": "2022-02-05T00:37:22.694887Z",
- "name": "Upload File",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "execution"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md",
- "external_id": "B0011.007"
- }
- ],
+ "created": "2021-02-10T06:49:35.626555Z",
+ "modified": "2021-02-10T06:49:35.626555Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--cb1c9047-e589-4aed-b5d5-c6062a1ab340",
+ "target_ref": "attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--373bb770-4890-4e13-a0d6-94459bed37aa",
+ "id": "relationship--42f9aa4c-a48e-412d-bec0-5ad8ecd6dd00",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.566267Z",
- "modified": "2022-02-05T00:37:22.585511Z",
- "name": "Minification",
- "description": "Minification is 'the process of removing all unnecessary characters from source code without changing its functionality.' A simple example is when all the unnecessary whitespace and comments are removed. Minification is distinguished from compression in that it neither adds to nor changes the code seen by the interpreter. Minification is often used for malware written in interpreted languages, such as JavaScript, PHP, or Python. Legitimate code that is transmitted many times a second, such as JavaScript on websites, often uses minification to simply reduce the number of bytes transmitted.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-static-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-optimize.md",
- "external_id": "B0034.002"
- },
- {
- "source_name": "external_source",
- "url": "https://en.wikipedia.org/wiki/Minification_(programming)"
- }
- ],
+ "created": "2021-02-10T06:49:35.586443Z",
+ "modified": "2021-02-10T06:49:35.586443Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--a5589cd0-a6ee-4d1a-9963-3c44e9734242",
+ "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--37487e77-eda2-495c-bf1c-48f05062b2ca",
+ "id": "relationship--cc3f1203-967f-4550-a9be-1622e7528204",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:31.989483Z",
- "modified": "2022-02-05T00:37:22.757347Z",
- "name": "RC4::Decrypt Data",
- "description": "Malware decrypts data encrypted with the RC4 algorithm.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "cryptography-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md",
- "external_id": "C0031.008"
- }
- ],
+ "created": "2021-02-10T06:49:35.557442Z",
+ "modified": "2021-02-10T06:49:35.557442Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--99bd055e-cadd-4ed3-94a4-b21570cd8350",
+ "target_ref": "attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--37eb387f-ecb3-4098-926b-2e1d2c3da16e",
+ "id": "relationship--c93cceb6-5aad-4dd5-a2c1-ac00b2d8ba7a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.828261Z",
- "modified": "2022-02-05T00:37:22.741756Z",
- "name": "Server Connect::SMTP Communication",
- "description": "Connects to an smtp server.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "communication-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/smtp-comm.md",
- "external_id": "C0012.001"
- }
- ],
+ "created": "2021-02-10T06:49:35.712031Z",
+ "modified": "2021-02-10T06:49:35.712031Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--18377be7-e46d-48a0-ac85-b6af8f777b78",
+ "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--38dad326-aeb6-4341-9a2b-233fcd5698cd",
+ "id": "relationship--478019f4-7fba-49e1-8d9c-890f16a54123",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.582262Z",
- "modified": "2022-02-05T00:37:22.585511Z",
- "name": "Themida",
- "description": "Uses Themida.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-static-analysis"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "defense-evasion"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md",
- "external_id": "F0001.011"
- }
- ],
+ "created": "2022-02-04T23:52:40.945699Z",
+ "modified": "2022-02-04T23:52:40.945699Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--b2320873-c5bb-4691-80f6-ffbd143b8b9a",
+ "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913",
+ "id": "relationship--d2d5d68b-caa0-4b05-a297-3daca76d583e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.887261Z",
- "modified": "2022-02-05T00:37:22.819853Z",
- "name": "Create Process",
- "description": "Malware creates a process.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "process-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-process.md",
- "external_id": "C0017"
- }
- ],
+ "created": "2021-02-10T06:49:35.509442Z",
+ "modified": "2021-02-10T06:49:35.509442Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--dcd263ce-1f73-4f82-a7cf-5571498a8d36",
+ "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": false
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--39d98cff-ebf0-4824-8a7a-55ba1058664b",
+ "id": "relationship--3e147b5c-70ec-44b0-82f8-e0e50d205e05",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.468265Z",
- "modified": "2022-02-05T00:37:22.491757Z",
- "name": "Process Environment Block",
- "description": "The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, such as \"BeingDebugged,\" \"NtGlobalFlag,\" and \"IsDebugged\". Testing the value of this PEB field of a particular process can indicate whether the process is being debugged. Testing \"BeingDebugged\" is equivalent to using the kernel32!IsDebuggerPresent API call (see separate method).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
- "external_id": "B0001.019"
- }
- ],
+ "created": "2022-02-04T23:52:40.962929Z",
+ "modified": "2022-02-04T23:52:40.962929Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--3018beac-a047-4b14-9c72-3340866b4c67",
+ "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--39df68e5-9065-4b60-8ad1-ff626707b95a",
+ "id": "relationship--d0abc3bc-790a-422c-9811-46e9645c4c91",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:31.983492Z",
- "modified": "2022-02-05T00:37:22.741756Z",
- "name": "TCP Client::Socket Communication",
- "description": "TCP client behavior.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "communication-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md",
- "external_id": "C0001.008"
- }
- ],
+ "created": "2021-02-10T06:49:35.547447Z",
+ "modified": "2021-02-10T06:49:35.547447Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--878a631a-286b-4df2-bd6c-29a14053c402",
+ "target_ref": "attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3a9b6fab-01af-47ef-9563-69427ed4090c",
+ "id": "relationship--634d0ea4-0676-4efc-a74f-b483c5bcd3f0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.537265Z",
- "modified": "2022-02-05T00:37:22.569857Z",
- "name": "Guard Pages",
- "description": "Encrypt blocks of code individually and decrypt temporarily only upon execution.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-static-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
- "external_id": "B0032.010"
- }
- ],
+ "created": "2021-02-10T06:49:35.605446Z",
+ "modified": "2021-02-10T06:49:35.605446Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--89cee1bf-b7ab-4c13-8011-22364628422d",
+ "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3aa1c4d4-06c4-4d48-bc44-601b29abded8",
+ "id": "relationship--0245e5c7-c10b-48bb-af3b-4c7a7dfbadd6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.558264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
- "name": "Instruction Overlap",
- "description": "Jump after the first byte of an instruction to confuse disassembler.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-static-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
- "external_id": "B0032.013"
- }
- ],
+ "created": "2022-02-04T23:52:40.945699Z",
+ "modified": "2022-02-04T23:52:40.945699Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--a46f5dce-2530-4823-8253-d702c8b2abeb",
+ "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3b11e590-980e-4850-a9a1-6189b62f62b1",
+ "id": "relationship--f426b305-9bfc-4427-8514-b050f602c6e1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:32.00448Z",
- "modified": "2022-02-05T00:37:22.788643Z",
- "name": "IEncodingFilterFactory::Decompress Data",
- "description": "Malware decompresses data using IEncodingFilterFactory.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "data-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decompress.md",
- "external_id": "C0025.002"
- }
- ],
+ "created": "2021-02-10T06:49:35.493443Z",
+ "modified": "2021-02-10T06:49:35.493443Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--0e2fb8df-bef3-4664-88f9-f6614b80f107",
+ "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5",
+ "id": "relationship--970a924f-8577-4a75-9507-dc179e7e5cda",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:32.000444Z",
- "modified": "2022-02-05T00:37:22.773011Z",
- "name": "Verhoeff::Checksum",
- "description": "Malware uses the Verhoeff algorithm, often for purposes of error detection.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "data-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md",
- "external_id": "C0032.004"
- }
- ],
+ "created": "2021-02-10T06:49:35.651444Z",
+ "modified": "2021-02-10T06:49:35.651444Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--f4d0e9ac-c868-42fa-9b1f-0d0bee913da1",
+ "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3c0f36be-c4c0-4769-9be4-50682bc6a467",
+ "id": "relationship--86e0f1c9-6af3-47d6-a16c-68a9c4c853c0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.516301Z",
- "modified": "2022-02-05T00:37:22.538637Z",
- "name": "Self-Unmapping",
- "description": "UnmapViewOfFile() on itself.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
- "external_id": "B0002.025"
- }
- ],
+ "created": "2021-02-10T06:49:35.547447Z",
+ "modified": "2021-02-10T06:49:35.547447Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--84b9dfc5-4109-40fb-8378-52ecc2919cb4",
+ "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3cb4d50f-649d-4b09-b9a4-151bcc7ebc43",
+ "id": "relationship--0aebf062-cb5d-4c24-9275-16bc1270ad26",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.560265Z",
- "modified": "2022-02-05T00:37:22.569857Z",
- "name": "Merged Code Sections",
- "description": "Merge all sections resulting in just one entry in the sections table to make readability more difficult. May affect some detection signatures if written to be section dependent.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-static-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
- "external_id": "B0032.015"
- }
- ],
+ "created": "2021-02-10T06:49:35.644474Z",
+ "modified": "2021-02-10T06:49:35.644474Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622",
+ "target_ref": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3d34b429-1686-44be-8b63-bded4942cee7",
+ "id": "relationship--ebcb5830-b06f-4524-ad33-1cb034d85e3c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.514301Z",
- "modified": "2022-02-05T00:37:22.538637Z",
- "name": "Pipeline Misdirection",
- "description": "Take advantage of pipelining in modern processors to misdirect debugging, emulation, or static analysis tools. An unpacker can assume a certain number of opcodes will be cached and then proceed to overwrite them in memory, causing a debugger/emulator/analyzer to follow different code than is normally executed.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
- "external_id": "B0002.018"
- }
- ],
+ "created": "2021-02-10T06:49:35.588443Z",
+ "modified": "2021-02-10T06:49:35.588443Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--42c0847a-d4e3-497e-9540-c691ae0364c1",
+ "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3d502650-c707-4d28-b520-f440faa33ade",
+ "id": "relationship--ecd59316-0917-4b71-978a-76afa548d9a4",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:31.999444Z",
- "modified": "2022-02-05T00:37:22.773011Z",
- "name": "Adler::Checksum",
- "description": "Malware computes an Adler checksum.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "data-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md",
- "external_id": "C0032.005"
- }
- ],
+ "created": "2021-02-10T06:49:35.623442Z",
+ "modified": "2021-02-10T06:49:35.623442Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--8c803835-6fd8-4af8-a178-be3e2dc43687",
+ "target_ref": "attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3dc536c2-fa47-4acd-9043-1b0a0c2b2db6",
+ "id": "relationship--8473645f-775d-4bdc-8a66-971387760c7c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.70226Z",
- "modified": "2022-02-05T00:37:22.663601Z",
- "name": "COMSPEC Environment Variable",
- "description": "Uninstalls self via COMSPEC environment variable.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "defense-evasion"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/self-deletion.md",
- "external_id": "F0007.001"
- }
- ],
+ "created": "2021-02-10T06:49:35.636443Z",
+ "modified": "2021-02-10T06:49:35.636443Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--673cfd52-f67e-4fad-80b2-64465de4f7b0",
+ "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8",
+ "id": "relationship--de382962-a3f9-4076-aa38-988f8559a34f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.80226Z",
- "modified": "2022-02-05T00:37:22.726134Z",
- "name": "Supply Chain Compromise",
- "description": "The supply chain may be compromised to enable initial malware infection. Malware-related methods are listed below to supplement the information available defined in ATT&CK: [**Supply Chain Compromise**](https://attack.mitre.org/techniques/T1195/).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "lateral-movement"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/lateral-movement/supply-chain-compromise.md",
- "external_id": "E1195"
- },
- {
- "source_name": "external_source",
- "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
- },
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T1195/",
- "external_id": "T1195"
- }
- ],
+ "created": "2021-02-10T06:49:35.48548Z",
+ "modified": "2021-02-10T06:49:35.48548Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--93bd89e3-9cfd-47f6-9fed-bb13b58acd82",
+ "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": false
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3f907716-eb0f-4fd6-8db6-46f6932ab585",
+ "id": "relationship--3dfc2f43-ed0b-4637-abdf-a6e258e7df0a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.518266Z",
- "modified": "2022-02-05T00:37:22.538637Z",
- "name": "Use Interrupts",
- "description": "The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption \"key\".",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
- "external_id": "B0002.030"
- }
- ],
+ "created": "2021-02-10T06:49:35.558442Z",
+ "modified": "2021-02-10T06:49:35.558442Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--d6181cb9-7268-4ff7-99db-94df827e746e",
+ "target_ref": "attack-pattern--e3f453d4-03f3-4a8a-bfb1-d603016e234f",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--3fe270a3-09a5-4ca9-937f-d2bee9afed96",
+ "id": "relationship--3e59abd5-eb6f-4c78-a3f4-e26be1373992",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.516301Z",
- "modified": "2022-02-05T00:37:22.538637Z",
- "name": "Section Misalignment",
- "description": "Some analysis tools cannot handle binaries with misaligned sections.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
- "external_id": "B0002.023"
- }
- ],
+ "created": "2021-02-10T06:49:35.605446Z",
+ "modified": "2021-02-10T06:49:35.605446Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--9a5f43f7-dd94-4035-b335-9d0d388c93ae",
+ "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--405c94b9-4f0e-476b-982d-72bb1905daa9",
+ "id": "relationship--b8236567-fd01-4fb9-800f-d1a333cf253a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.580266Z",
- "modified": "2022-02-05T00:37:22.585511Z",
- "name": "Standard Compression",
- "description": "Uses a standard algorithm, such as UPX or LZMA, to compress an executable file.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-static-analysis"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "defense-evasion"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md",
- "external_id": "F0001.002"
- }
- ],
+ "created": "2022-02-04T23:52:40.97859Z",
+ "modified": "2022-02-04T23:52:40.97859Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--17cf477e-a8e5-4c52-b207-7023cfd16c1d",
+ "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--415ff076-0f63-4040-940e-439321695a67",
+ "id": "relationship--914d11ac-8e6f-40f5-a9b3-04bf4f1c7d97",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.556264Z",
- "modified": "2022-02-05T00:37:22.569857Z",
- "name": "Dead Code Insertion",
- "description": "Include \"dead\" code with no real functionality.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-static-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
- "external_id": "B0032.003"
- }
- ],
+ "created": "2021-02-10T06:49:35.622442Z",
+ "modified": "2021-02-10T06:49:35.622442Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--a90fbac2-8ec1-486c-85bf-6cb6269a5ea6",
+ "target_ref": "attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--41746d12-dfb1-4e7d-bd7e-81678b93b977",
+ "id": "relationship--8f2864ed-7bf4-4fcd-bc00-050cecb2f038",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.529264Z",
- "modified": "2022-02-05T00:37:22.55426Z",
- "name": "Different Opcode Sets",
- "description": "Use different opcodes sets (ex: FPU, MMX, SSE) to block emulators.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md",
- "external_id": "B0005.001"
- }
- ],
+ "created": "2021-02-10T06:49:35.530037Z",
+ "modified": "2021-02-10T06:49:35.530037Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--73478759-d9de-4bbd-a687-081c5f00c935",
+ "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--41c176c1-6258-4bd4-9518-c2dc433c254c",
+ "id": "relationship--e28c8b1d-cbae-4ab6-9def-123c71c2f2e5",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.88026Z",
- "modified": "2022-02-05T00:37:22.804261Z",
- "name": "Overflow Buffer",
- "description": "Malware may overflow the buffer for various purposes.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "memory-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/overflow-buffer.md",
- "external_id": "C0010"
- }
- ],
+ "created": "2021-02-10T06:49:35.656443Z",
+ "modified": "2021-02-10T06:49:35.656443Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--ab699bec-3a3f-498f-a658-1eabe6fe90c9",
+ "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": false
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--4283aa07-89f3-40d8-b45f-87ef48c8a86d",
+ "id": "relationship--78cfc708-d577-4899-b286-61c0a82599d8",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.490263Z",
- "modified": "2022-02-05T00:37:22.507385Z",
- "name": "Check Named System Objects",
- "description": "Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or other places.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
- "external_id": "B0009.003"
- }
- ],
+ "created": "2021-02-10T06:49:35.529445Z",
+ "modified": "2021-02-10T06:49:35.529445Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--5a895abc-11b8-4f33-a05d-47daa38002af",
+ "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6",
+ "id": "relationship--14265425-d70b-44a4-bf07-dfaa7d460b3c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.92426Z",
- "modified": "2022-02-05T00:37:22.835477Z",
- "name": "Registry Run Keys / Startup Folder",
- "description": "Malware may add an entry to the Windows Registry run keys or startup folder to enable persistence.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "persistence"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/registry-run-startup.md",
- "external_id": "F0012"
- },
- {
- "source_name": "external_source",
- "url": "https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html"
- },
- {
- "source_name": "external_source",
- "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
- },
- {
- "source_name": "external_source",
- "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON"
- },
- {
- "source_name": "external_source",
- "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf"
- }
- ],
+ "created": "2021-02-10T06:49:35.50848Z",
+ "modified": "2021-02-10T06:49:35.50848Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--8fcb44c9-dec3-4358-bf3d-35b4174f7d2b",
+ "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": false
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--42a50e42-61c1-4eb0-a7a2-f7f278feb391",
+ "id": "relationship--16ca026b-74af-4633-b139-5e82124b4315",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:36.062232Z",
- "modified": "2022-02-05T00:37:22.788643Z",
- "name": "aPLib::Decompress Data",
- "description": "Malware decompresses data using aPLib.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "data-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decompress.md",
- "external_id": "C0025.003"
- }
- ],
+ "created": "2021-02-10T06:49:35.464445Z",
+ "modified": "2021-02-10T06:49:35.464445Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--4ca9173b-10b3-4a35-8507-f6b34fa4fc23",
+ "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--42c0847a-d4e3-497e-9540-c691ae0364c1",
+ "id": "relationship--6322e651-3782-44fc-a873-70beb05f7d23",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.707263Z",
- "modified": "2022-02-05T00:37:22.663601Z",
- "name": "Process detection - Sandboxes",
- "description": "Malware can scan for the process name associated with common analysis tools. 
Joe Sandbox, etc.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013.007" - } - ], + "created": "2022-02-04T23:52:40.914452Z", + "modified": "2022-02-04T23:52:40.914452Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--24464dee-85e0-4fbf-b604-130f783c3689", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--42cea877-6723-4126-a016-6f2b8954eb6b", + "id": "relationship--97e750dc-f739-4758-a410-8b779187d386", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.60426Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Check for Payload", - "description": "Check for payload.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.005" - } - ], + "created": "2021-02-10T06:49:35.704445Z", + "modified": "2021-02-10T06:49:35.704445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d26aaa4d-5143-4888-b81c-346d3b51641b", + "target_ref": "attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--454163a6-b453-449c-88c1-96919f92705a", + "id": "relationship--326934b2-c3b7-4854-b52e-c8c521351d37", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.91426Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Malicious Network Driver", - "description": "Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can re-infect the server if it is restarted (persistence), can infect other machines on the network (lateral movement), and can redirect traffic on the network.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "lateral-movement" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/malicious-network-drv.md", - "external_id": "B0026" - }, - { - "source_name": "external_source", - "url": "https://www.zdnet.com/article/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver/" - } - ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "created": "2021-02-10T06:49:35.63795Z", + "modified": "2021-02-10T06:49:35.63795Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--741edcac-607c-4ebf-a8d0-928e02fe1461", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2", + "id": "relationship--86db4afc-b24b-4201-bc24-70d3d23c1710", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2020-08-21T20:49:59.489264Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check Memory Artifacts", - "description": "VMware leaves many artifacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognizable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.002" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.656443Z", + "modified": "2021-02-10T06:49:35.656443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--763fa6dd-331c-4c07-bc09-00f40cc958cc", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--45f0c217-fd80-4ce1-a9b1-4a62418162bb", + "id": "relationship--a8d00e2f-f309-4c05-8f01-2c429f873dfb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.521266Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Delayed Execution", - "description": "Stalling code is typically executed before any malicious behavior. The malware's aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior. 
This method is very similar to ATT&CK's [Virtualization/Sandbox Evasion: Time Based Evasion](https://attack.mitre.org/techniques/T1497/003/) sub-technique.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.003" - } - ], + "created": "2021-02-10T06:49:35.694967Z", + "modified": "2021-02-10T06:49:35.694967Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--656e96ac-b245-4c79-8b28-81423fd5d3cf", + "target_ref": "attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--461d88f4-10e9-4db1-b91d-e9a8cd0f8654", + "id": "relationship--63f506d2-31c2-40cb-b648-38f60125b8a1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.00448Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "QuickLZ::Decompress Data", - "description": "Malware decompresses data using QuickLZ.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decompress.md", - "external_id": "C0025.001" - } - ], + "created": "2021-02-10T06:49:35.502442Z", + "modified": "2021-02-10T06:49:35.502442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--baae0d7a-88a9-479c-879e-9bbd0dea3bf0", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--46c39f69-1900-4558-9c0d-2d9fe322dd41", + "id": "relationship--04e8a51b-a35b-4418-95e1-1aaea4b06e69", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.972483Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Open URL::HTTP Communication", - "description": "HTTP client connects to a URL.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.004" - } - ], + "created": "2021-02-10T06:49:35.531443Z", + "modified": "2021-02-10T06:49:35.531443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1506d910-1208-4064-a633-8291f6d36e74", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--46d77a13-9d20-4c9c-9846-cf6f298f6836", + "id": "relationship--8fe69ecc-eb76-40fd-9942-5621d9a2da2f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.606261Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Request Command", - "description": "Implant requests a command.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.008" - } - ], + "created": "2021-02-10T06:49:35.669444Z", + "modified": "2021-02-10T06:49:35.669444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f60a86ef-7e8a-4a7b-91fa-64a4c137068c", + "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--48018d04-fcd1-4e5d-b29f-6ccf841ae65f", + "id": "relationship--fbfeab65-3b59-42b4-9671-df04b882cf68", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.848263Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "GetTickCount::Generate Pseudo-random Sequence", - "description": "Malware generates a pseudo-random sequence using GetTickCount.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md", - "external_id": "C0021.001" - } - ], + "created": "2021-02-10T06:49:35.515492Z", + "modified": "2021-02-10T06:49:35.515492Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--09c1ddac-3b9f-487d-acba-78be3b686519", + "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--48964591-554c-420d-896b-89ad16f17eec", + "id": "relationship--08f35fa3-0327-4b97-929a-cfa4cce3a4ca", 
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.52526Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Restart", - "description": "Restarts or shuts down system to bypass sandboxing.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.010" - } - ], + "created": "2021-02-10T06:49:35.498442Z", + "modified": "2021-02-10T06:49:35.498442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f0df8409-6168-481b-97a9-eb15c77c1317", + "target_ref": "attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--489d6e43-968b-432d-b89b-e9e4f974423b", + "id": "relationship--a7198a08-9f93-495b-973f-f4ba35f11b39", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.727262Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Remote Desktop Protocols (RDP)", - "description": "RDP is used by malware.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md", - "external_id": "E1203.m01" - } - ], + "created": "2021-02-10T06:49:35.49545Z", + "modified": "2021-02-10T06:49:35.49545Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e4678b94-bfec-402e-9682-17a32ae8c379", + 
"target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4a062538-03cd-44da-a19f-6ed4401a4c36", + "id": "relationship--e25cc016-f6d4-4d58-901c-11559f4312e3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.972483Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Download URL::HTTP Communication", - "description": "HTTP client downloads URL to file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.006" - } - ], + "created": "2021-02-10T06:49:35.552443Z", + "modified": "2021-02-10T06:49:35.552443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--83892ea2-fded-49dd-bca7-d415f8fea8f9", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4b908d8d-dc10-4114-99e6-8a82fe6a5e7f", + "id": "relationship--9cdd2bbe-b1b2-46a9-9af7-500237584b53", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.510265Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Break Point Clearing", - "description": "Intentionally clearing software or hardware breakpoints.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - 
"external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.002" - } - ], + "created": "2021-02-10T06:49:35.714266Z", + "modified": "2021-02-10T06:49:35.714266Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ecf1cd8c-ffef-40bd-a2e3-441e77a84a77", + "target_ref": "attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a", + "id": "relationship--93377883-f29a-4a84-b98b-d5eb0d819226", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.641261Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Bootkit", - "description": "The boot sectors of a hard drive are modified (e.g., Master Boot Record (MBR)). ATT&CK associates bootkits with the Persistence. 
See ATT&CK: [**Pre-OS Boot: Bootkit**](https://attack.mitre.org/techniques/T1067/).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/boot-sector-mod.md", - "external_id": "F0013" - }, - { - "source_name": "external_source", - "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" - } - ], + "created": "2021-02-10T06:49:35.449445Z", + "modified": "2021-02-10T06:49:35.449445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4c1e6e56-1c8d-4bce-b696-68ac83cb33f6", + "id": "relationship--594b99e5-6125-4e18-8003-0a6b229d6a8a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.593264Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Mouse Events", - "description": "Mouse events are captured.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/input-capture.md", - "external_id": "E1056.m01" - } - ], + "created": "2021-02-10T06:49:35.550479Z", + "modified": "2021-02-10T06:49:35.550479Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--bad6ec3f-e218-4190-8033-3e4e8dae8d00", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4c4a5671-e788-40b8-8fd9-56d94ba32901", + "id": "relationship--3a455abe-520c-4836-ad23-43ec054d18c2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.012443Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Create Directory", - "description": "Malware creates a directory.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/create-dir.md", - "external_id": "C0046" - } - ], + "created": "2021-02-10T06:49:35.635945Z", + "modified": "2021-02-10T06:49:35.635945Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--665d234f-6c97-4ae2-b43f-18ea89336220", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7", + "id": "relationship--9286512d-fe9a-4caf-9989-81c6beda32ee", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.57126Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Executable Code Virtualization", - "description": "Original executable code is virtualized by translating the code into a special format that only a special virtual machine (VM) can run; the VM uses a 
customized virtual instruction set. A \"stub\" function calls the VM when the code is run. Virtualized code makes static analysis and reverse engineering more difficult; dumped code wonā€™t run without the VM.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-virtualize.md", - "external_id": "B0008" - }, - { - "source_name": "external_source", - "url": "https://github.com/xiaoweime/WProtect" - }, - { - "source_name": "external_source", - "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/" - } - ], + "created": "2021-02-10T06:49:35.460442Z", + "modified": "2021-02-10T06:49:35.460442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--35a8f2ce-05e2-4a25-a469-e07a6360eee3", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4ca9173b-10b3-4a35-8507-f6b34fa4fc23", + "id": "relationship--fcf1224b-44ac-4086-86b0-05649a9414ea", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.474262Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "TIB Aware", - "description": "Malware may access information in the Thread Information Block (TIB) for debug detection or process obfuscation detection. 
The TIB can be accessed as an offset of the segment register (e.g., fs:[20h]).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.027" - } - ], + "created": "2021-02-10T06:49:35.520444Z", + "modified": "2021-02-10T06:49:35.520444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--cb5e801d-a60f-497e-93b6-23d5e29c09fd", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4ce382af-356c-4906-b6f1-e44b4d71ed02", + "id": "relationship--6d364d40-56c6-4f5c-931d-51a7dfa6aed1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.988483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "AES::Decrypt Data", - "description": "Malware decrypts data encrypted with the AES algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.001" - } - ], + "created": "2021-02-10T06:49:35.505442Z", + "modified": "2021-02-10T06:49:35.505442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3d34b429-1686-44be-8b63-bded4942cee7", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true 
+ ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4d618788-4089-4149-8948-3d3524c766c5", + "id": "relationship--cc3a95b0-d974-4712-800b-84f9a4fd396d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.73826Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Sleep", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", - "external_id": "B0011.005" - } - ], + "created": "2021-02-10T06:49:35.480441Z", + "modified": "2021-02-10T06:49:35.480441Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d3656287-db62-4856-860d-6b3ff60e23b2", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4e6169c5-7791-4c39-b6c9-d79628a85448", + "id": "relationship--56445635-e12d-483f-9f37-8f54e2002bf2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.655262Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "AMSI Bypass", - "description": "Malware bypasses AMSI (Anti-malware Scan Interface).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", - "external_id": "F0004.004" - } - ], + "created": "2021-02-10T06:49:35.528504Z", + "modified": "2021-02-10T06:49:35.528504Z", + "relationship_type": "subtechnique-of", + 
"source_ref": "attack-pattern--bab113ca-bbe4-4b39-bcac-d7fa7325b1e9", + "target_ref": "attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4e688c01-10a1-41e9-a909-5442531069ac", + "id": "relationship--0374cfaa-8758-4105-9f0a-ec078bc08181", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.57926Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Custom Compression of Data", - "description": "Uses a custom algorithm to compress strings and variables (executable file data).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.007" - } - ], + "created": "2021-02-10T06:49:35.691442Z", + "modified": "2021-02-10T06:49:35.691442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b9cf6d75-631e-4209-b84d-63a7dcaf9b65", + "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--4ec39934-4cf3-4e7a-96fb-425ea2f56d15", + "id": "relationship--3328d84c-da60-47a0-840a-3c3cc1c91001", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.861259Z", - "modified": 
"2022-02-05T00:37:22.788643Z",
- "name": "Alter File Extension",
- "description": "Malware alters a file extension. This could be done for many reasons, including to hide the file or as part of a ransomware's encryption process.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "file-system-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/alter-extend.md",
- "external_id": "C0015"
- }
- ],
+ "created": "2021-02-10T06:49:35.477444Z",
+ "modified": "2021-02-10T06:49:35.477444Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--dc5231d1-332e-45ab-9995-412a5da4c10d",
+ "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": false
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--4f3bc817-8162-41b5-b617-5c9a261b66e0",
+ "id": "relationship--ed91cc79-a8c4-4b1a-88cd-eaccec835932",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.460262Z",
- "modified": "2022-02-05T00:37:22.491757Z",
- "name": "Debugger Artifacts",
- "description": "Malware may detect a debugger by its artifact (window title, device driver, exports, etc.).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
- "external_id": "B0001.004"
- }
- ],
+ "created": "2022-09-08T18:26:19.144484Z",
+ "modified": "2022-09-08T18:26:19.144484Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--8226e7fa-8e78-497b-9967-32e5d1395e12",
+ 
"target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--4f786f90-7679-427a-932b-2d212faffa37",
+ "id": "relationship--8486b307-4ae3-42dc-ab6d-d9d511495390",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:31.997443Z",
- "modified": "2022-02-05T00:37:22.773011Z",
- "name": "Import Public Key::Encryption Key",
- "description": "Malware imports a public key.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "cryptography-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/key.md",
- "external_id": "C0028.001"
- }
- ],
+ "created": "2021-02-10T06:49:35.511492Z",
+ "modified": "2021-02-10T06:49:35.511492Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--45f0c217-fd80-4ce1-a9b1-4a62418162bb",
+ "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--4f994303-c449-4d22-8ead-5c531a36ecf5",
+ "id": "relationship--3292f259-14f0-49d0-953d-958438b155eb",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.498264Z",
- "modified": "2022-02-05T00:37:22.523012Z",
- "name": "Instruction Testing - SGDT/SLDT (no pill)",
- "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM. The No Pill technique relies on the fact that the LDT structure is assigned to a processor not an Operating System. The LDT location on a host machine will be zero and on a virtual machine will be non-zero.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.031" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.459442Z", + "modified": "2021-02-10T06:49:35.459442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--93ac6386-6f04-44cd-b7a5-78da3ced8b13", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556", + "id": "relationship--907c56c0-01c4-4600-908c-4917dd56e085", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.791261Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Manipulate Network Traffic", - "description": "Malware intercepts and manipulates network traffic, typically accessing or modifying data, going to or originating from the system on which the malware instance is executing. 
Also known as a Man-in-the-Middle attack.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/manipulate-network-traffic.md", - "external_id": "B0019" - }, - { - "source_name": "external_source", - "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/" - } - ], + "created": "2021-02-10T06:49:35.640443Z", + "modified": "2021-02-10T06:49:35.640443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--51147afe-363a-4b8f-8bdd-2f3601c785f1", + "id": "relationship--a048b365-87c0-4d87-869b-27e4eae36478", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.748262Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Send Poisoned Text Message", - "description": "A malicious attachment is sent via spam SMS or MMS messages. 
When the user clicks the link, malware is installed.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "lateral-movement" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/send-poison-text-msg.md", - "external_id": "B0021" - }, - { - "source_name": "external_source", - "url": "https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html" - }, - { - "source_name": "external_source", - "url": "https://www.player.one/new-android-sms-malware-can-completely-own-your-phone-just-one-text-how-avoid-mazar-512363" - } - ], + "created": "2021-02-10T06:49:35.674443Z", + "modified": "2021-02-10T06:49:35.674443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b5f07958-9aea-4414-ab2c-d5a46399dc23", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd", + "id": "relationship--2a1b69f7-bdb3-4523-b9f7-f0de2497501e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.552264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Disassembler Evasion", - "description": "Malware code evades disassembly in a recursive or linear disassembler. 
Some methods apply to both types of disassemblers; others apply to one type and not the other.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md", - "external_id": "B0012" - }, - { - "source_name": "external_source", - "url": "http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf" - }, - { - "source_name": "external_source", - "url": "http://www.kernelhacking.com/rodrigo/docs/blackhat2012-paper.pdf" - }, - { - "source_name": "external_source", - "url": "https://isc.sans.edu/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870" - }, - { - "source_name": "external_source", - "url": "https://boingboing.net/2019/05/05/p-code-r-us.html" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ca32295b-c968-4099-a010-e8758c066be6", + "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5280b393-729d-43d5-b9e7-81da3d31b450", + "id": "relationship--dd3c58e9-b02b-451c-92b4-e294f84bad4a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.682261Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Call Indirections", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/polymorphic-code.md", - "external_id": 
"B0029.002" - }, - { - "source_name": "external_source", - "url": "https://www.mccormick.northwestern.edu/eecs/documents/tech-reports/2010-2014/evaluating-android-anti-malware-against-transformation-attacks.pdf" - } - ], + "created": "2021-02-10T06:49:35.585443Z", + "modified": "2021-02-10T06:49:35.585443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--62792aba-aba0-4623-b7b7-479bae7d314b", + "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce", + "id": "relationship--7c1c47b5-d0b2-49f5-a7f7-1a74dfff6373", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.878261Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Change Memory Protection", - "description": "Malware may change memory protection. For example, read-write memory may be changed to read-execute. 
Changing memory protection may exploits (e.g., bypass Data Execution Prevention).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "memory-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/memory-protect.md", - "external_id": "C0008" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5625baf5-d4bd-4920-b541-abc2e8466405", + "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--53354aca-b791-4d12-875c-730f75d9be91", + "id": "relationship--3bb155c0-3689-4ce9-b53a-36f6c48b6421", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:36.077859Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Move File", - "description": "Malware moves a file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/move-file.md", - "external_id": "C0063" - } - ], + "created": "2021-02-10T06:49:35.455445Z", + "modified": "2021-02-10T06:49:35.455445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e85ffef6-8593-4bff-a6f0-d54b2e64fc70", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": 
"relationship", "spec_version": "2.1", - "id": "attack-pattern--5389958e-188f-453f-ba90-e886291f200e", + "id": "relationship--4697ee9b-c70e-4086-8b9e-93b4a142077f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.705262Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Process detection", - "description": "Malware can scan for the process name associated with common analysis tools.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013.001" - } - ], + "created": "2021-02-10T06:49:35.491483Z", + "modified": "2021-02-10T06:49:35.491483Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c08285dc-2707-4016-9db1-187e19f504f6", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4", + "id": "relationship--bc673d2f-0836-4e03-992e-e2fe9c3adeb0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.828261Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "SMTP Communication", - "description": "This micro-behavior focuses on SMTP communication.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/smtp-comm.md", - "external_id": "C0012" - } - ], + "created": "2022-09-08T18:26:19.032731Z", + 
"modified": "2022-09-08T18:26:19.032731Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c5c986d0-cf3f-44bb-9f0e-023783e6066d", + "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--54c7f1ed-7132-4022-8f3e-3fd4e5b88169", + "id": "relationship--edf19d0b-d821-4779-9688-9f828486204d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:36.109082Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Enumerate Threads", - "description": "Malware enumerates threads.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/enumerate-threads.md", - "external_id": "C0064" - } - ], + "created": "2021-02-10T06:49:35.498442Z", + "modified": "2021-02-10T06:49:35.498442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5543a067-b312-42fa-8943-f58e3f709332", + "target_ref": "attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--55040e64-313d-4656-8e1c-1146ff2f47d7", + "id": "relationship--d1bd9f34-171e-4638-9ebd-810ea4ecb683", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.547264Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Invoke NTDLL System Calls via Encoded Table", - "description": "Invokes ntdll.dll functions without 
using an export table; an encoded translation table on the stack is used instead.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-call-graph.md", - "external_id": "B0010.002" - }, - { - "source_name": "external_source", - "url": "http://fumalwareanalysis.blogspot.com/2012/01/malware-analysis-tutorial-10-tricks-for.html" - } - ], + "created": "2021-02-10T06:49:35.634706Z", + "modified": "2021-02-10T06:49:35.634706Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--35365158-0007-49fa-bc45-da311d3c6246", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5543a067-b312-42fa-8943-f58e3f709332", + "id": "relationship--553ce917-a792-47cf-8c30-6620e5609840", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.506259Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Encrypted Payloads", - "description": "Decryption key is stored external to the executable or never touches the disk.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-capture.md", - "external_id": "B0036.002" - } - ], + "created": "2021-02-10T06:49:35.658443Z", + "modified": "2021-02-10T06:49:35.658443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2", + "target_ref": 
"attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5625baf5-d4bd-4920-b541-abc2e8466405", + "id": "relationship--649e3ca9-4bae-4e3c-8977-89545e16bcbd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Memory Rootkit", - "description": "A memory rootkit hids in RAM. Behaviors may include methods to prevent memory access. The lifespan of a memory rootkit is short because it disappears after a system reboot.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", - "external_id": "E1014.m17" - } - ], + "created": "2021-02-10T06:49:35.465445Z", + "modified": "2021-02-10T06:49:35.465445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--bdeba524-0f2d-4d2f-a107-2b7516a0b496", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--56e26c80-e09f-4a51-8947-3c5a07dd3bf9", + "id": "relationship--1b8740ef-e989-4499-96e1-9a859e049e36", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.72626Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Java-based Web Servers", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": 
"mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md", - "external_id": "E1203.m02" - } - ], + "created": "2021-02-10T06:49:35.574482Z", + "modified": "2021-02-10T06:49:35.574482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--eab3d576-e947-486b-857c-ffa680b30050", + "target_ref": "attack-pattern--dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--56e97c05-06ca-49f9-bf50-d663993dee22", + "id": "relationship--8f59ccec-c489-4fcf-b388-c848d701d707", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.001445Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Compression Library", - "description": "Malware uses a compression library.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/compress-lib.md", - "external_id": "C0060" - } - ], + "created": "2021-02-10T06:49:35.631316Z", + "modified": "2021-02-10T06:49:35.631316Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--bdf66c87-1488-4eed-ae9c-2482bc93e93d", + "target_ref": "attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5706671b-371d-40dd-95ae-d9574ba49291", + "id": 
"relationship--802d1fb6-9260-4e51-b06a-99d573112106", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.871658Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Parse PE Header", - "description": "Malware parses the PE header.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/code-discover.md", - "external_id": "B0046.003" - } - ], + "created": "2021-02-10T06:49:35.458443Z", + "modified": "2021-02-10T06:49:35.458443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--904b465b-d733-4619-b0d5-5c394cd2b7f3", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--574e1bad-081e-43d5-a6e5-665cdc815b8d", + "id": "relationship--3618a207-89d9-4cd5-8933-74604e47d7b0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.474262Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Timing/Delay Check", - "description": "Malware may compare time between two points to detect unusual execution, such as the (relative) massive delays introduced by debugging.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.028" - } - ], + "created": "2022-02-04T23:52:40.994215Z", + "modified": "2022-02-04T23:52:40.994215Z", + "relationship_type": "subtechnique-of", + 
"source_ref": "attack-pattern--2cab79e4-750b-43e3-9486-0d7801d8fdd8", + "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--58245c62-d50e-40d4-b31e-63902657709f", + "id": "relationship--ece9840d-26ec-4e09-94b7-41f3f523e84a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.029444Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Set Variable::Environment Variable", - "description": "Malware sets an environment variable.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/enviro-var.md", - "external_id": "C0034.001" - } - ], + "created": "2022-09-08T18:26:19.144126Z", + "modified": "2022-09-08T18:26:19.144126Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ec7f9541-06af-4db7-a9c2-183b513f144a", + "target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--598efe94-7195-42ad-9af8-d1d9c39433ba", + "id": "relationship--02247109-98f4-4143-ab69-73b4999120dc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.58826Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Ethereum", - "description": "Access Ethereum data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - 
}, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/cryptocurrency.md", - "external_id": "B0028.002" - } - ], + "created": "2021-02-10T06:49:35.714442Z", + "modified": "2021-02-10T06:49:35.714442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d320eec6-6fe3-4fd8-81f8-700742858f19", + "target_ref": "attack-pattern--f867931f-8c8a-4b28-bc5b-0482852124b6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5a28507d-35d5-4a9c-83e0-4ecb9774c23c", + "id": "relationship--28278415-71d3-4be9-a5fe-28d54a976475", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.992483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Camellia::Encrypt Data", - "description": "Malware encrypts with the Camellia algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.003" - } - ], + "created": "2021-02-10T06:49:35.556484Z", + "modified": "2021-02-10T06:49:35.556484Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--28c6f55a-126f-436b-ab2e-af77f91d0cec", + "target_ref": "attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d", + "id": "relationship--b92e3544-1b6a-4568-b89b-539f04333cb3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.611265Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Domain Name Generation", - "description": "Malware generates the domain name of the controller to which it connects. Access to on the fly domains enables C2 to operate as domains and IP addresses are blocked. The algorithm can be complicated in more advanced implants; understanding the details so that names can be predicted can be useful in mitigation and response.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/domain-name-generate.md", - "external_id": "B0031" - }, - { - "source_name": "external_source", - "url": "https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/" - }, - { - "source_name": "external_source", - "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" - }, - { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/Conficker" - } - ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "created": "2021-02-10T06:49:35.546456Z", + "modified": "2021-02-10T06:49:35.546456Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ce322a95-0385-40cb-af25-96e377a7de8f", + "target_ref": "attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5a895abc-11b8-4f33-a05d-47daa38002af", + "id": 
"relationship--49c51e2e-4240-4e7f-90bd-2110ca45790d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.550264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Conditional Misdirection", - "description": "Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; identified by instructions *jmp/jcc to a label+#* (e.g., JNE loc_401345fe+2).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md", - "external_id": "B0012.002" - } - ], + "created": "2021-02-10T06:49:35.576443Z", + "modified": "2021-02-10T06:49:35.576443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7c5cb62b-9374-47b1-8a2f-82204b8640b6", + "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5aed60b2-8feb-4d3a-a585-b399a41bbc6f", + "id": "relationship--8e1047a3-1f25-415d-a483-88c1ab79caa5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.581263Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Standard Compression of Data", - "description": "Uses a standard algorithm to compress strings and variables (executable file data).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } 
- ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.004" - } - ], + "created": "2021-02-10T06:49:35.703804Z", + "modified": "2021-02-10T06:49:35.703804Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--013fce9b-0645-41a4-b6ec-03a70b319715", + "target_ref": "attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5b65a982-2a1d-4b32-ad40-b9e05b4d0284", + "id": "relationship--6afb1755-ab8c-41d5-a9bc-2f6e86e2fad5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.460262Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Hardware Breakpoints", - "description": "(SEH/GetThreadContext); Debug registers will indicate the presence of a debugger. 
See for details.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.005" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2021-02-10T06:49:35.671443Z", + "modified": "2021-02-10T06:49:35.671443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--70de257e-38ed-4422-864b-3b6d74aa5fab", + "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5b93eef5-683e-44cb-b737-0e80feb890d2", + "id": "relationship--1f4f28ea-bced-46d1-bc3f-2b98afe71576", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.887261Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Create Process via WMI::Create Process", - "description": "Malware uses WMI to create a process.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-process.md", - "external_id": "C0017.002" - } - ], + "created": "2021-02-10T06:49:35.510443Z", + "modified": "2021-02-10T06:49:35.510443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3f907716-eb0f-4fd6-8db6-46f6932ab585", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5c5601b2-b0ce-4732-a2b2-d45c30efef8c", + "id": "relationship--0adcf50a-9193-4bb2-9e53-437050adb7f8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.581263Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Standard Compression of Code", - "description": "Uses a standard algorithm to compress the opcode mnemonics.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.003" - } - ], + "created": "2021-02-10T06:49:35.493443Z", + "modified": "2021-02-10T06:49:35.493443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--8bf7607c-b292-40e6-9372-8624fc971a66", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5c965b91-a0fd-4a85-b688-9be91a7a5aa8", + "id": "relationship--5e03783a-f410-4b24-a1ae-1f11e0012d70", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Inline Patching", - "description": "Overwrites the first bytes in an API function to redirect code flow.", - 
"kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.002" - } - ], + "created": "2021-02-10T06:49:35.469483Z", + "modified": "2021-02-10T06:49:35.469483Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--97024953-18b1-43d8-adf2-207ac2dca44e", + "target_ref": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2", + "id": "relationship--d073938a-9b01-4297-81ec-71847da4ea1c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.806261Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Server Connect::DNS Communication", - "description": "Connects to DNS server.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", - "external_id": "C0011.002" - } - ], + "created": "2021-02-10T06:49:35.570481Z", + "modified": "2021-02-10T06:49:35.570481Z", + "relationship_type": 
"subtechnique-of", + "source_ref": "attack-pattern--ab2e210b-f2a3-4f50-b42a-7304b875429c", + "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5d116564-0ef7-4791-9a34-e86d81840b49", + "id": "relationship--b94e1b68-3b43-4319-b261-cbedc8870aab", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.920259Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Modify Existing Service", - "description": "Malware may modify an existing service to gain persistence. Modification may include disabling a service.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/modify-service.md", - "external_id": "F0011" - }, - { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" - } - ], + "created": "2022-02-04T23:52:40.97859Z", + "modified": "2022-02-04T23:52:40.97859Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9dd6ef57-b3b3-48e8-a77e-233ffee5d45b", + "target_ref": "attack-pattern--1a89f398-f3ef-484a-8735-024823241a11", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5e4e232e-e441-4223-8b73-f160e9957a52", + "id": "relationship--a16e90f8-cf2e-4b7b-b415-2821c143b984", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - 
"created": "2020-08-21T20:49:59.648262Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Install Insecure or Malicious Configuration", - "description": "Malware may install malicious configuration settings or may modify existing configuration settings. This MBC behavior extends the related ATT&CK technique to all platforms and to the Persistence objective.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/config-mod.md", - "external_id": "E1478" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1478", - "external_id": "T1478" - } - ], + "created": "2021-02-10T06:49:35.668507Z", + "modified": "2021-02-10T06:49:35.668507Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5f9d93b4-1083-440c-a170-eb181041fc56", + "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5eef016e-6366-41e1-a33d-d85727dd5d65", + "id": "relationship--af581334-f4f3-4b9a-a5e4-b2ca11fc559b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.511265Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Get Base Indirectly", - "description": "CALL to a POP; finds base of code or data, often the packed version of the code; also used often in obfuscated/packed shellcode.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.007" - } - ], + "created": "2021-02-10T06:49:35.458443Z", + "modified": "2021-02-10T06:49:35.458443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--79e12011-d4af-449f-b2da-6b4227564808", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5ef50fb5-9da5-4926-85a6-8049dc0be9b3", + "id": "relationship--79898173-fa8c-4eff-86bd-d49caca32833", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.981483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Send TCP Data::Socket Communication", - "description": "Send TCP data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.014" - } - ], + "created": "2021-02-10T06:49:35.63947Z", + "modified": "2021-02-10T06:49:35.63947Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1004c879-79b0-44db-996c-910a7f9e3857", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5f35c276-1599-47f2-b4df-468ccfa1e08b", + "id": "relationship--1e5372be-ad5f-408d-89b7-d8ed2aede14d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - 
"created": "2021-02-10T06:49:31.972483Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Connect to Server::HTTP Communication", - "description": "HTTP client connects to HTTP server.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.009" - } - ], + "created": "2021-02-10T06:49:35.701491Z", + "modified": "2021-02-10T06:49:35.701491Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--bf25a194-496a-4db2-801b-f2c5d3f951b5", + "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--5f9d93b4-1083-440c-a170-eb181041fc56", + "id": "relationship--0edfde5c-625a-485b-875d-c5c3027aa22c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.843259Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "InternetReadFile::WinINet", - "description": "Reads data from an open Internet file (URL data).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", - "external_id": "C0005.004" - } - ], + "created": "2021-02-10T06:49:35.627444Z", + "modified": "2021-02-10T06:49:35.627444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--06c3d5c7-d4bf-4b28-8385-e169ba81e744", + "target_ref": "attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8", 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--603e1968-92e1-41ec-86f1-c2ea0d28b7bf", + "id": "relationship--0cdce228-b8b8-432d-b689-8078cc888a33", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "SHA1::Cryptographic Hash", - "description": "Malware uses a SHA-1 hash.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", - "external_id": "C0029.002" - } - ], + "created": "2021-02-10T06:49:35.500442Z", + "modified": "2021-02-10T06:49:35.500442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6069021d-57ec-403e-b6fc-013b995aa2f0", + "id": "relationship--58fbdd0e-119e-447c-a027-2439b9f012b8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.734261Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Prevent Concurrent Execution", - "description": "To avoid running multiple instances of itself, malware may check a system to see if it is already running.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": 
"mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/prevent-concurrent-exe.md", - "external_id": "B0024" - }, - { - "source_name": "external_source", - "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_bagle.u" - } - ], + "created": "2021-02-10T06:49:35.709443Z", + "modified": "2021-02-10T06:49:35.709443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--69df421d-b8ea-49d2-9bd2-9df44aa3ced6", + "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--608a4855-fe3a-4bff-a7a2-46db2ffd360b", + "id": "relationship--00860bcf-c19d-488c-a064-21d58d08ab34", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.997443Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "RC4 KSA::Encryption Key", - "description": "Malware uses the RC4 Key Scheduling Algorithm (KSA).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/key.md", - "external_id": "C0028.002" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1c9f410c-8e61-4d75-80be-e80461c54971", + "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", + "id": "relationship--bdcdf7ec-ea76-4ff5-8b35-8e2e365ee0d9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.760262Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Archive Collected Data", - "description": "Malware may obfuscate data via encryption or encoding before exfiltration.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "exfiltration" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", - "external_id": "E1560" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1560/", - "external_id": "T1560" - } - ], + "created": "2021-02-10T06:49:35.591482Z", + "modified": "2021-02-10T06:49:35.591482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--56e26c80-e09f-4a51-8947-3c5a07dd3bf9", + "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "id": "relationship--f41fbd73-623e-4f83-a95b-09ee1bbeed75", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.504264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Virtual Machine Detection", - "description": "Detects whether the malware instance is being executed in a virtual machine (VM), such as VMWare. 
If so, conditional execution selects a benign execution path.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009" - }, - { - "source_name": "external_source", - "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - }, - { - "source_name": "external_source", - "url": "https://www.hackread.com/gravityrat-malware-evades-detection-targets-india/" - }, - { - "source_name": "external_source", - "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" - }, - { - "source_name": "external_source", - "url": "https://github.com/LordNoteworthy/al-khaser" - }, - { - "source_name": "external_source", - "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1497/", - "external_id": "T1497" - } - ], + "created": "2021-02-10T06:49:35.681443Z", + "modified": "2021-02-10T06:49:35.681443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--becb5385-146e-42a3-a343-5beffc43a15c", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--623daf49-2a74-4fd8-a7f0-e11a8475999f", + "id": "relationship--babfbb26-ae8a-46c7-8ec5-5f172a8b6672", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.768261Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Delete Application/Software", - "description": "An application or software is deleted.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md", - "external_id": "E1485.m03" - } - ], + "created": "2021-02-10T06:49:35.688517Z", + "modified": "2021-02-10T06:49:35.688517Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f1212d9e-3af6-4ef4-a19e-ff2793564ffd", + "target_ref": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--62792aba-aba0-4623-b7b7-479bae7d314b", + "id": "relationship--ae501972-7352-4340-9c15-cdd1120c2d65", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.705262Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Known Window", - "description": "Malware may detect an analysis tool via the presence of a known window.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013.009" - } - ], + "created": "2021-02-10T06:49:35.479442Z", + "modified": "2021-02-10T06:49:35.479442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a", + "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6287eb18-a197-4822-b0f5-99b4237fe18a", + "id": "relationship--4cf50640-bc53-4eaa-a715-32db8ed6ffd0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.708261Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Process detection - SysInternals Suite Tools", - "description": "Malware can scan for the process name associated with common analysis tools. Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013.003" - } - ], + "created": "2022-02-04T23:52:40.97859Z", + "modified": "2022-02-04T23:52:40.97859Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fe31be5f-2912-4056-b70b-62988d5c3829", + "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530", + "id": "relationship--3b9dccfb-5d9e-430c-b919-06de5797dbc5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.02248Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Simulate Hardware", - "description": "Malware simulates hardware.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "hardware-micro-objective" - } - ], - 
"external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/simulate-hardware.md", - "external_id": "C0057" - } - ], + "created": "2021-02-10T06:49:35.646032Z", + "modified": "2021-02-10T06:49:35.646032Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f", + "target_ref": "attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--641e7321-439b-4888-8624-f3ceace8465e", + "id": "relationship--7d24fa52-34a0-4296-95ab-5951fadfd081", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Kernel Mode Rootkit", - "description": "Rootkit operates by adding or replacing code in OS, device drivers, loadable kernel modules (LKM). 
Related to ATT&CK: [Kernel Modules and Extensions](https://attack.mitre.org/techniques/T1547/006/)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", - "external_id": "E1014.m16" - } - ], + "created": "2021-02-10T06:49:35.598503Z", + "modified": "2021-02-10T06:49:35.598503Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4d618788-4089-4149-8948-3d3524c766c5", + "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6479f655-1a26-4a37-96b4-170c5a57a31d", + "id": "relationship--19fbd4ce-7993-4163-996d-2d0678e6fc30", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.73826Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Uninstall", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", - "external_id": "B0011.006" - } - ], + "created": "2021-02-10T06:49:35.465445Z", + "modified": "2021-02-10T06:49:35.465445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--574e1bad-081e-43d5-a6e5-665cdc815b8d", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--648530a1-e16b-45c6-ae10-d3d47fc8bcb7", + "id": "relationship--e74dd571-aa94-42bc-becc-a25b981dccbd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.992483Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "HC-128::Encrypt Data", - "description": "Malware encrypts with the HC-128 algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.006" - } - ], + "created": "2021-02-10T06:49:35.49545Z", + "modified": "2021-02-10T06:49:35.49545Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--cada9d62-2163-42e3-88ec-d37e2ade1030", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6495c1d8-c694-4fc0-8063-05f0a42cad27", + "id": "relationship--7574627e-17f8-4f6e-a98e-f77e756e9f4b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.988483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Block Cipher::Decrypt Data", - "description": "Malware decrypts data encrypted with a block cipher.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.002" - } - ], + "created": "2021-02-10T06:49:35.676443Z", + "modified": "2021-02-10T06:49:35.676443Z", + 
"relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--37487e77-eda2-495c-bf1c-48f05062b2ca", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", + "id": "relationship--f6eab96c-3825-4127-8516-a98cffc3ec11", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.000444Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Checksum", - "description": "Malware may derive a checksum from some block of data. The checksum is often used for data validation.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md", - "external_id": "C0032" - } - ], + "created": "2021-02-10T06:49:35.638614Z", + "modified": "2021-02-10T06:49:35.638614Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--352fc821-2bbf-4d2a-a9a2-3a69b3bac30c", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", + "id": "relationship--c11ecbe7-a3af-4492-b928-922fef8ad123", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.530265Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Emulator Evasion", - "description": "Behaviors that obstruct analysis in an emulator.", - 
"kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md", - "external_id": "B0005" - } - ], + "created": "2021-02-10T06:49:35.499441Z", + "modified": "2021-02-10T06:49:35.499441Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2baec974-fab4-4fe3-92a6-c477893f132d", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--656e96ac-b245-4c79-8b28-81423fd5d3cf", + "id": "relationship--e6cf4711-6b56-4f70-b70e-912b230c6c26", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.002478Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "QuickLZ::Compress Data", - "description": "Malware compresses data using QuickLZ.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/compress.md", - "external_id": "C0024.001" - } - ], + "created": "2021-02-10T06:49:35.496474Z", + "modified": "2021-02-10T06:49:35.496474Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--98cc634e-8ebb-4c19-b3f1-bea0abef18ae", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--65ac0031-387e-41f5-8c05-4a7484fa460d", + "id": "relationship--305ddd65-9572-4b7e-96e1-f7d3bdb38df8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.737262Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Execute", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", - "external_id": "B0011.003" - } - ], + "created": "2021-02-10T06:49:35.513484Z", + "modified": "2021-02-10T06:49:35.513484Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--8736d370-3b61-4b4d-a371-0a01e988cbde", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6636c8bd-41a4-4a1e-965d-642c08be68db", + "id": "relationship--43eba576-5486-4061-8370-94de8fc35ad4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.651264Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Steganography", - "description": "Malware may store information in an image.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/covert-location.md", - "external_id": "B0040.002" - } - ], + "created": "2021-02-10T06:49:35.661442Z", + "modified": "2021-02-10T06:49:35.661442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1bfa0256-c28e-4dcc-82f6-8fa6880328f6", + "target_ref": 
"attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--664457b6-7f76-4745-a92d-6acbfe3ee384", + "id": "relationship--58580a37-3977-4efb-b5fb-beda9bbfd345", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.521266Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Data Flood", - "description": "Overloads a sandbox by generating a flood of meaningless behavioral data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.002" - }, - { - "source_name": "external_source", - "url": "http://joe4security.blogspot.com/2013/06/overloading-sandboxes-new-generic.html" - } - ], + "created": "2021-02-10T06:49:35.696835Z", + "modified": "2021-02-10T06:49:35.696835Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3b11e590-980e-4850-a9a1-6189b62f62b1", + "target_ref": "attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--665d234f-6c97-4ae2-b43f-18ea89336220", + "id": "relationship--2c24d182-4d28-489a-ac98-a3db334fc636", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.973483Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Send Request::HTTP Communication", - "description": "HTTP client sends request (GET).", - 
"kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.003" - } - ], + "created": "2022-09-08T18:26:19.092831Z", + "modified": "2022-09-08T18:26:19.092831Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b7df4632-63d2-4195-a529-643ab6098e16", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c", + "id": "relationship--2d702b38-41ca-4d36-ab6d-0770611e081e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.90326Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Component Firmware", - "description": "Malware may overwrite the flash memory contents of system BIOS or other firmware. [[1]](#1). 
Methods related to malware (extending ATT&CK's definitions) are below.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/component-firmware.md", - "external_id": "F0009" - }, - { - "source_name": "external_source", - "url": "https://www.scmagazine.com/home/opinions/are-synful-knock-style-router-attacks-set-to-become-the-new-normal/" - }, - { - "source_name": "external_source", - "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html" - } - ], + "created": "2021-02-10T06:49:35.670445Z", + "modified": "2021-02-10T06:49:35.670445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--603e1968-92e1-41ec-86f1-c2ea0d28b7bf", + "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--66995783-bfea-4c72-8fcb-4bdb015dc98f", + "id": "relationship--24e7319f-bb69-47a7-b333-4f0859b76521", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "System Service Dispatch Table Hooking", - "description": "Malware (e.g. rootkit, malicious drivers) may hook the system service dispatch table (SSDT), also called the system service descriptor table. The SSDT contains information about the service tables used by the operating system for dispatching system calls. 
Hooking the SSDT enables malware to hide files, registry keys, and network connections.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", - "external_id": "F0015.005" - }, - { - "source_name": "external_source", - "url": "https://www.mdpi.com/1999-5903/4/4/971/html" - } - ], + "created": "2021-02-10T06:49:35.500442Z", + "modified": "2021-02-10T06:49:35.500442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d7c408e8-d813-46aa-8267-a76f8d53ec35", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--66f0b43c-19fd-40b8-ae4f-de356df77371", + "id": "relationship--b77d147a-d61d-4e03-a993-df0ef04320e3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.994484Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Sosemanuk::Encrypt Data", - "description": "Malware encrypts with the Sosemanuk stream cipher.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.008" - } - ], + "created": "2021-02-10T06:49:35.55463Z", + "modified": "2021-02-10T06:49:35.55463Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--f7edbfa2-7ebf-4e66-bad5-a13150f5ce7a", + "target_ref": "attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--673cfd52-f67e-4fad-80b2-64465de4f7b0", + "id": "relationship--d2fca808-645a-4fb7-a796-5e48ee844732", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.973483Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Send Data::HTTP Communication", - "description": "HTTP clients sends data to a server (POST/PUT).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.005" - } - ], + "created": "2021-02-10T06:49:35.483443Z", + "modified": "2021-02-10T06:49:35.483443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--200ecf0e-33a7-4a9c-af4a-a3033b64e238", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--677563ae-beb5-47f2-b85c-ece6d7c7dc7e", + "id": "relationship--f3502abe-1bdc-4944-9125-425dc5aff3da", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.560265Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Junk Code Insertion", - "description": "Insert dummy code between relevant opcodes. 
Can make signature writing more complex.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.007" - } - ], + "created": "2021-02-10T06:49:35.572482Z", + "modified": "2021-02-10T06:49:35.572482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d850864e-1db4-40f3-b891-b1db177d48b3", + "target_ref": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--683507af-37f1-4db4-a922-d41cceaa8789", + "id": "relationship--2c43bdc5-b893-4004-abdf-0a47ed19d2f1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.472261Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "SeDebugPrivilege", - "description": "(Csrss.exe); Using the OpenProcess function on the csrss.exe process can detect a debugger.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.023" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2021-02-10T06:49:35.687537Z", + "modified": "2021-02-10T06:49:35.687537Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--48018d04-fcd1-4e5d-b29f-6ccf841ae65f", + "target_ref": 
"attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--68791849-d1ec-436a-983a-b6ca41bea52c", + "id": "relationship--4edb0c4a-cd3c-48cf-93bc-e616a9f14dea", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.514301Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Obfuscate Library Use", - "description": "LoadLibrary API calls or direct access of kernel32 via PEB (fs[0]) pointers, used to rebuild IAT or just obfuscate library use.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.016" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--966c59f0-e5f7-4c3f-80f8-49091c015ad7", + "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--68d12b85-7712-4572-a801-222a375b7033", + "id": "relationship--c3a6d906-8809-45a7-a764-2cf4418c02e8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.75826Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Encoding - Custom Encoding", - "description": "Data is encoded. 
A custom algorithm is used to encode the exfiltrated data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "exfiltration" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", - "external_id": "E1560.m04" - } - ], + "created": "2021-02-10T06:49:35.535444Z", + "modified": "2021-02-10T06:49:35.535444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--999fdac4-2cd5-471e-960e-993f82214902", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--69154c09-d2ee-4328-9543-1d0c1233df31", + "id": "relationship--e875346c-2c5a-4883-89a8-e503b3f9fb4a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.555263Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Data Value Obfuscation", - "description": "Obfuscate data values through indirection of local or global variables. For example, the instruction *if (a == 0) do x* can be obfuscated by setting a global variable, *Z*, to zero and using it in the instruction: *if (a==Z) do x*. 
[NEEDS REVIEW]", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.008" - } - ], + "created": "2021-02-10T06:49:35.708458Z", + "modified": "2021-02-10T06:49:35.708458Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--58245c62-d50e-40d4-b31e-63902657709f", + "target_ref": "attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--69401771-6ed2-45b5-bc81-68444a3dc4c9", + "id": "relationship--a0e24b8b-680f-425d-9c42-d73ac487c904", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.005479Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "XOR::Encode Data", - "description": "Malware may use xor to encode data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/encode.md", - "external_id": "C0026.002" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--641e7321-439b-4888-8624-f3ceace8465e", + "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--69af89da-bf40-4b9e-93c5-baa8fb937099", + "id": "relationship--ee5af496-814b-4795-ba99-408680134e85", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.605266Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Receive Data", - "description": "Receive data or command from a controller.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.002" - } - ], + "created": "2021-02-10T06:49:35.572482Z", + "modified": "2021-02-10T06:49:35.572482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--91e25008-204c-4723-9c53-ca041c5fd2b1", + "target_ref": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--69d4e839-b6ce-4299-b242-83192d6b62c2", + "id": "relationship--4be86d9d-3a96-49a8-a610-53eb6d508ad6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.485265Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Screen Resolution Testing", - "description": "Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower. No one is actually working on a such small screen. 
Malware could potentially detect the screen resolution to determine if it's a user machine or a sandbox.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", - "external_id": "B0007.006" - } - ], + "created": "2021-02-10T06:49:35.48848Z", + "modified": "2021-02-10T06:49:35.48848Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--dd40dbb6-6220-4b7b-93e1-20fe081eb219", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--69df421d-b8ea-49d2-9bd2-9df44aa3ced6", + "id": "relationship--0846c933-f893-4bb8-a5e0-fc2e7c40d69d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.030527Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Delete Registry Key::Registry", - "description": "Malware deletes a registry key.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", - "external_id": "C0036.002" - } - ], + "created": "2022-02-04T23:52:40.914452Z", + "modified": "2022-02-04T23:52:40.914452Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a438adb9-e8d8-40da-8fb3-0500b0c812f5", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - 
"x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--69f9ba6a-eb9e-4486-ae5e-fb7de1012c90", + "id": "relationship--967e87e4-5844-44f7-92be-86cc839ff0e0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.72626Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "File Transfer Protocol (FTP) Servers", - "description": "Malware leverages an FTP server.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md", - "external_id": "E1203.m03" - } - ], + "created": "2021-02-10T06:49:35.573481Z", + "modified": "2021-02-10T06:49:35.573481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9048df12-c89f-45a6-99ac-caaa7446d6db", + "target_ref": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6a54a038-71b7-4b4c-87c2-2e5b433404af", + "id": "relationship--e6356d81-4891-4832-9399-ba361a9329db", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.551264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Value Dependent Jumps", - "description": "Explicit use of computed values for control flow, often many times in the same basic block or function.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md", - "external_id": "B0012.003" - } - ], + "created": "2021-02-10T06:49:35.698444Z", + "modified": "2021-02-10T06:49:35.698444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1dd62131-bc8e-4de7-b68a-1ea4c6b44c03", + "target_ref": "attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6a958b33-6517-459c-afda-7f4f490ac15d", + "id": "relationship--646c7b99-374e-4ba8-aff7-1f3992652300", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Hidden Services", - "description": "Hides any system services that the malware instance creates or injects itself into. 
Services can be hidden by hiding associated registry keys.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md", - "external_id": "E1564.m04" - } - ], + "created": "2021-02-10T06:49:35.532444Z", + "modified": "2021-02-10T06:49:35.532444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--69154c09-d2ee-4328-9543-1d0c1233df31", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6ac62da2-e142-4fca-afba-bc0a0722cefc", + "id": "relationship--0e610bb6-bab9-4bf5-a300-cac9b12782e1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.87426Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Heap Spray", - "description": "Malware may use heap spraying to write a sequence of bytes on the heap section of a process.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "memory-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/heapspray.md", - "external_id": "C0006" - } - ], + "created": "2021-02-10T06:49:35.548449Z", + "modified": "2021-02-10T06:49:35.548449Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fecc2029-1268-4e13-b4b7-2b9f00c84972", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d", + "id": "relationship--92fe11df-9fa4-4466-b274-1101762ed31d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.638268Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Registry Install", - "description": "Stores itself in the Windows registry.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/alter-install-location.md", - "external_id": "B0027.002" - } - ], + "created": "2021-02-10T06:49:35.697716Z", + "modified": "2021-02-10T06:49:35.697716Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--461d88f4-10e9-4db1-b91d-e9a8cd0f8654", + "target_ref": "attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6c07f7cb-fd9d-4acf-9b99-b15ecafc8dca", + "id": "relationship--c753676d-6ff4-43c1-8392-a49941e72b4a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.784263Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Advertisement Replacement Fraud", - "description": "Malware injects ad windows onto websites the user views.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/generate-fraud-rev.md", - "external_id": "E1472.m02" - }, - { - "source_name": "external_source", - "url": "https://www.fipp.com/news/insightnews/what-are-the-nine-types-of-digital-ad-fraud" - } - ], + "created": "2021-02-10T06:49:35.460442Z", + "modified": "2021-02-10T06:49:35.460442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--97fc67af-9ec6-44a7-8187-32e07b5cdcb5", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6dfa5d14-e016-4572-a2c9-ca4f697c7a14", + "id": "relationship--81859fbe-e752-42f3-b717-2a6a7e13c0c8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.737262Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Shutdown", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", - "external_id": "B0011.004" - } - ], + "created": "2022-02-04T23:52:40.994215Z", + "modified": "2022-02-04T23:52:40.994215Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--87414f49-bf46-4a09-9999-979d71eb16a5", + "target_ref": "attack-pattern--cc396380-d266-4e87-8fc7-412e89a2b4b0", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0", + "id": "relationship--956ca423-89d4-44bb-a11a-5b9aecf36a27", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.997443Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Encryption Key", - "description": "Malware may import, generate, or otherwise use an encryption key.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/key.md", - "external_id": "C0028" - } - ], + "created": "2021-02-10T06:49:35.462442Z", + "modified": "2021-02-10T06:49:35.462442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--89a1d613-7163-493b-8aa9-7a528dd1dd3e", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6e6d534f-57ae-49cd-be41-0b6a77fbb6fb", + "id": "relationship--dd089615-2252-4134-8a85-f0776ce79bde", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.783046Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Execute File", - "description": "Execute/run/open the file using default operating system functionality, optionally with provided command-line arguments. 
The file may or may not already exist on the victim.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.013" - } - ], + "created": "2021-02-10T06:49:35.643406Z", + "modified": "2021-02-10T06:49:35.643406Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c", + "target_ref": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6e892e5f-0d39-4e58-9a69-1ff8cc479291", + "id": "relationship--dec218fe-55ec-41f2-b7a1-96d74c793989", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.497264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Instruction Testing - RDTSC", - "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.036" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.606443Z", + "modified": "2021-02-10T06:49:35.606443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--623daf49-2a74-4fd8-a7f0-e11a8475999f", + "target_ref": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3", + "id": "relationship--e8b38f28-8c46-4c31-8036-45571c33dde5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.809259Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "FTP Communication", - "description": "The FTP Communication micro-behavior focuses on FTP communication.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/ftp-comm.md", - "external_id": "C0004" - } - ], + "created": "2021-02-10T06:49:35.456445Z", + "modified": "2021-02-10T06:49:35.456445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--89594c9d-1e28-49a2-8969-694ade43e857", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--6ffd281c-acc5-4543-9fb5-aa0002339ea8", + "id": "relationship--50717643-0b9f-4a5b-abf1-b5c376cdec6c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.981483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Get Socket Status::Socket Communication", - "description": "Get socket status.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.012" - } - ], + "created": "2021-02-10T06:49:35.681443Z", + "modified": "2021-02-10T06:49:35.681443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5a28507d-35d5-4a9c-83e0-4ecb9774c23c", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7069df4d-92ef-4a18-b5a5-bf27dc9ef446", + "id": "relationship--d4484029-7085-4b0f-b9c9-576ef3789d4c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.644261Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Bypass Data Execution Prevention", - "description": "Malware may bypass Data Execution Prevention (DEP).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/bypass-dep.md", - "external_id": "B0037" - }, - { - "source_name": "external_source", - "url": "https://medium.com/cybersecurityservices/dep-bypass-using-rop-chains-garima-chopra-e8b3361e50ce" - } - ], + "created": "2022-09-08T18:26:19.092463Z", + "modified": "2022-09-08T18:26:19.092463Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ae4acd7c-89e1-44d8-a5fa-0d53fe88911e", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--70de257e-38ed-4422-864b-3b6d74aa5fab", + "id": "relationship--61872a4e-7152-4be1-8297-6fb76b3e7017", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "SHA224::Cryptographic Hash", - "description": "Malware uses a SHA-224 hash.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", - "external_id": "C0029.004" - } - ], + "created": "2021-02-10T06:49:35.551476Z", + "modified": "2021-02-10T06:49:35.551476Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5aed60b2-8feb-4d3a-a585-b399a41bbc6f", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--71d88456-13b6-48de-b779-e6ff71aa3b5e", + "id": "relationship--b43139f5-8626-4df1-948b-30f6042af7ae", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.538265Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "SizeOfImage", - "description": "Set the SizeOfImage field of PEB.LoaderData to be huge.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006.004" - } - ], + "created": "2022-09-08T18:26:19.030816Z", + "modified": "2022-09-08T18:26:19.030816Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b063a520-75fb-41bc-afd7-bf13a8118dc5", + "target_ref": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--73478759-d9de-4bbd-a687-081c5f00c935", + "id": "relationship--53471123-9043-4b7a-8a21-abd7330fefb6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.550264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "VBA Stomping", - "description": "Typically, VBA source code is compiled into p-code, which is stored with compressed sourced code in the OLE file with VBA macros. VBA Stomping - when the VBA source code is removed and only the p-code remains - makes analysis much harder. See for an analysis of a VBA-Stomped malicious VBA Office document. 
See for information on Evil Clippy, a tool that creates malicious MS Office documents.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md", - "external_id": "B0012.005" - }, - { - "source_name": "external_source", - "url": "https://isc.sans.edu/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870" - }, - { - "source_name": "external_source", - "url": "https://boingboing.net/2019/05/05/p-code-r-us.html" - } - ], + "created": "2021-02-10T06:49:35.641721Z", + "modified": "2021-02-10T06:49:35.641721Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b535d57f-a2e0-427b-8f4d-69d948e6ebf4", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--73482bd3-d3d1-4f57-a5ac-59bf22866f16", + "id": "relationship--03817b6f-9fe0-4fdd-93a1-fc816b3b592d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.928367Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Disk Wipe", - "description": "Malware may erase the content of storage devices. 
This behavior is different than [Data Destruction](https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md) because sections of the disk are erased rather than individual files.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/disk-wipe.md", - "external_id": "F0014" - } - ], + "created": "2021-02-10T06:49:35.513484Z", + "modified": "2021-02-10T06:49:35.513484Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9fb8ebbb-efc5-4f9c-8059-dca2a21412fd", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", + "id": "relationship--3d50075c-9ef1-4f64-8069-75e1cdffd66a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.739261Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Remote Commands", - "description": "Malware may provide an attacker with explicit commands. 
This behavior differs from the [Remote Access](https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/remote-access.md) behavior under the [Impact](https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact) objective in that *Impact: Remote Access* is potentially much broader and may include full remote access.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md", - "external_id": "B0011" - } - ], + "created": "2021-02-10T06:49:35.675442Z", + "modified": "2021-02-10T06:49:35.675442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--12c16b13-65d4-49ea-9dcb-3a88553ac5d3", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--741edcac-607c-4ebf-a8d0-928e02fe1461", + "id": "relationship--d03dc120-1af4-4837-aa97-30100dd25ed7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.974485Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Get Response::HTTP Communication", - "description": "HTTP client receives response.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.017" - } - ], + "created": "2021-02-10T06:49:35.675442Z", + "modified": "2021-02-10T06:49:35.675442Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--a8761808-d474-430a-9bd9-c770bc1163be", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--74d536e7-5fb3-4633-8f42-ca413aa2beea", + "id": "relationship--c49c1296-1265-4f09-a11e-e09e84afb3d9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.912738Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Delete Shadow Copies", - "description": "Deletes shadow drive data, which is related to ransomware.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md", - "external_id": "E1485.m04" - } - ], + "created": "2021-02-10T06:49:35.530939Z", + "modified": "2021-02-10T06:49:35.530939Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--da7d23d7-ead0-4926-a7ee-be9ea77bb2cd", + "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--74f89ee2-f4c0-4221-8951-e3a8f1fc449b", + "id": "relationship--98bcdb5a-115d-41b6-bbf0-b6385bf8e556", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.682261Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Code Reordering", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/polymorphic-code.md", - "external_id": "B0029.003" - }, - { - "source_name": "external_source", - "url": "https://www.mccormick.northwestern.edu/eecs/documents/tech-reports/2010-2014/evaluating-android-anti-malware-against-transformation-attacks.pdf" - } - ], + "created": "2021-02-10T06:49:35.635443Z", + "modified": "2021-02-10T06:49:35.635443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0b6c8517-62d1-49c1-9a2d-9300806d1370", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--75109dae-5db7-4582-be8b-edcea907659d", + "id": "relationship--a30d8395-e7b5-4fdd-adb9-b347222a3aa2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.522264Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Drop Code", - "description": "Original file is written to disk then executed. 
May confuse some sandboxes, especially if the dropped executable must be provided specific arguments and the original dropper is not associated with the drop file(s).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.005" - } - ], + "created": "2021-02-10T06:49:35.515492Z", + "modified": "2021-02-10T06:49:35.515492Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e1c3c48b-0b4d-418f-b7af-44715b214972", + "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--758df510-b765-4172-94ad-70561cd0ef62", + "id": "relationship--e155da38-a648-43ee-98dc-cc74126497df", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.534261Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Feed Misinformation", - "description": "API behavior can be altered to prevent memory dumps. For example, inaccurate data can be reported when the contents of the physical memory of the system on which the malware instance is executing is retrieved. 
See [Hooking](../credential-access/hooking.md).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006.008" - } - ], + "created": "2021-02-10T06:49:35.595442Z", + "modified": "2021-02-10T06:49:35.595442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c2e926cc-5d54-4cce-91f3-acf946574563", + "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779", + "id": "relationship--a2d5b2c9-df66-4d89-982b-bcbd570043ad", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.598261Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Keylogging", - "description": "Malware captures user keyboard input.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/keylogging.md", - "external_id": "F0002" - } - ], + "created": "2022-02-04T23:52:40.945699Z", + "modified": "2022-02-04T23:52:40.945699Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6e6d534f-57ae-49cd-be41-0b6a77fbb6fb", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - 
"type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--76206161-2e14-48a0-9191-998ef774b345", + "id": "relationship--b9888bd6-f659-4886-88c5-516bb3497e9c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.607265Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Send Heartbeat", - "description": "Heartbeat sent.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.007" - } - ], + "created": "2021-02-10T06:49:35.489479Z", + "modified": "2021-02-10T06:49:35.489479Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4f994303-c449-4d22-8ead-5c531a36ecf5", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--763fa6dd-331c-4c07-bc09-00f40cc958cc", + "id": "relationship--3f296064-170e-4b72-8cac-620d2f95652f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.981483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Create TCP Socket::Socket Communication", - "description": "A TCP socket is created.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.011" - } - ], + "created": "2021-02-10T06:49:35.616473Z", + "modified": 
"2021-02-10T06:49:35.616473Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--8abe31b2-7123-41f1-9ca3-5653bc1c0fdc", + "target_ref": "attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9", + "id": "relationship--d3f7d57c-cc02-490d-bd13-834106887821", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.729261Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Exploitation for Client Execution", - "description": "Software is exploited - either because of a vulnerability or through its designed features - to gain access for malware. In general, exploitation may be done by a human attacker, but MBC focuses on software exploits implemented in code. 
Malware-specific details are below.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md", - "external_id": "E1203" - }, - { - "source_name": "external_source", - "url": "https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1203", - "external_id": "T1203" - } - ], + "created": "2021-02-10T06:49:35.543445Z", + "modified": "2021-02-10T06:49:35.543445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b16029de-92c1-4b77-b334-733f0d099ecd", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc", + "id": "relationship--8b8bcc5d-2756-4161-bc24-c7836b99e405", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.550264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Argument Obfuscation", - "description": "Simple number or string arguments to API calls are calculated at runtime, making linear disassembly more difficult.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md", - "external_id": "B0012.001" - } - ], + "created": "2021-02-10T06:49:35.48648Z", + "modified": "2021-02-10T06:49:35.48648Z", + 
"relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9406d0e3-7e61-42c9-8532-a35459deb4e7", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--77932220-efa9-44d5-b3a9-c5d9ed4f3573", + "id": "relationship--19b5c040-4305-428a-93fa-c7fa7aa03582", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.021478Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Ctrl-Alt-Del::Simulate Hardware", - "description": "Malware simulates Ctrl-Alt-Del.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "hardware-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/simulate-hardware.md", - "external_id": "C0057.001" - } - ], + "created": "2021-02-10T06:49:35.633444Z", + "modified": "2021-02-10T06:49:35.633444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5f35c276-1599-47f2-b4df-468ccfa1e08b", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--77b42d45-8bcf-4d7d-b6d1-4756b6edf272", + "id": "relationship--001fb916-7704-4afe-9cc5-02302511ec34", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Stream Cipher::Decrypt Data", - "description": "Malware decrypts data encrypted with a stream cipher.", - 
"kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.013" - } - ], + "created": "2021-02-10T06:49:35.451445Z", + "modified": "2021-02-10T06:49:35.451445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--13d8f97e-b0dc-4ced-918d-31297b1f9aff", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "id": "relationship--65608b0d-cf7a-4c51-8d4e-e52d81eca2ec", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.983492Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Socket Communication", - "description": "This micro-behavior focuses on socket (TCP, UDP) communication.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001" - } - ], + "created": "2021-02-10T06:49:35.567485Z", + "modified": "2021-02-10T06:49:35.567485Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d", + "target_ref": "attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", 
"spec_version": "2.1", - "id": "attack-pattern--7850a582-f8c8-4582-a473-1b12e1f45929", + "id": "relationship--422f6662-a452-4dec-9112-cb172620cb35", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.494264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Guest Process Testing", - "description": "Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process responsible for these tasks, via its name or other methods, is a technique employed by malware for detecting whether it is being executed in a virtual machine.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.010" - } - ], + "created": "2021-02-10T06:49:35.705443Z", + "modified": "2021-02-10T06:49:35.705443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--77932220-efa9-44d5-b3a9-c5d9ed4f3573", + "target_ref": "attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", + "id": "relationship--5785e586-1acd-466f-91b1-b0453295a9db", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.008483Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Non-Cryptographic Hash", - "description": "Malware may use a non-cryptographic hash.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": 
"mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md", - "external_id": "C0030" - } - ], + "created": "2021-02-10T06:49:35.466445Z", + "modified": "2021-02-10T06:49:35.466445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fe39ee83-4f97-4989-b1f4-11a95d36b9d2", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--791870bd-2325-4d30-b437-5e90ee997f3c", + "id": "relationship--6c274032-6011-4066-b65b-da1edc3c1041", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.706262Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Process detection - PE Utilities", - "description": "Malware can scan for the process name associated with common analysis tools. 
ImportREC / PETools / LordPE", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013.006" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--81bed55c-e336-4637-bae0-07d7d4d82ebe", + "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--793f4091-8c74-4062-95e0-0b32bccb5777", + "id": "relationship--f0c10f1d-a4db-4f0f-83c8-e9de21c5885c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.018479Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Set File Attributes", - "description": "Malware sets or modifies the attributes of a file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/set-file-attr.md", - "external_id": "C0050" - } - ], + "created": "2021-02-10T06:49:35.631517Z", + "modified": "2021-02-10T06:49:35.631517Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fe662062-536d-43ca-912b-534a2936ddad", + "target_ref": "attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", 
"spec_version": "2.1", - "id": "attack-pattern--795aa535-959e-44b7-9f5e-2d5d0ca3cd1c", + "id": "relationship--61ca9cbc-792f-46c6-8dc5-1349697867e2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.515309Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Relocate API Code", - "description": "Relocate API code in separate buffer (calls donā€™t lead to imported DLLs).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.020" - } - ], + "created": "2021-02-10T06:49:35.578443Z", + "modified": "2021-02-10T06:49:35.578443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3110ab37-847b-4f50-be91-9748cee0f4a0", + "target_ref": "attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "id": "relationship--9dc4df30-f394-4cfd-b66d-a94549722774", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.539263Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Memory Dump Evasion", - "description": "Malware hinders retrieval and/or discovery of the contents of the physical memory of the system on which the malware instance is executing [[1]](#1).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006" - }, - { - "source_name": "external_source", - "description": "J. Stuttgen, M. Cohen, Anti-forensic resilient memory acquisition,", - "url": "https://www.dfrws.org/sites/default/files/session-files/paper-anti-forensic_resilient_memory_acquisition.pdf" - }, - { - "source_name": "external_source", - "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" - }, - { - "source_name": "external_source", - "url": "http://waleedassar.blogspot.com/search/label/anti-dump" - }, - { - "source_name": "external_source", - "url": "https://www.gironsec.com/code/packers.pdf" - } - ], + "created": "2021-02-10T06:49:35.564484Z", + "modified": "2021-02-10T06:49:35.564484Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--acddeb41-5339-4148-8a12-04b9ca687086", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--79e12011-d4af-449f-b2da-6b4227564808", + "id": "relationship--25804a0b-df29-4056-aff8-f04d3eb71745", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.466263Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "OutputDebugString", - "description": "(GetLastError); The OutputDebugString function will demonstrate different behavior depending whether or not a debugger is present. 
See for details.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.016" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2022-02-04T23:52:40.97859Z", + "modified": "2022-02-04T23:52:40.97859Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--21399f14-f429-48f6-be04-d971783ba531", + "target_ref": "attack-pattern--1a89f398-f3ef-484a-8735-024823241a11", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7aa33db8-4800-430a-8068-8b57b85a9b8a", + "id": "relationship--8bdc3076-c065-4fc1-a9e6-3a3f0f3080ca", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.512264Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Inlining", - "description": "Variation of static linking where full API code inserted everywhere it would have been called.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.011" - } - ], + "created": "2021-02-10T06:49:35.470482Z", + "modified": "2021-02-10T06:49:35.470482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--903b44e8-0547-4945-ac5a-ee21d0898d4d", + "target_ref": 
"attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7adc736f-d3ca-438a-8bce-46967e062ea3", + "id": "relationship--ee6de7aa-11e1-442a-bbf8-2a8a110e57b4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.886262Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Create Process via Shellcode::Create Process", - "description": "Malware uses shellcode to create a process.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-process.md", - "external_id": "C0017.001" - } - ], + "created": "2022-02-04T23:52:40.994215Z", + "modified": "2022-02-04T23:52:40.994215Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a60432c5-54ee-4c76-be1b-409f3f0e4795", + "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7ae3202c-73b7-4153-a577-4d3084e2675f", + "id": "relationship--7cc7dc4b-552c-4bb6-8201-be33f91eaae2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.031479Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Set Registry Key::Registry", - "description": "Malware sets a registry key.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], - "external_references": [ - { 
- "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", - "external_id": "C0036.001" - } - ], + "created": "2021-02-10T06:49:35.662504Z", + "modified": "2021-02-10T06:49:35.662504Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--39df68e5-9065-4b60-8ad1-ff626707b95a", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7c01a0a6-5081-4609-9546-120f0652f1d4", + "id": "relationship--c1521290-d1f9-4e3d-871f-5e553e143d2b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.483264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Human User Check", - "description": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. Directories or file might be counted. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel, change in foreground window . 
This method is very similar to ATT&CK's [Virtualization/Sandbox Evasion: User Activity Based Checks](https://attack.mitre.org/techniques/T1497/002/) sub-technique.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.012" - }, - { - "source_name": "external_source", - "url": "https://github.com/LordNoteworthy/al-khaser" - } - ], + "created": "2021-02-10T06:49:35.715443Z", + "modified": "2021-02-10T06:49:35.715443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--006afc45-b6df-4e75-8102-b38ccb09db58", + "target_ref": "attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7c1bb00d-f8cb-4ca8-aa11-b59f5b108996", + "id": "relationship--557af9e7-def2-4117-9b51-a75469fc90d2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.754261Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Automated Exfiltration", - "description": "Malware may exfiltrate data via automated processing or scripting.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "exfiltration" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/auto-exfiltrate.md", - "external_id": "E1020" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1020/", - "external_id": "T1020" - } - ], + "created": "2021-02-10T06:49:35.482442Z", + "modified": "2021-02-10T06:49:35.482442Z", + 
"relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4283aa07-89f3-40d8-b45f-87ef48c8a86d", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7c5cb62b-9374-47b1-8a2f-82204b8640b6", + "id": "relationship--217e7f76-04aa-4f8e-8fc2-273c2631dee3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.923443Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Encryption-Custom Algorithm", - "description": "A custom algorithm is used to encrypt a malware sample, file, or other information.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", - "external_id": "E1027.m08" - } - ], + "created": "2021-02-10T06:49:35.667444Z", + "modified": "2021-02-10T06:49:35.667444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b62ec15e-4b56-482f-9721-72733c520d1b", + "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7c77b8ac-f548-48ae-813d-028de1a8d9fd", + "id": "relationship--de493b3b-3b2d-4cf8-bc7c-c5831cb22a8d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.70226Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Self 
Deletion", - "description": "Malware may uninstall itself to avoid detection.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/self-deletion.md", - "external_id": "F0007" - } - ], + "created": "2022-02-04T23:52:40.945699Z", + "modified": "2022-02-04T23:52:40.945699Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a03af833-a578-465a-bf8c-43c9db4f4775", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89", + "id": "relationship--fab038b8-deb8-48ac-a137-eb4b5a2203dc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.86526Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Create File", - "description": "Malware creates a file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/create-file.md", - "external_id": "C0016" - } - ], + "created": "2021-02-10T06:49:35.634427Z", + "modified": "2021-02-10T06:49:35.634427Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4a062538-03cd-44da-a19f-6ed4401a4c36", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", 
"spec_version": "2.1", - "id": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", + "id": "relationship--82fe7e83-1dcb-4c39-a6c7-0613d0ee6412", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.844259Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "WinINet", - "description": "The Windows Internet (WinINet) application programming interface (API) is used by malware to interact with FTP and HTTP protocols to access Internet resources.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", - "external_id": "C0005" - }, - { - "source_name": "external_source", - "url": "https://docs.microsoft.com/en-us/windows/win32/wininet/wininet-functions" - } - ], + "created": "2021-02-10T06:49:35.527917Z", + "modified": "2021-02-10T06:49:35.527917Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--55040e64-313d-4656-8e1c-1146ff2f47d7", + "target_ref": "attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29", + "id": "relationship--8650287d-c065-4a52-9772-435273ffae82", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.638268Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Alternative Installation Location", - "description": "Malware may install itself not as a file on the hard drive.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - 
"source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/alter-install-location.md", - "external_id": "B0027" - }, - { - "source_name": "external_source", - "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" - } - ], + "created": "2021-02-10T06:49:35.506476Z", + "modified": "2021-02-10T06:49:35.506476Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--795aa535-959e-44b7-9f5e-2d5d0ca3cd1c", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7f30f323-51eb-42a6-8331-834b0da343cc", + "id": "relationship--fc27e964-55a5-42c3-bf7b-28fcc8d8b136", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.512264Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Loop Escapes", - "description": "Use SEH or other methods to break out of a loop instead of a conditional jump.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.012" - } - ], + "created": "2021-02-10T06:49:35.585443Z", + "modified": "2021-02-10T06:49:35.585443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3dc536c2-fa47-4acd-9043-1b0a0c2b2db6", + "target_ref": "attack-pattern--7c77b8ac-f548-48ae-813d-028de1a8d9fd", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--7f779291-853e-4e30-a57c-0b3276b70905", + "id": "relationship--2593056e-06be-46de-b8c3-6c05773ecc2c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:36.093464Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Minifilter::Install Driver", - "description": "Malware registers a minifilter.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "hardware-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/install-driver.md", - "external_id": "C0037.001" - } - ], + "created": "2021-02-10T06:49:35.680442Z", + "modified": "2021-02-10T06:49:35.680442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1057fe1c-c844-4de3-b72d-05313572a36c", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7fac651b-a6ae-494c-9386-d75a454776da", + "id": "relationship--3c99c563-b702-4611-98da-18d07b825dd0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.893484Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "ASPack", - "description": "Uses ASPack.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.013" - } - ], + 
"created": "2022-02-04T23:52:40.945699Z", + "modified": "2022-02-04T23:52:40.945699Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b3030683-9d60-4b63-8498-f7fac91c244d", + "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--7fb51daf-9a09-4cab-b202-fec90ad30e03", + "id": "relationship--5b844d1a-0ade-4a6f-a5f8-99feb4aef74f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.798261Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Spamming", - "description": "Malware may use a victim machine to create and send spam.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/spamming.md", - "external_id": "B0039" - }, - { - "source_name": "external_source", - "url": "https://techcrunch.com/2019/07/12/trickbot-spam-millions-emails/" - } - ], + "created": "2021-02-10T06:49:35.712898Z", + "modified": "2021-02-10T06:49:35.712898Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7ae3202c-73b7-4153-a577-4d3084e2675f", + "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--80d3bfbb-e88b-4396-9233-9fc88096a938", + "id": "relationship--fe43e943-72cf-47df-892a-96ad269cc626", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.974485Z", - "modified": 
"2022-02-05T00:37:22.741756Z", - "name": "Read Header::HTTP Communication", - "description": "HTTP read header.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.014" - } - ], + "created": "2021-02-10T06:49:35.684783Z", + "modified": "2021-02-10T06:49:35.684783Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--66f0b43c-19fd-40b8-ae4f-de356df77371", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--80ee5a98-6e25-4cb6-a6d2-3321855e14e2", + "id": "relationship--826a0d8f-b98b-4025-8148-bc20c9cbdfc6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Hidden Processes", - "description": "Hides processes used by the adversary or malware instance. 
This can involve techniques such as process list unlinking.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md", - "external_id": "E1564.m03" - } - ], + "created": "2022-02-04T23:52:40.89883Z", + "modified": "2022-02-04T23:52:40.89883Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--195e17be-fac3-4ffe-a961-631e2af205bb", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--81062418-20ac-4df8-86e0-856587b02533", + "id": "relationship--e995ac4c-4fa0-4166-b29c-241a37dafc41", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Inline Patching", - "description": "Inline patching (inline hooking) is done by modifying the beginning of a function in order to redirect the execution flow to custom code (i.e. 
redirecting code flow) before jumping back to the original function.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", - "external_id": "F0015.002" - }, - { - "source_name": "external_source", - "url": "https://www.oreilly.com/library/view/learning-malware-analysis/9781788392501/a0a506d6-d062-48c1-a0a8-57d6acb77785.xhtml" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c44b1c58-8da1-4ebe-a427-a9f2821e7a85", + "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--81090849-4ac4-4838-9e06-6a027036d936", + "id": "relationship--43824188-5804-4e65-9ed8-0cd21ba1947a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.031479Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Delete Registry Value::Registry", - "description": "Malware deletes a registry value.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", - "external_id": "C0036.007" - } - ], + "created": "2021-02-10T06:49:35.515492Z", + "modified": "2021-02-10T06:49:35.515492Z", 
+ "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--24d2552e-d0ee-4ab5-8e75-743b233379e1", + "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--81bed55c-e336-4637-bae0-07d7d4d82ebe", + "id": "relationship--b00f5d07-0800-4d73-a10d-01e7453b15b5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Encryption", - "description": "A malware sample, file, or other information is encrypted.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", - "external_id": "E1027.m04" - } - ], + "created": "2021-02-10T06:49:35.454445Z", + "modified": "2021-02-10T06:49:35.454445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fb0ec928-14d1-49f3-9897-14e3613b4ad7", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--81c902fa-0862-4f21-b951-f82a5d39f204", + "id": "relationship--1cc24541-f26d-49e9-82fc-5d662a764e54", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.500263Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Modern Specs Check", - "description": "Different 
aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.013" - } - ], + "created": "2021-02-10T06:49:35.511492Z", + "modified": "2021-02-10T06:49:35.511492Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d61dcb50-dcf8-408d-96e2-f3cd75f93be0", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8226e7fa-8e78-497b-9967-32e5d1395e12", + "id": "relationship--07235f37-4424-4d68-a0f9-f2ae7df3fbd9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Hidden Kernel Modules", - "description": "Hides the use of kernel modules by the malware instance (e.g. rootkit). 
Techniques include kernel module list unlinking.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md", - "external_id": "E1564.m05" - } - ], + "created": "2021-02-10T06:49:35.659443Z", + "modified": "2021-02-10T06:49:35.659443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--cfa8658b-c504-41eb-9886-05de4962319c", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--82b547ba-e0b0-457f-95fc-c661d1aa0942", + "id": "relationship--1257776e-5303-4cdb-98c4-f2041eacb3ee", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.980486Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Create Socket::Socket Communication", - "description": "A server or client creates a UDP or TCP socket.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.003" - } - ], + "created": "2021-02-10T06:49:35.700442Z", + "modified": "2021-02-10T06:49:35.700442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--31c2f227-2583-4f36-a24f-0f2610f1e055", + "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" 
- ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36", + "id": "relationship--4b164a76-c735-48bd-867f-475b5ffbaa72", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.965484Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Modify Hardware", - "description": "Malware modifies hardware.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/modify-hardware.md", - "external_id": "B0042" - } - ], + "created": "2021-02-10T06:49:35.553443Z", + "modified": "2021-02-10T06:49:35.553443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--13631209-26c3-481c-bd8c-fa6c57c3dbe5", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--83576712-779f-4c76-9459-939092f6cd70", + "id": "relationship--c32e1ecd-2484-43db-900b-a91b5c12313b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Application Rootkit", - "description": "Application rootkits operate by exchanging standard application files with rootkit files, or changing applications by injecting code or patching.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", - "external_id": "E1014.m12" - } - ], + "created": "2021-02-10T06:49:35.487484Z", + "modified": "2021-02-10T06:49:35.487484Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7850a582-f8c8-4582-a473-1b12e1f45929", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--83892ea2-fded-49dd-bca7-d415f8fea8f9", + "id": "relationship--528345e9-514a-4620-afd8-ba7295737682", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.583262Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "UPX", - "description": "Uses UPX packer.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.008" - } - ], + "created": "2021-02-10T06:49:35.623442Z", + "modified": "2021-02-10T06:49:35.623442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--cbfcfc30-2fa3-4160-a9ba-4cc6c0f48345", + "target_ref": "attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--838d57ce-1e63-4898-9054-14851119e5fc", + "id": 
"relationship--c53091e2-0a17-400c-9b94-a14064d8e51c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.000444Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "CRC32::Checksum", - "description": "Malware computes a CRC32 checksum.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md", - "external_id": "C0032.001" - } - ], + "created": "2021-02-10T06:49:35.587443Z", + "modified": "2021-02-10T06:49:35.587443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--791870bd-2325-4d30-b437-5e90ee997f3c", + "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--84157800-81cd-4b3a-abb0-5f7ada18a28f", + "id": "relationship--fb64183a-4e8c-49b0-82a1-009363e19e52", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.474262Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "TLS Callbacks", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.029" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2021-02-10T06:49:35.67747Z", + "modified": "2021-02-10T06:49:35.67747Z", + 
"relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d37365f4-63c4-4c3e-a81e-be518e7561f1", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--84b9dfc5-4109-40fb-8378-52ecc2919cb4", + "id": "relationship--13de7558-6a22-43ec-ab37-1c914ff46320", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.577262Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Armadillo", - "description": "Uses Armadillo.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.012" - } - ], + "created": "2021-02-10T06:49:35.68425Z", + "modified": "2021-02-10T06:49:35.68425Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a6c50b34-3247-4e39-91d5-75f4fb97a9f9", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--85137da0-876b-4ce2-a1ce-d582043ed578", + "id": "relationship--9036a685-bb6f-4ce5-a00e-4b20720ebd7c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.017471Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Read 
Virtual Disk", - "description": "Malware reads a virtual disk.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/read-virtual-disk.md", - "external_id": "C0056" - } - ], + "created": "2021-02-10T06:49:35.501442Z", + "modified": "2021-02-10T06:49:35.501442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b7225469-01b6-4708-8bf9-aff549a703ce", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--856d6d11-4b8a-47d6-afb0-b79aa462fa26", + "id": "relationship--05ebcbe4-c162-4160-ba6c-0651b1950fb5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Skipjack::Decrypt Data", - "description": "Malware decrypts data encrypted with the Skipjack block cipher algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.011" - } - ], + "created": "2022-02-04T23:52:40.89883Z", + "modified": "2022-02-04T23:52:40.89883Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--17e05846-68f4-4f0c-bc23-88e01515bfcf", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - 
"x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--85809708-79ee-4bff-824e-471b7bbd30a9", + "id": "relationship--17a27085-ee15-47d8-b2c5-5f7ea721b6af", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.976483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Echo Request::ICMP Communication", - "description": "Send ICMP echo request.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/icmp-comm.md", - "external_id": "C0014.002" - } - ], + "created": "2021-02-10T06:49:35.500442Z", + "modified": "2021-02-10T06:49:35.500442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b40aba49-57d9-4a99-a29e-2629e35991c9", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--85d9ce2b-1b52-4de5-8b03-74ed590639d6", + "id": "relationship--c3b2136c-216f-47e7-a621-b38bd2bf5477", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.465264Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "NtSetInformationThread", - "description": "Calling this API with a fake class length or thread handle can indicate whether it is hooked. 
After calling NtSetInformationThread properly, the HideThreadFromDebugger flag is checked with the NtQueryInformationThread API.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.014" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2022-09-08T18:26:19.12996Z", + "modified": "2022-09-08T18:26:19.12996Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7781ebfd-13bd-4a00-9c51-ed98a45f8749", + "target_ref": "attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--85da3a4e-287a-45b9-91d2-019b59af07e3", + "id": "relationship--48fec1d5-1bc4-4803-88ad-9220672885c6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.473261Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Software Breakpoints", - "description": "(INT3/0xCC)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.025" - } - ], + "created": "2022-09-08T18:26:19.145194Z", + "modified": "2022-09-08T18:26:19.145194Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6a958b33-6517-459c-afda-7f4f490ac15d", + 
"target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8736d370-3b61-4b4d-a371-0a01e988cbde", + "id": "relationship--a47bdcdb-748c-420c-977f-9917f0628b5e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.52426Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Illusion", - "description": "Creates an illusion; makes the analyst think something happened when it didn't.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.009" - } - ], + "created": "2021-02-10T06:49:35.462442Z", + "modified": "2021-02-10T06:49:35.462442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--683507af-37f1-4db4-a922-d41cceaa8789", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--87414f49-bf46-4a09-9999-979d71eb16a5", + "id": "relationship--b2b54083-f0bb-419c-a8f6-7ac666e429da", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.907374Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "MSDTC", - "description": "The Distributed Transaction Coordinator (MSDTC) coordinates transaction across multiple resource managers (databases, message queues and file systems). 
This legitimate Microsoft service is part of Windows 2000 and later and can be used to import and load DLLs. Malware may abuse MSDTC to import and load DLLs.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/system-services.md", - "external_id": "E1569.m01" - }, - { - "source_name": "external_source", - "url": "https://support.resolver.com/hc/en-ca/articles/207161116-Configure-Microsoft-Distributed-Transaction-Coordinator-MSDTC-" - } - ], + "created": "2021-02-10T06:49:35.504443Z", + "modified": "2021-02-10T06:49:35.504443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d5e09700-cfae-43b7-831e-958a4e64251b", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--878a631a-286b-4df2-bd6c-29a14053c402", + "id": "relationship--1dc1a459-f855-473c-b647-c891d5ab7136", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.57026Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Multiple VMs", - "description": "Multiple virtual machines with different architectures (CISC, RISC, etc.) 
can be used inside of a single executable in order to make reverse engineering even more difficult.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-virtualize.md", - "external_id": "B0008.001" - } - ], + "created": "2021-02-10T06:49:35.642443Z", + "modified": "2021-02-10T06:49:35.642443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1afb242c-883b-40c2-8a37-fc5064dd7d2b", + "target_ref": "attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "id": "relationship--3fa431f8-8f27-4543-9f7b-1fbf52464fb4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.562264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Executable Code Obfuscation", - "description": "Executable code can be obfuscated to hinder disassembly and static code analysis. 
This behavior is specific to a malware sample's executable code (data and text sections).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032" - }, - { - "source_name": "external_source", - "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" - }, - { - "source_name": "external_source", - "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/" - }, - { - "source_name": "external_source", - "description": "Rob Simmons, \"Comparing Malicious Files,\" BSides, 2019.", - "url": "http://www.irongeek.com/i.php?page=videos/bsidescharm2019/2-04-comparing-malicious-files-robert-simmons" - } - ], + "created": "2021-02-10T06:49:35.563442Z", + "modified": "2021-02-10T06:49:35.563442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--76206161-2e14-48a0-9191-998ef774b345", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921", + "id": "relationship--bfc1713b-29d0-47b0-8f7d-d6be58027d61", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.590269Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Cryptocurrency", - "description": "Malware accesses files that contain sensitive data or credentials related to Bitcoin and other cryptocurrency wallets.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - 
"phase_name": "credential-access" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/cryptocurrency.md", - "external_id": "B0028" - } - ], + "created": "2021-02-10T06:49:35.534443Z", + "modified": "2021-02-10T06:49:35.534443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c8d17860-f4e4-4403-a28b-02c784a3ca70", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8845345d-4d1d-4527-9b6a-93f23f247992", + "id": "relationship--a1fc39ac-cee5-4bb3-bea5-f356e08e2e6e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.871262Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Allocate Memory", - "description": "Malware allocates memory, often to unpack itself.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "memory-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/allocate-memory.md", - "external_id": "C0007" - } - ], + "created": "2022-02-04T23:52:40.97859Z", + "modified": "2022-02-04T23:52:40.97859Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--da0fe52b-e2c5-4574-a572-09c999c86b59", + "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--88906eb3-c6df-452f-a16d-d276a39a39d4", + "id": 
"relationship--22ac23f2-a367-41e2-a1c2-29828cdcb864", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.87726Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Executable Heap::Change Memory Protection", - "description": "The heap is made executable.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "memory-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/memory-protect.md", - "external_id": "C0008.002" - } - ], + "created": "2021-02-10T06:49:35.468521Z", + "modified": "2021-02-10T06:49:35.468521Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--dcfb5c52-a6e0-4c64-a937-91d730cd7a5b", + "target_ref": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8", + "id": "relationship--eea1dce5-cb18-42da-8ca2-cbf2ca30cbb7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.616261Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Remote File Copy", - "description": "Malware may copy files from one system to another.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "lateral-movement" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/remote-file-copy.md", - "external_id": "E1105" - }, - { - "source_name": "external_source", - 
"url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1105/", - "external_id": "T1105" - } - ], + "created": "2022-02-04T23:52:40.97859Z", + "modified": "2022-02-04T23:52:40.97859Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fdc4b63d-2ee4-49af-b2d4-2defeff3d87d", + "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--89594c9d-1e28-49a2-8969-694ade43e857", + "id": "relationship--8c10f244-a9c2-4815-8040-0f36189df0f0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.464262Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Monitoring Thread", - "description": "Malware may spawn a monitoring thread to detect tampering, breakpoints, etc.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.011" - } - ], + "created": "2021-02-10T06:49:35.490481Z", + "modified": "2021-02-10T06:49:35.490481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a0033d2f-e4c5-4bbf-854b-198fd82d0c0b", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--89a1d613-7163-493b-8aa9-7a528dd1dd3e", + "id": 
"relationship--6512566b-ff2b-4f16-9cbf-17e2fb4d06de", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.515309Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "RtlAdjustPrivilege", - "description": "Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.022" - } - ], + "created": "2021-02-10T06:49:35.53757Z", + "modified": "2021-02-10T06:49:35.53757Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1212c336-4105-477e-9e3a-0789790a3941", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--89bb05dd-fd11-40c4-918e-db0c3cde0955", + "id": "relationship--00518fe5-bc55-413f-a3d3-54ec08afe2a1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.922442Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Encoding-Custom Algorithm", - "description": "A custom algorithm is used to encode a malware sample, file or other information.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", - "external_id": "E1027.m03" - } - ], + 
"created": "2021-02-10T06:49:35.603442Z", + "modified": "2021-02-10T06:49:35.603442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a5bc5daf-255e-4e9b-a4c4-508dc3a434ff", + "target_ref": "attack-pattern--7c1bb00d-f8cb-4ca8-aa11-b59f5b108996", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--89cee1bf-b7ab-4c13-8011-22364628422d", + "id": "relationship--8299bd93-7c36-4c35-a732-5abda6ba8dab", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.677261Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Encryption - Custom Encryption", - "description": "Data is encrypted. A custom algorithm is used to encrypt the exfiltrated data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "exfiltration" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", - "external_id": "E1560.m06" - } - ], - "object_marking_refs": [ + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1540ed37-87c4-485f-b729-1e418a63762c", + "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", + "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8a7350ca-f1f6-42db-9fbf-aa110d02e338", + "id": "relationship--76e0d327-5877-43d1-957d-4b07239f216f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": 
"2022-02-05T00:37:22.616726Z", - "name": "System Service Dispatch Table Hooking", - "description": "Hooks the system service dispatch table (SSDT), also called the system service descriptor table. The SSDT contains information about the service tables used by the operating system for dispatching system calls. Hooking the SSDT enables malware to hide files, registry keys, and network connections.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.004" - } - ], + "created": "2022-09-08T18:26:19.081235Z", + "modified": "2022-09-08T18:26:19.081235Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--97ebea10-8852-4c4f-bf50-8b866ebc90ab", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8abe31b2-7123-41f1-9ca3-5653bc1c0fdc", + "id": "relationship--5d1c50b2-4901-4d80-b15f-26548a0cfc4a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.788262Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Cryptojacking", - "description": "Consume system resources to mine for cryptocurrency (e.g., Bitcoin, Litecoin, etc.).", - 
"kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/hijack-sys-resources.md", - "external_id": "B0018.002" - } - ], + "created": "2021-02-10T06:49:35.711465Z", + "modified": "2021-02-10T06:49:35.711465Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9aa6cbcb-2654-4533-a47c-3b44b62cb6a2", + "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8b1810b0-5885-47ec-963b-b3fecbe1825a", + "id": "relationship--56821799-dd4f-4317-abb6-79d3a7d71dc0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.996445Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "RC4 PRGA::Generate Pseudo-random Sequence", - "description": "Malware generates a pseudo-random sequence using the RC4 Pseudo Random (Byte) Generation Algorithm (PRGA).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md", - "external_id": "C0021.004" - } - ], + "created": "2021-02-10T06:49:35.577443Z", + "modified": "2021-02-10T06:49:35.577443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--dad3c536-a9a6-492b-baae-4353f2c6f601", + "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", 
+ "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8b39b092-d827-4e58-9b67-a9b9e8c6f297", + "id": "relationship--8e82c079-e3e6-4f74-bdf8-54eb7eddbbc8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.465264Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "NtQueryObject", - "description": "The ObjectTypeInformation and ObjectAllTypesInformation flags are checked for debugger detection.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.013" - } - ], + "created": "2021-02-10T06:49:35.599445Z", + "modified": "2021-02-10T06:49:35.599445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6479f655-1a26-4a37-96b4-170c5a57a31d", + "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8bf7607c-b292-40e6-9372-8624fc971a66", + "id": "relationship--b4bd5caa-febb-4ac2-82f0-f22836bdfaf1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.501259Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Modern Specs Check - Processor count", - "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. 
Checks number of processors; single CPU machines are suspect.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.018" - } - ], + "created": "2021-02-10T06:49:35.710275Z", + "modified": "2021-02-10T06:49:35.710275Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--81090849-4ac4-4838-9e06-6a027036d936", + "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8c5ccf4d-b443-4803-8e69-eb83b1564c48", + "id": "relationship--aa33bb23-b570-4b9c-94ff-a25d0ff61572", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.798698Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Procedure Hooking", - "description": "Intercepts and executes designated code in response to events such as messages, keystrokes, and mouse inputs.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003.003" - }, - { 
- "source_name": "external_source", - "url": "https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures" - } - ], + "created": "2022-02-04T23:52:40.914452Z", + "modified": "2022-02-04T23:52:40.914452Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8c803835-6fd8-4af8-a178-be3e2dc43687", + "id": "relationship--39af8459-c0a2-40c0-b35c-5646b651d05e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.965484Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Printer", - "description": "The printer is modified.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/modify-hardware.md", - "external_id": "B0042.003" - } - ], + "created": "2021-02-10T06:49:35.657447Z", + "modified": "2021-02-10T06:49:35.657447Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6ffd281c-acc5-4543-9fb5-aa0002339ea8", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a", + "id": "relationship--a6d7f695-1c7d-4eda-b493-a58b49428f03", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.003478Z", 
- "modified": "2022-02-05T00:37:22.788643Z", - "name": "Decode Data", - "description": "Malware may decode data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decode.md", - "external_id": "C0053" - } - ], + "created": "2021-02-10T06:49:35.588443Z", + "modified": "2021-02-10T06:49:35.588443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6287eb18-a197-4822-b0f5-99b4237fe18a", + "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8cf4e8d0-21b6-4e35-97c2-97e6c5322509", + "id": "relationship--a60acc51-7a7a-4346-b015-f74485f0beb1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.985484Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "MD5::Cryptographic Hash", - "description": "Malware uses an MD5 hash.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", - "external_id": "C0029.001" - } - ], + "created": "2022-09-08T18:26:19.144826Z", + "modified": "2022-09-08T18:26:19.144826Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--80ee5a98-6e25-4cb6-a6d2-3321855e14e2", + "target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, 
{ - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8d788ace-f057-449d-bd8b-b0db3fdb5b07", + "id": "relationship--73d8c064-876d-4735-aca1-371a05bd0d54", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.974485Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Send Response::HTTP Communication", - "description": "HTTP server sends response.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.016" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2c55e74c-c066-43e0-bdaa-8d74959b7694", + "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8d901ae3-1492-4090-b730-438071314947", + "id": "relationship--516562a4-11aa-4bdc-87a6-a65c127e16a0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.65626Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Disable System File Overwrite Protection", - "description": "Disables system file overwrite protection mechanisms such as Windows file protection, thereby enabling system files to be modified or replaced.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", - "external_id": "F0004.002" - } - ], + "created": "2021-02-10T06:49:35.651444Z", + "modified": "2021-02-10T06:49:35.651444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--37eb387f-ecb3-4098-926b-2e1d2c3da16e", + "target_ref": "attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8df78326-a8e8-4039-82a7-3dd375910e71", + "id": "relationship--2b019698-7439-411a-a014-6d213ab076ce", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.031479Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Open Registry Key::Registry", - "description": "Malware opens a registry key.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", - "external_id": "C0036.003" - } - ], + "created": "2021-02-10T06:49:35.464445Z", + "modified": "2021-02-10T06:49:35.464445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--84157800-81cd-4b3a-abb0-5f7ada18a28f", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "id": "relationship--5b9305b5-84da-48d9-a66f-5d6b0f0a0083", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.47626Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Debugger Detection", - "description": "Malware detects whether it's being executed inside a debugger. If so, conditional execution selects a benign execution path.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001" - }, - { - "source_name": "external_source", - "description": "Alexander Antukh, \"Anti-debugging Techniques Cheat Sheet,\" 19 January 2015.", - "url": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet." - }, - { - "source_name": "external_source", - "description": "Joshua Cannell, Malwarebytes Labs, \"Five Anti-Analysis Tricks that sometimes Fool Analysts,\" 31 March 2016.", - "url": "https://blog.malwarebytes.com/threat-analysis/2014/09/five-anti-debugging-tricks-that-sometimes-fool-analysts." - }, - { - "source_name": "external_source", - "description": "Peter Ferrie, \"The 'Ultimate' Anti-Debugging Reference,\" 4 May 2011.", - "url": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf." - }, - { - "source_name": "external_source", - "description": "Atif Mushtaq, FireEye, \"The Dead Giveaways of VM-Aware Malware,\" 27 January 2011.", - "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html." 
- }, - { - "source_name": "external_source", - "description": "Ayoub Faouzi (LordNoteworthy), Al-Khaser v0.79.", - "url": "https://github.com/LordNoteworthy/al-khaser" - }, - { - "source_name": "external_source", - "description": "Nicolas Falliere, Symantec, \"Windows Anti-Debug Reference,\" 11 September 2007.", - "url": "https://www.symantec.com/connect/articles/windows-anti-debug-reference." - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2021-02-10T06:49:35.498442Z", + "modified": "2021-02-10T06:49:35.498442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--23949fea-4e13-41e3-b8c7-b25efd93f346", + "target_ref": "attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8fb51611-3f2a-42e3-9af0-fd8eda882cf8", + "id": "relationship--2e8603db-3b75-4248-b9f0-70716c08b727", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.513264Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Nanomites", - "description": "int3 with code replacement table; debugs itself.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.015" - } - ], + "created": "2021-02-10T06:49:35.487484Z", + "modified": "2021-02-10T06:49:35.487484Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--91b7e621-49fe-4f7b-a8c6-0a377ceac3cd", + "target_ref": 
"attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--8fcb44c9-dec3-4358-bf3d-35b4174f7d2b", + "id": "relationship--fd07a2aa-1723-4b81-b2bd-5c3f9082bb49", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.516301Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Self-Debugging", - "description": "Debug itself to prevent another debugger to be attached.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.024" - } - ], + "created": "2021-02-10T06:49:35.661442Z", + "modified": "2021-02-10T06:49:35.661442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ced26a03-d356-4f8e-8337-9a07c0becd86", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--90006260-5019-4c35-8c88-6ee23826734e", + "id": "relationship--2245504c-9398-4e7e-86c9-ed407c029308", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.796261Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Reverse Shell", - "description": "Malware may create a reverse shell. 
For example, malware can invoke cmd.exe and create three pipes (stdin, stdout, stderr) to forward data between cmd.exe and an adversary.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/remote-access.md", - "external_id": "B0022.001" - } - ], + "created": "2021-02-10T06:49:35.562442Z", + "modified": "2021-02-10T06:49:35.562442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--04e25839-3207-4600-8972-618aa7cf44af", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--90206369-0c71-47cd-abf2-65e4e75fee99", + "id": "relationship--10d783c3-6935-4e70-82b4-064bd6c7684b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.980486Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Start TCP Server::Socket Communication", - "description": "A TCP server listens for client requests.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.005" - } - ], + "created": "2021-02-10T06:49:35.695455Z", + "modified": "2021-02-10T06:49:35.695455Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--91859e1a-022e-420a-bc00-af0546d891cb", + "target_ref": "attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a", 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--903b44e8-0547-4945-ac5a-ee21d0898d4d", + "id": "relationship--6e80f69c-e08f-4d12-9e61-affb609bfe7b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.479261Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check for WINE Version", - "description": "Checks for WINE via the `get_wine_version` function from WINE's `ntdll.dll`.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md", - "external_id": "B0004.002" - } - ], + "created": "2021-02-10T06:49:35.574482Z", + "modified": "2021-02-10T06:49:35.574482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--89bb05dd-fd11-40c4-918e-db0c3cde0955", + "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9048df12-c89f-45a6-99ac-caaa7446d6db", + "id": "relationship--072fb602-b48c-4e95-9ed8-e836c6e89336", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.918444Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Timestamp", - "description": "Malware may change the timestamp on a file to prevent detection.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - 
], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md", - "external_id": "F0005.004" - } - ], + "created": "2021-02-10T06:49:35.644023Z", + "modified": "2021-02-10T06:49:35.644023Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b", + "target_ref": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--904b465b-d733-4619-b0d5-5c394cd2b7f3", + "id": "relationship--42b86dee-4ac0-41ac-9a0b-1ceb62a65683", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.466263Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "NtYieldExecution/SwitchToThread", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.015" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2021-02-10T06:49:35.685993Z", + "modified": "2021-02-10T06:49:35.685993Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b74af853-9674-4bc7-9d30-be251db05e3d", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", 
- "id": "attack-pattern--90bb4fe0-057f-40b0-8fba-37005e7f6524", + "id": "relationship--7e1a826f-411b-4735-bed7-7f72aecfaae7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.490263Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check Registry Keys", - "description": "Virtual machines register artifacts in the registry, which can be detected by malware. For example, a search for \"VMware\" or \"VBOX\" in the registry might reveal keys that include information about a virtual hard drive, adapters, running services, or virtual mouse. Example registry key value artifacts include \"HARDWARE\\Description\\System (SystemBiosVersion) (VBOX)\" and \"SYSTEM\\ControlSet001\\Control\\SystemInformation (SystemManufacturer) (VMWARE)\"; example registry key artifacts include \"SOFTWARE\\VMware, Inc.\\VMware Tools (VMWARE)\" and \"SOFTWARE\\Oracle\\VirtualBox Guest Additions (VBOX)\".", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.005" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - }, - { - "source_name": "external_source", - "url": "https://github.com/LordNoteworthy/al-khaser" - } - ], + "created": "2021-02-10T06:49:35.489479Z", + "modified": "2021-02-10T06:49:35.489479Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--db58e527-5e81-489f-b05a-537ea9b6bae9", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--9108b308-b962-4468-86bf-8921f77c963c", + "id": "relationship--65457d14-1221-4a06-a652-f28ffc31c866", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.461261Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Interrupt 0x2d", - "description": "If int 0x2d is mishandled by the debugger, it can cause a single-byte instruction to be inadvertently skipped, which can be detected by malware.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.006" - } - ], + "created": "2021-02-10T06:49:35.538467Z", + "modified": "2021-02-10T06:49:35.538467Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b4931f82-5f27-4329-a0c4-4f953195e6f1", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--916d6dca-adbc-4af9-b810-eb7cd72779c8", + "id": "relationship--7584f133-0c09-41d6-b3b5-1610bf14ca6a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.868262Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Load Driver", - "description": "Malware loads a device driver or minifilter.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "hardware-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/load-driver.md", - "external_id": "C0023" - } - ], + "created": 
"2022-02-04T23:52:40.97859Z", + "modified": "2022-02-04T23:52:40.97859Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c9223618-2865-499f-890e-2848db80a6d9", + "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--91859e1a-022e-420a-bc00-af0546d891cb", + "id": "relationship--8cb22e7d-ca70-4070-96bf-c0b6c3f0bc84", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.003478Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Base64::Decode Data", - "description": "Malware may decode data using Base64.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decode.md", - "external_id": "C0053.001" - } - ], + "created": "2021-02-10T06:49:35.707444Z", + "modified": "2021-02-10T06:49:35.707444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--88906eb3-c6df-452f-a16d-d276a39a39d4", + "target_ref": "attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--91b7e621-49fe-4f7b-a8c6-0a377ceac3cd", + "id": "relationship--5e97acfb-5d93-4324-abda-2a162e187794", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.494264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "HTML5 Performance Object Check", - "description": "In three browser 
families, it is possible to extract the frequency of the Windows performance counter frequency, using standard HTML and Javascript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.011" - } - ], + "created": "2021-02-10T06:49:35.493443Z", + "modified": "2021-02-10T06:49:35.493443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b6679c6a-6312-44ec-a6fe-628a66d0cefe", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--91e25008-204c-4723-9c53-ca041c5fd2b1", + "id": "relationship--8ff14244-fcb2-4ab1-a1d5-b9f890d352c4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.917484Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Extension", - "description": "Malware may change or use a particular file extension to hide a file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md", - "external_id": "F0005.001" - } - ], + "created": "2021-02-10T06:49:35.687789Z", + "modified": "2021-02-10T06:49:35.687789Z", + 
"relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d4b96b74-7cf9-46c2-8c09-ea8fd124b15a", + "target_ref": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--92ac0cef-de80-4baa-869c-dc993492c0da", + "id": "relationship--b59c70f6-dd4c-44b9-bf95-d8ea33bf78b2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "SHA256::Cryptographic Hash", - "description": "Malware uses a SHA-256 hash.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", - "external_id": "C0029.003" - } - ], + "created": "2022-09-08T18:26:19.082428Z", + "modified": "2022-09-08T18:26:19.082428Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0a5b94d6-6800-4855-8cd9-d100af9f67d9", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9398839c-520f-4aab-9c81-92d6518800e7", + "id": "relationship--90d7b068-4825-407d-b547-9cce9f083ba2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.853263Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Check String", - "description": "Malware may check a string for some characteristics, such as being ascii content; credit card 
number; or length.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/check-string.md", - "external_id": "C0019" - } - ], + "created": "2021-02-10T06:49:35.681443Z", + "modified": "2021-02-10T06:49:35.681443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--648530a1-e16b-45c6-ae10-d3d47fc8bcb7", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--93ac6386-6f04-44cd-b7a5-78da3ced8b13", + "id": "relationship--a042cf35-5394-4403-90da-07bc34d7c536", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.467265Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Parent Process", - "description": "(Explorer.exe); Executing an application by a debugger will result in the parent process being the debugger process rather than the shell process (Explorer.exe) or the command line. 
Malware checks its parent process; if it's not explorer.exe, it's assumed to be a debugger.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.018" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2021-02-10T06:49:35.490481Z", + "modified": "2021-02-10T06:49:35.490481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--cd438b37-74b0-433b-85d2-8530724401fa", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--93bd89e3-9cfd-47f6-9fed-bb13b58acd82", + "id": "relationship--9b05c93c-83de-4024-9fb4-5d655db76140", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.491263Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check Virtual Devices", - "description": "The presence of virtual devices can indicate a virtualized environment (e.g., \"\\\\.\\VBoxTrayIPC\").", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.008" - }, - { - "source_name": "external_source", - "url": "https://github.com/LordNoteworthy/al-khaser" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": 
"2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--81062418-20ac-4df8-86e0-856587b02533", + "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9406d0e3-7e61-42c9-8532-a35459deb4e7", + "id": "relationship--9ce01c99-722e-403e-8f24-b9859a9b8912", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.492261Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Check Windows - Title bars", - "description": "Malware may check windows for VM-related characteristics. May inject malicious code to svchost.exe to check all open window title bar text to a list of strings indicating virtualized environment.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.022" - } - ], + "created": "2022-02-04T23:52:40.97859Z", + "modified": "2022-02-04T23:52:40.97859Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fd9f551a-f0ef-42e2-bf82-acdf1062852b", + "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--94813d2d-0eb5-4037-8c03-07896bd7233b", + "id": "relationship--d0259a59-21f5-4e14-8d25-9af86df83bb1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2020-08-21T20:49:59.842259Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "InternetConnect::WinINet", - "description": "Opens an FTP or HTTP session for a given site.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", - "external_id": "C0005.001" - } - ], + "created": "2021-02-10T06:49:35.672443Z", + "modified": "2021-02-10T06:49:35.672443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a0021942-1e00-442e-8ed8-285293eeb5e9", + "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2", + "id": "relationship--4e60ed0e-a71a-4e33-90e4-17d90076aa45", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.981483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Send Data::Socket Communication", - "description": "Send data on socket.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.007" - } - ], + "created": "2022-02-04T23:52:40.97859Z", + "modified": "2022-02-04T23:52:40.97859Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d5762c67-a576-4aa8-aacd-3fba3a7f4599", + "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--957f9b42-4f80-4da0-8dd1-75738e470fe2", + "id": "relationship--51ca1656-ea81-4547-9319-e9cf419a33fc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.037481Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Create Thread", - "description": "Malware creates a thread.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-thread.md", - "external_id": "C0038" - } - ], + "created": "2021-02-10T06:49:35.699097Z", + "modified": "2021-02-10T06:49:35.699097Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--69401771-6ed2-45b5-bc81-68444a3dc4c9", + "target_ref": "attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--95c86aee-57b2-4cc2-9354-772a30b4024f", + "id": "relationship--567dba20-4c5a-4091-a9a0-742c742a94af", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.707263Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Process detection - Process Utilities", - "description": "Malware can scan for the process name associated with common analysis tools. 
ProcessHacker / SysAnalyzer / HookExplorer / SysInspector", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013.005" - } - ], + "created": "2021-02-10T06:49:35.532854Z", + "modified": "2021-02-10T06:49:35.532854Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--415ff076-0f63-4040-940e-439321695a67", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9615d610-999a-417d-bf19-54da01c38b89", + "id": "relationship--0f5c1e90-c9d6-4503-8180-21380d6aa4f4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.502264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Unique Hardware/Firmware Check", - "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.023" - } - ], + "created": "2021-02-10T06:49:35.483443Z", + "modified": "2021-02-10T06:49:35.483443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--90bb4fe0-057f-40b0-8fba-37005e7f6524", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" 
- ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--963d7b96-04f2-4c34-82ae-64bc6d5d37dc", + "id": "relationship--af859378-d408-42c6-87d5-0e61269535e0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.606261Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Request Email Template", - "description": "Request email template.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.009" - } - ], + "created": "2021-02-10T06:49:35.703048Z", + "modified": "2021-02-10T06:49:35.703048Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--bbcbbd85-689f-486f-b3be-e36852dfe5c5", + "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", + "id": "relationship--5be82a40-6219-481d-bc8c-3c07a1ed98e4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.708261Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Analysis Tool Discovery", - "description": "Malware can employ various means to detect whether analysis tools are present or running on the system on which it is executing. 
Note that analysis tools are used to *analyze* malware whereas security software (see [Software Discovery: Security Software Discovery](https://attack.mitre.org/techniques/T1518/001/)) aims to *detect/mitigate* malware on a system or network.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013" - } - ], + "created": "2021-02-10T06:49:35.707444Z", + "modified": "2021-02-10T06:49:35.707444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--97dff623-9e06-4810-b316-8eedabe893f0", + "target_ref": "attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--966c59f0-e5f7-4c3f-80f8-49091c015ad7", + "id": "relationship--54b2b002-a735-49e5-adcf-2fdd110ff811", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Encoding", - "description": "A malware sample, file, or other information is encoded.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", - "external_id": "E1027.m01" - } - ], + "created": "2021-02-10T06:49:35.507477Z", + "modified": "2021-02-10T06:49:35.507477Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3fe270a3-09a5-4ca9-937f-d2bee9afed96", + 
"target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--968a2baa-33b0-4c2a-afb8-b899e1acbc0a", + "id": "relationship--0bf1731d-6b65-4367-abd3-5739d66816f1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.936476Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Log File", - "description": "Malware may look for system log files.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/file-discover.md", - "external_id": "E1083.m01" - } - ], + "created": "2022-02-04T23:52:41.041094Z", + "modified": "2022-02-04T23:52:41.041094Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--42a50e42-61c1-4eb0-a7a2-f7f278feb391", + "target_ref": "attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--97024953-18b1-43d8-adf2-207ac2dca44e", + "id": "relationship--9633c105-2f8e-4b77-8d1d-7f237fd85950", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.479261Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check for Emulator-related Files", - "description": "Checks whether particular files (e.g., QEMU files) exist.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": 
"mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md", - "external_id": "B0004.001" - } - ], + "created": "2021-02-10T06:49:35.637467Z", + "modified": "2021-02-10T06:49:35.637467Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--8d788ace-f057-449d-bd8b-b0db3fdb5b07", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--97a53670-fbd8-40bb-a950-acec7a6e7958", + "id": "relationship--2fe88d4c-7381-435c-94c4-c2fcfb042f0d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.980486Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Initialize Winsock Library::Socket Communication", - "description": "Winsock is initialized for TCP communication.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.009" - } - ], + "created": "2021-02-10T06:49:35.67747Z", + "modified": "2021-02-10T06:49:35.67747Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--856d6d11-4b8a-47d6-afb0-b79aa462fa26", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--97dff623-9e06-4810-b316-8eedabe893f0", + "id": "relationship--78d819da-3841-4091-afac-7ab38b3ed476", 
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.87726Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Executable Stack::Change Memory Protection", - "description": "The stack is made executable.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "memory-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/memory-protect.md", - "external_id": "C0008.001" - } - ], + "created": "2022-09-08T18:26:19.129589Z", + "modified": "2022-09-08T18:26:19.129589Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a385dfe3-ba5e-4cc7-9a6d-a38349b44739", + "target_ref": "attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--97fc67af-9ec6-44a7-8187-32e07b5cdcb5", + "id": "relationship--f1127fa4-bfd7-43ad-844c-258d37622784", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.469264Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Process Environment Block NtGlobalFlag", - "description": "The NtGlobalFlag field is tested to determine whether the process is being debugged.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.036" - } - ], + "created": "2021-02-10T06:49:35.641176Z", + "modified": "2021-02-10T06:49:35.641176Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--2fdbb4b2-a02a-42de-a6de-2263b48392f1", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--98cc634e-8ebb-4c19-b3f1-bea0abef18ae", + "id": "relationship--8955eb81-a5c8-4ded-964b-4d227ee2c7d2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.503263Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Unique Hardware/Firmware Check - CPU Name", - "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. Checks the CPU name to determine virtualization.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.026" - } - ], + "created": "2021-02-10T06:49:35.680442Z", + "modified": "2021-02-10T06:49:35.680442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0f77be56-a5ef-4c06-8557-46782bb2cd67", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--999fdac4-2cd5-471e-960e-993f82214902", + "id": "relationship--79dd668f-7c39-4f76-acb6-828bf36df88d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.558264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Import Compression", - 
"description": "Store and load imports with a compact import table format. Each DLL needed by the executable is mentioned in the IAT, but only one function from each/most is imported; the rest are imported via GetProcAddress calls.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.012" - } - ], + "created": "2021-02-10T06:49:35.670445Z", + "modified": "2021-02-10T06:49:35.670445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--8cf4e8d0-21b6-4e35-97c2-97e6c5322509", + "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--99bd055e-cadd-4ed3-94a4-b21570cd8350", + "id": "relationship--cd158b97-3a64-416d-88ce-92fab92241cb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.598261Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Polling", - "description": "Keystrokes are captured via polling (e.g., user32.GetAsyncKeyState, user32.GetKeyState).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/keylogging.md", - "external_id": "F0002.002" - } - ], + "created": "2021-02-10T06:49:35.505442Z", + "modified": "2021-02-10T06:49:35.505442Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--68791849-d1ec-436a-983a-b6ca41bea52c", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9a20e319-4340-469f-a31c-5153dbd05bd0", + "id": "relationship--f536601a-3c17-4267-986a-51e27a08ada5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Hardware/Firmware Rootkit", - "description": "A firmware rootkit compromises hardware (e.g. network card, hard drive), system BIOS, UEFI firmware. LoJack is the first in-the-wild UEFI rootkit. See ATT&CK: [System Firmware](https://attack.mitre.org/techniques/T1542/001/).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", - "external_id": "E1014.m14" - } - ], + "created": "2021-02-10T06:49:35.514444Z", + "modified": "2021-02-10T06:49:35.514444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--48964591-554c-420d-896b-89ad16f17eec", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9a5f43f7-dd94-4035-b335-9d0d388c93ae", + "id": "relationship--7ae9beee-acbe-4274-bb88-de255765168e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.678261Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Encryption 
- Standard Encryption", - "description": "Data is encrypted. A standard algorithm, such as Rijndael/AES, DES, RC4, is used to encrypt the exfiltrated data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "exfiltration" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", - "external_id": "E1560.m05" - } - ], + "created": "2021-02-10T06:49:35.682848Z", + "modified": "2021-02-10T06:49:35.682848Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b7a3c18a-0a7c-407a-8857-3e2e8d941775", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9aa48852-5d9f-45e3-a094-113bc10c1cbc", + "id": "relationship--094b167c-34e7-45cb-8514-a77b0d664dfe", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.483264Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check Files", - "description": "Sandboxes create files on the file system. 
Malware can check the different folders to find sandbox artifacts.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", - "external_id": "B0007.002" - } - ], + "created": "2021-02-10T06:49:35.501442Z", + "modified": "2021-02-10T06:49:35.501442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5eef016e-6366-41e1-a33d-d85727dd5d65", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9aa6cbcb-2654-4533-a47c-3b44b62cb6a2", + "id": "relationship--8b28534f-1bdb-4794-92d3-a3d63ba71145", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.031479Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Query Registry Key::Registry", - "description": "Malware queries a registry key.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", - "external_id": "C0036.005" - } - ], + "created": "2021-02-10T06:49:35.484529Z", + "modified": "2021-02-10T06:49:35.484529Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a67c8a5d-cce9-4892-9338-9fec55e45419", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - 
"type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9b4638cb-2e9b-480e-a502-4ac8acfa4dd8", + "id": "relationship--6dcabe56-17b8-491b-8fd9-87edae835658", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.983492Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "UDP Client::Socket Communication", - "description": "UDP client behavior.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.013" - } - ], + "created": "2022-09-08T18:26:19.143737Z", + "modified": "2022-09-08T18:26:19.143737Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f1f9a410-ce13-4c3d-8728-69e517d71fb9", + "target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9c6a7353-74f8-468b-94d8-faee128fa78d", + "id": "relationship--372550b4-1de4-47e9-9f7b-b623c0424c52", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.007478Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "dhash::Non-Cryptographic Hash", - "description": "Malware uses the dhash hash function.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md", - "external_id": "C0030.004" - } - ], + "created": "2021-02-10T06:49:35.577443Z", 
+ "modified": "2021-02-10T06:49:35.577443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f5f683c9-7cc4-41b9-a607-16e3c09461f4", + "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9dd6ef57-b3b3-48e8-a77e-233ffee5d45b", + "id": "relationship--4c9acfd0-38e0-4895-936a-1c1a4b25e057", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.870658Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Inspect Section Memory Permissions", - "description": "Malware identifies section memory permissions from image section header.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/code-discover.md", - "external_id": "B0046.002" - } - ], + "created": "2021-02-10T06:49:35.519481Z", + "modified": "2021-02-10T06:49:35.519481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e60f2ef0-615c-4158-92f6-4db808bc116d", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac", + "id": "relationship--c15c2d7e-945f-4bd9-a19c-cf002adf6398", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Twofish::Decrypt Data", - "description": "Malware decrypts data 
encrypted with the Twofish algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.014" - } - ], + "created": "2021-02-10T06:49:35.540444Z", + "modified": "2021-02-10T06:49:35.540444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3cb4d50f-649d-4b09-b9a4-151bcc7ebc43", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9f6817c0-0ec9-4097-a55b-b39b08db2b92", + "id": "relationship--533de0a3-baba-41e1-9291-18f5f6b58dd4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.57926Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Custom Compression of Code", - "description": "Uses a custom algorithm to compress opcode mnemonics.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.006" - } - ], + "created": "2021-02-10T06:49:35.512444Z", + "modified": "2021-02-10T06:49:35.512444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f286389b-6374-4b58-ae99-975a32ad18ce", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--9fb8ebbb-efc5-4f9c-8059-dca2a21412fd", + "id": "relationship--9d9b9523-ee0e-4ba0-a34e-de3dc1d90981", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.523261Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Hook File System", - "description": "Execution happens when a particular file or directory is accessed, often through hooking certain API calls such as CreateFileA and CreateFileW.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.007" - } - ], + "created": "2021-02-10T06:49:35.548449Z", + "modified": "2021-02-10T06:49:35.548449Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7fac651b-a6ae-494c-9386-d75a454776da", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a0021942-1e00-442e-8ed8-285293eeb5e9", + "id": "relationship--021cf0f3-d938-45e8-812c-b4f8dbefc0c5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Snefru::Cryptographic Hash", - "description": "Malware uses a Snefru hash.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - 
"external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", - "external_id": "C0029.006" - } - ], + "created": "2021-02-10T06:49:35.653444Z", + "modified": "2021-02-10T06:49:35.653444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--90206369-0c71-47cd-abf2-65e4e75fee99", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a0033d2f-e4c5-4bbf-854b-198fd82d0c0b", + "id": "relationship--868c6012-4082-4b0d-a18e-c641ac0bb05e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.498264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Instruction Testing - SMSW", - "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.032" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.657447Z", + "modified": "2021-02-10T06:49:35.657447Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d27a6bf4-7e7b-4007-9301-20eec9d8fe20", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a03af833-a578-465a-bf8c-43c9db4f4775", + "id": "relationship--19bca99f-27c8-44ea-b49f-496a72ab87d1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.783046Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Authenticate", - "description": "Implant may authenticate itself to the controller, controller may authenticate itself to implant, or both. This is often at or near the start of communication. Examples include but are not limited to a simple shared secret (e.g. 
password), challenge-response with symmetric encryption, or challenge-response with asymmetric encryption.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.011" - } - ], + "created": "2021-02-10T06:49:35.561442Z", + "modified": "2021-02-10T06:49:35.561442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--46d77a13-9d20-4c9c-9846-cf6f298f6836", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a438adb9-e8d8-40da-8fb3-0500b0c812f5", + "id": "relationship--4ec4c126-c142-44b6-843a-3269d3dab081", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.736174Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Hook memory mapping APIs", - "description": "Hooking prevents memory dumps by preventing mapping of memory into the kernel's virtual address space.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006.010" - }, - { - "source_name": "external_source", - "description": "J. Stuttgen, M. 
Cohen, Anti-forensic resilient memory acquisition,", - "url": "https://www.dfrws.org/sites/default/files/session-files/paper-anti-forensic_resilient_memory_acquisition.pdf" - } - ], + "created": "2021-02-10T06:49:35.683632Z", + "modified": "2021-02-10T06:49:35.683632Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1ef444d5-6292-4701-be04-7d8bbd677b95", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a453cf88-1389-4ffd-8f3c-e95475f10a9f", + "id": "relationship--e2cbbfd6-92c0-4058-979e-2d61ff9c49e2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.989483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Blowfish::Decrypt Data", - "description": "Malware decrypts data encrypted with the Blowfish algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.003" - } - ], + "created": "2021-02-10T06:49:35.467445Z", + "modified": "2021-02-10T06:49:35.467445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ae167f71-8166-4906-97ba-8b9efb6daca2", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a46f5dce-2530-4823-8253-d702c8b2abeb", + "id": "relationship--2759c5db-58e0-4756-ad34-e44d9c3a4140", 
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.783046Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Directory Listing", - "description": "Controller requests a directory listing from the implant, optionally from a given path, optionally recursive.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.012" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": "2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d71d433d-6815-4cca-940c-b21b05ab9a47", + "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a53ab24d-020a-46dc-8a13-7ef51ab07f35", + "id": "relationship--21e79dff-bedc-4d95-902e-49a933b1b2da", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.883261Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Stack Pivot", - "description": "Stack pivoting involves pointing the stack pointer to an attacker-owned buffer, such as the heap, and facilitates exploits such as ROP-based exploits (see [Bypass DEP](https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/bypass-dep.md) behavior).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "memory-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/stack-pivot.md", - 
"external_id": "C0009" - } - ], + "created": "2021-02-10T06:49:35.507477Z", + "modified": "2021-02-10T06:49:35.507477Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e35d4dd6-591c-4f6d-b182-16adc70ce74f", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a5490a04-b672-4587-ae13-f0a25eb1cea4", + "id": "relationship--947ee67a-bd5a-4c47-a3f6-45c9c4dd3fcf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.927259Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Shutdown Event", - "description": "Malware can register the shutdown event triggered by WinLogon to allow a malicious DLL to execute every time the machine shuts down: when the machine is shutdown the malware will be loaded into memory; then it will download the primary malware and reinfect the machine. The malware will also lie dormant during incident reporting processes. To check whether malware has registered for login events, check the registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify. 
If a subkey with any name exists and it has a \"shutdown\" value then the dll in the \"DLLName\" key will be launched during the shutdown process.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/shutdown-event.md", - "external_id": "B0035" - }, - { - "source_name": "external_source", - "url": "https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460" - } - ], + "created": "2021-02-10T06:49:35.533442Z", + "modified": "2021-02-10T06:49:35.533442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a5589cd0-a6ee-4d1a-9963-3c44e9734242", + "id": "relationship--60ed723b-ddd5-4ca0-9417-aee98ae94c3a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.706262Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Process detection - Debuggers", - "description": "Malware can scan for the process name associated with common analysis tools. 
OllyDBG / ImmunityDebugger / WinDbg / IDA Pro", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013.002" - } - ], + "created": "2021-02-10T06:49:35.587443Z", + "modified": "2021-02-10T06:49:35.587443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b1937ce5-4376-4b5d-944e-5406d8501413", + "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a5bc5daf-255e-4e9b-a4c4-508dc3a434ff", + "id": "relationship--228bc713-19f0-4546-b0b3-b684c42254c3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.754261Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Exfiltrate via File Hosting Service", - "description": "Malware may exfiltrate files to a file hosting location.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "exfiltration" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/auto-exfiltrate.md", - "external_id": "E1020.m01" - } - ], + "created": "2021-02-10T06:49:35.571485Z", + "modified": "2021-02-10T06:49:35.571485Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c863faee-3dcc-4fc0-9d16-9d0b7e75051c", + "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": 
"relationship", "spec_version": "2.1", - "id": "attack-pattern--a60432c5-54ee-4c76-be1b-409f3f0e4795", + "id": "relationship--3f24aa3d-155d-4425-8a05-a2af71aac43b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.928367Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Ransom Note", - "description": "Ransomware displays a ransom note. Ransom notes are sometimes used to link instances of ransomware, even when the code or anti-analysis techniques change.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/encrypt-impact.md", - "external_id": "E1486.001" - } - ], + "created": "2021-02-10T06:49:35.629502Z", + "modified": "2021-02-10T06:49:35.629502Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--063274b5-04c4-4987-98d6-850c2598b601", + "target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a6389b1f-c2f4-4bb7-8b52-6725b00f6052", + "id": "relationship--92c3ba76-4b47-4b21-a2d4-ca47fcdc7643", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.688263Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Injection and Persistence via Registry Modification", - "description": "Malware may insert the location of its malicious library under a registry key (e.g., Appinit_DLL, AppCertDlls, IFEO) to have another process load its library.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - 
} - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md", - "external_id": "E1055.m02" - }, - { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" - } - ], + "created": "2021-02-10T06:49:35.511492Z", + "modified": "2021-02-10T06:49:35.511492Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--664457b6-7f76-4745-a92d-6acbfe3ee384", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a67c8a5d-cce9-4892-9338-9fec55e45419", + "id": "relationship--33f47112-8545-49fe-94cf-eb546eedcc4f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.491263Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check Software", - "description": "Malware may check software version; for example, to determine whether the software is relatively current.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.007" - } - ], + "created": "2021-02-10T06:49:35.664444Z", + "modified": "2021-02-10T06:49:35.664444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9b4638cb-2e9b-480e-a502-4ac8acfa4dd8", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": 
"attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a6c50b34-3247-4e39-91d5-75f4fb97a9f9", + "id": "relationship--2b282061-d14c-4e3e-9b4e-f1d37841c9dd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.993484Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "RSA::Encrypt Data", - "description": "Malware encrypts with the RSA algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.011" - } - ], + "created": "2021-02-10T06:49:35.692798Z", + "modified": "2021-02-10T06:49:35.692798Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c3a03554-f52e-49bd-ad0d-f01d4ded7f39", + "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a6d7b549-6392-47dd-a5b3-f5ba522166c4", + "id": "relationship--924962bf-6608-44d7-9b51-43ffe4276f89", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.75026Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "User Interaction", - "description": "Malware may include code that relies on specific actions by a user to execute. 
Note that this MBC behavior differs from [User Execution](https://attack.mitre.org/techniques/T1204) in that it does do not include direct code execution (user action for *initial* execution) - MBE does not encompass ATT&CK's Initial Access Tactic.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/user-interaction.md", - "external_id": "E1204" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1204", - "external_id": "T1204" - } - ], + "created": "2021-02-10T06:49:35.476444Z", + "modified": "2021-02-10T06:49:35.476444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb", + "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a7d53e43-1336-49be-bf6b-9cc3fb832ab2", + "id": "relationship--46785d2f-2931-4800-86d2-101cdfdaaec2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.473261Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Stack Canary", - "description": "Similar to the anti-exploitation method of the same name, malware may try to detect mucking with values on the stack.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.026" - } - ], + "created": "2021-02-10T06:49:35.494443Z", + "modified": 
"2021-02-10T06:49:35.494443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0b1371c5-4bec-466a-b643-43b719537894", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a8761808-d474-430a-9bd9-c770bc1163be", + "id": "relationship--bb344d99-00e5-4697-a116-9968d5ab9ddc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.989483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "3DES::Decrypt Data", - "description": "Malware decrypts data encrypted with the 3DES algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.005" - } - ], + "created": "2022-02-04T23:52:40.867574Z", + "modified": "2022-02-04T23:52:40.867574Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a894c73b-8a05-4d53-86e8-39434b189fb6", + "id": "relationship--038bff96-2d64-4bd9-abde-f5c5e1260782", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.751794Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Implicit Flows", - "description": "Data is propagated via semantic 
relationships, for example one variable not changing its state could imply the state of another variable.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-data-flow-analysis.md", - "external_id": "B0045.002" - }, - { - "source_name": "external_source", - "url": "http://www.seclab.cs.sunysb.edu/seclab/pubs/antitaint.pdf" - } - ], + "created": "2021-02-10T06:49:35.641721Z", + "modified": "2021-02-10T06:49:35.641721Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--85809708-79ee-4bff-824e-471b7bbd30a9", + "target_ref": "attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--a90fbac2-8ec1-486c-85bf-6cb6269a5ea6", + "id": "relationship--79fbdd05-ec26-4596-b45c-f6396038c57c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.788262Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Password Cracking", - "description": "Consume system resources for the purpose of password cracking.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/hijack-sys-resources.md", - "external_id": "B0018.001" - } - ], + "created": "2021-02-10T06:49:35.673442Z", + "modified": "2021-02-10T06:49:35.673442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6495c1d8-c694-4fc0-8063-05f0a42cad27", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", 
"object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--a9364e83-2893-4989-b01a-e74ea9ced03a",
+ "id": "relationship--1b5e37fc-70fa-4307-b151-92bc978ef97c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.493266Z",
- "modified": "2022-02-05T00:37:22.523012Z",
- "name": "Check Windows - Window size",
- "description": "Malware may check windows for VM-related characteristics. Tiny window size may indicate a VM.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md",
- "external_id": "B0009.020"
- }
- ],
+ "created": "2021-02-10T06:49:35.516445Z",
+ "modified": "2021-02-10T06:49:35.516445Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--35d551ab-014b-4fab-8ba8-b91fb42a3985",
+ "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078",
+ "id": "relationship--2cacef1b-b542-4244-9b4f-306fff39aae2",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:32.00648Z",
- "modified": "2022-02-05T00:37:22.788643Z",
- "name": "Encode Data",
- "description": "Malware may encode data.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "data-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/encode.md",
- "external_id": "C0026"
- }
- ],
+ "created": "2021-02-10T06:49:35.703804Z",
+ "modified": "2021-02-10T06:49:35.703804Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--c31eb81c-b21c-4ae2-aed3-bcc77821d3ca",
+ "target_ref": "attack-pattern--4ec39934-4cf3-4e7a-96fb-425ea2f56d15",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": false
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--a962a19b-79e6-4154-a634-b85d9e9d0264",
+ "id": "relationship--c057643c-3bdf-4ec3-b571-a33917bc2848",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:35.689293Z",
- "modified": "2022-02-05T00:37:22.507385Z",
- "name": "Human User Check",
- "description": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. Directories or file might be counted. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel . 
This method is very similar to ATT&CK's [Virtualization/Sandbox Evasion: User Activity Based Checks](https://attack.mitre.org/techniques/T1497/002/) sub-technique.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md",
- "external_id": "B0007.003"
- },
- {
- "source_name": "external_source",
- "url": "https://github.com/LordNoteworthy/al-khaser"
- }
- ],
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ "created": "2021-02-10T06:49:35.622442Z",
+ "modified": "2021-02-10T06:49:35.622442Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--c2c8a6d7-c5be-40c2-98ae-96640b2048af",
+ "target_ref": "attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483",
+ "id": "relationship--f6d8f34b-6a1e-4805-9482-962c26017251",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:35.736174Z",
- "modified": "2022-02-05T00:37:22.55426Z",
- "name": "Patch MmGetPhysicalMemoryRanges",
- "description": "Patching this function to always return NULL prevents drivers from getting information about the physical address space layout, preventing memory dumps.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "anti-behavioral-analysis"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md",
- "external_id": "B0006.011"
- },
- {
- 
"source_name": "external_source",
- "description": "J. Stuttgen, M. Cohen, Anti-forensic resilient memory acquisition,",
- "url": "https://www.dfrws.org/sites/default/files/session-files/paper-anti-forensic_resilient_memory_acquisition.pdf"
- }
- ],
+ "created": "2021-02-10T06:49:35.512444Z",
+ "modified": "2021-02-10T06:49:35.512444Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--75109dae-5db7-4582-be8b-edcea907659d",
+ "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d",
+ "id": "relationship--6e718457-ce04-42b7-8e37-d8e4c6d62f5c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.65626Z",
- "modified": "2022-02-05T00:37:22.616726Z",
- "name": "Disable Kernel Patch Protection",
- "description": "Bypasses or disables kernel patch protection mechanisms such as Windows' PatchGuard, enabling the malware instance to operate at the same level as the operating system kernel and kernel mode drivers (KMD).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "defense-evasion"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md",
- "external_id": "F0004.001"
- }
- ],
+ "created": "2021-02-10T06:49:35.569485Z",
+ "modified": "2021-02-10T06:49:35.569485Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--8d901ae3-1492-4090-b730-438071314947",
+ "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ 
] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--aaa95359-3220-45fe-9ae6-397718608ee4", + "id": "relationship--1c79627d-1601-45b1-9ff4-6667bc888fae", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.637267Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Fileless Malware", - "description": "Stores itself in memory.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/alter-install-location.md", - "external_id": "B0027.001" - } - ], + "created": "2021-02-10T06:49:35.462442Z", + "modified": "2021-02-10T06:49:35.462442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0aeb39aa-febf-463e-97e0-546f558daed6", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ab2e210b-f2a3-4f50-b42a-7304b875429c", + "id": "relationship--e15715b4-5c0e-4cc9-8e53-570f49781ea7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.915483Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Force Lazy Writing", - "description": "Some operating systems will sometimes use a form of \"lazy writing\" for disk I/O, which may obscure the true provenance of the write operation. This method occurs when code intentionally forces the operating system to perform a lazy writing operation. 
For example, in Windows, a file may be opened, memory mapped, and closed, but the memory map will still exist and can be written to, which will cause a lazy write that looks like it is coming from the System process.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", - "external_id": "F0004.006" - }, - { - "source_name": "external_source", - "description": "Alexander Adamov, Stealthy WastedLocker: eluding behavior blockers, but not only. Online:", - "url": "https://vblocalhost.com/conference/presentations/stealthy-wastedlocker-eluding-behaviour-blockers-but-not-only/" - } - ], + "created": "2022-02-04T23:52:40.994215Z", + "modified": "2022-02-04T23:52:40.994215Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--74d536e7-5fb3-4633-8f42-ca413aa2beea", + "target_ref": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ab699bec-3a3f-498f-a658-1eabe6fe90c9", + "id": "relationship--f17d5ec4-580d-4000-9110-b817e63a7e8b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.981483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Create UDP Socket::Socket Communication", - "description": "A UDP socket is created.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.010" - } - 
], + "created": "2021-02-10T06:49:35.481442Z", + "modified": "2021-02-10T06:49:35.481442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ac446754-73f8-4642-ac66-26b41c5f24ce", + "id": "relationship--e8f8a804-2731-4b39-b6d5-198c6be769ad", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.517264Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Tampering", - "description": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006.005" - } - ], + "created": "2021-02-10T06:49:35.502442Z", + "modified": "2021-02-10T06:49:35.502442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3a9b6fab-01af-47ef-9563-69427ed4090c", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--acddeb41-5339-4148-8a12-04b9ca687086", + "id": "relationship--6c4bf2aa-075f-4da3-92ad-a8ce670b02d6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.608264Z", - "modified": "2022-02-05T00:37:22.601096Z", - 
"name": "Server to Client File Transfer", - "description": "File is transferred from controller to implant.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.003" - } - ], + "created": "2021-02-10T06:49:35.458443Z", + "modified": "2021-02-10T06:49:35.458443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1e5a85a2-73fc-467c-a94b-ec867885b4c3", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4", + "id": "relationship--70efaea9-7c21-4e6a-8771-3ef2ec3834ab", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.71926Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Command and Scripting Interpreter", - "description": "Malware may abuse command and script interpreters to execute commands, scripts, or binaries.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/command-line.md", - "external_id": "E1059" - }, - { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1059", - "external_id": "T1059" - } - ], + "created": "2021-02-10T06:49:35.593443Z", + "modified": "2021-02-10T06:49:35.593443Z", + "relationship_type": 
"subtechnique-of", + "source_ref": "attack-pattern--0eb664b8-73e1-4799-9e22-277ab898579d", + "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ad80fa16-a148-4562-951c-be0510a866fb", + "id": "relationship--ea3c0465-c8bd-402a-a907-35c32d0b4d67", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.041477Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Terminate Thread", - "description": "Malware terminates a thread.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/terminate-thread.md", - "external_id": "C0039" - } - ], + "created": "2021-02-10T06:49:35.461442Z", + "modified": "2021-02-10T06:49:35.461442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ff838892-3d1a-46ba-a3f5-5787e0e82830", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--adac5b9d-77f6-4c07-898d-1515fbf37162", + "id": "relationship--b06d3a5c-a043-40bf-9499-acce8fbc521e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.689263Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Injection using Shims", - "description": "Malware may use shims to target an executable (shims are a way of hooking into APIs and targeting specific executables and 
are provided by Microsoft for backward compatibility, allowing developers to apply program fixes without rewriting code).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md", - "external_id": "E1055.m03" - }, - { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" - } - ], + "created": "2021-02-10T06:49:35.472483Z", + "modified": "2021-02-10T06:49:35.472483Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--35284c4d-652f-40bd-b49b-7d625914bc75", + "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--add320e6-3798-40f7-91be-5062eb3a9e00", + "id": "relationship--58c445bd-ac54-4861-b172-e7263a7a942f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.458263Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Anti-debugging Instructions", - "description": "Malware code contains mnemonics related to anti-debugging (e.g., rdtsc, icebp).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.034" - } - ], + "created": "2022-02-04T23:52:40.914452Z", + "modified": "2022-02-04T23:52:40.914452Z", + "relationship_type": "subtechnique-of", + 
"source_ref": "attack-pattern--a894c73b-8a05-4d53-86e8-39434b189fb6", + "target_ref": "attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--adf43bd9-7112-42fe-8024-7f7fe5a2225f", + "id": "relationship--092ccd5c-5107-4ab0-b58d-108f5dc3f04a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.485265Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Timing/Date Check", - "description": "Calling GetSystemTime or equiv and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date. This behavior can be mitigated in non-automated analysis environments.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", - "external_id": "B0007.008" - } - ], + "created": "2021-02-10T06:49:35.463442Z", + "modified": "2021-02-10T06:49:35.463442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--85da3a4e-287a-45b9-91d2-019b59af07e3", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ae167f71-8166-4906-97ba-8b9efb6daca2", + "id": "relationship--06550a91-434c-466e-aef6-c41e08d5f9a9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.475261Z", - "modified": 
"2022-02-05T00:37:22.507385Z", - "name": "UnhandledExceptionFilter", - "description": "The UnhandledExceptionFilter function is called if no registered exception handlers exist, but it will not be reached if a debugger is present. See for details.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.030" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2021-02-10T06:49:35.467445Z", + "modified": "2021-02-10T06:49:35.467445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--be9f9f28-01bb-4b94-b973-14f06a71c968", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ae865c4b-d90b-46be-aae6-6fbe897b76d9", + "id": "relationship--2e49dee1-bad0-4604-bf16-7064059d864c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.769263Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Empty Recycle Bin", - "description": "Empties the recycle bin, which can be related to ransomware.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/data-destruction.md", - "external_id": "E1485.m02" - } - ], + "created": "2022-02-04T23:52:40.962929Z", + "modified": 
"2022-02-04T23:52:40.962929Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--83576712-779f-4c76-9459-939092f6cd70", + "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "id": "relationship--c9f504bf-f2c6-4016-a6b7-9f283209a07f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.68026Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Obfuscated Files or Information", - "description": "Malware may make files or information difficult to discover or analyze by encoding, encrypting, or otherwise obfuscating the content. In addition, a malware sample itself can be encoded or encrypted (i.e., encoding/encryption is a code characteristic).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", - "external_id": "E1027" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1027", - "external_id": "T1027" - } - ], + "created": "2021-02-10T06:49:35.579443Z", + "modified": "2021-02-10T06:49:35.579443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--adac5b9d-77f6-4c07-898d-1515fbf37162", + "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", 
"spec_version": "2.1", - "id": "attack-pattern--af706b89-56dd-4b02-81e6-eb64fe57c2e6", + "id": "relationship--2df976a9-445b-4615-837c-87feedf4c4f6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.516301Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Static Linking", - "description": "Copy locally the whole content of API code.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.026" - } - ], + "created": "2021-02-10T06:49:35.492443Z", + "modified": "2021-02-10T06:49:35.492443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--cc89a8c1-00d2-4ae2-bda2-a35398a63214", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--af70b2f4-e552-4ec0-b6ce-1c8c38e6748c", + "id": "relationship--20b13fc8-e827-4438-8271-71a5f1e965c3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.783046Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Implant to Controller File Transfer", - "description": "File is transferred from implant to controller.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.004" - } - ], + "created": "2021-02-10T06:49:35.476444Z", + "modified": 
"2021-02-10T06:49:35.476444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--69d4e839-b6ce-4299-b242-83192d6b62c2", + "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b0cd3324-b762-4e02-8e9d-7dd3708d5e0a", + "id": "relationship--1980f0f7-5535-4b70-891c-ba65bf51c3c9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.03448Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Check Mutex", - "description": "Malware checks a mutex.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/check-mutex.md", - "external_id": "C0043" - } - ], + "created": "2021-02-10T06:49:35.48848Z", + "modified": "2021-02-10T06:49:35.48848Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2c90706d-0b4a-45e1-b9f0-0292ebb69edf", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b1089154-3ee0-4713-893f-af97047f8ab5", + "id": "relationship--7474dc42-a5b4-4eec-a8e4-813e358ad306", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.459263Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "CheckRemoteDebuggerPresent", - "description": "The kernel32!CheckRemoteDebuggerPresent function calls NtQueryInformationProcess with 
ProcessInformationClass parameter set to 7 (ProcessDebugPort constant).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.002" - } - ], + "created": "2021-02-10T06:49:35.471485Z", + "modified": "2021-02-10T06:49:35.471485Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f7d5a289-5ab3-4b74-912a-c7ab2748770c", + "target_ref": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b16029de-92c1-4b77-b334-733f0d099ecd", + "id": "relationship--24f8940b-c901-4629-8c66-228b95f7f57a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.561265Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Structured Exception Handling (SEH)", - "description": "A portion of the code always generates an exception so that malicious code is executed with the exception handling. 
See .", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.016" - }, - { - "source_name": "external_source", - "description": "Rob Simmons, \"Comparing Malicious Files,\" BSides, 2019.", - "url": "http://www.irongeek.com/i.php?page=videos/bsidescharm2019/2-04-comparing-malicious-files-robert-simmons" - } - ], + "created": "2021-02-10T06:49:35.549487Z", + "modified": "2021-02-10T06:49:35.549487Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e22860a9-1026-46ee-a75e-feedc26196d5", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", + "id": "relationship--5d8c1fbc-c4ea-4d60-8879-3305c474c651", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.722263Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Conditional Execution", - "description": "Malware checks system environment conditions or characteristics to determine execution path. For example, malware may not run or be dormant unless system conditions are right, or file that is dropped may vary according to execution environment. 
Conditional execution in malware happens autonomously, not because of an attacker's command.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", - "external_id": "B0025" - }, - { - "source_name": "external_source", - "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1480", - "external_id": "T1480" - } - ], + "created": "2021-02-10T06:49:35.509442Z", + "modified": "2021-02-10T06:49:35.509442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ac446754-73f8-4642-ac66-26b41c5f24ce", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b1937ce5-4376-4b5d-944e-5406d8501413", + "id": "relationship--e27c5b46-0731-4c9b-8428-f92a0a636b4b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.706262Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Process detection - PCAP Utilities", - "description": "Malware can scan for the process name associated with common analysis tools. 
Wireshark / Dumpcap", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013.004" - } - ], + "created": "2021-02-10T06:49:35.665444Z", + "modified": "2021-02-10T06:49:35.665444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--94813d2d-0eb5-4037-8c03-07896bd7233b", + "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b1c9e70b-d514-4924-848d-c6403560e6c5", + "id": "relationship--8c00c944-8bec-46bb-a219-2d31dfd3e97b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.90926Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Device Driver", - "description": "Allows kernel to access hardware connected to the system.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/kernel-modules-ext.md", - "external_id": "F0010.001" - } - ], + "created": "2021-02-10T06:49:35.521443Z", + "modified": "2021-02-10T06:49:35.521443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--71d88456-13b6-48de-b779-e6ff71aa3b5e", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": 
"attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", + "id": "relationship--003b45ca-148c-4ae8-889c-de9339540f2a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Hijack Execution Flow", - "description": "Malware may execute by hijacking the way operating systems run programs. Malware (e.g. rootkit) alters API behavior or redirects execution to a malicious API version for a variety of purposes. Malware may use hooking to load and execute code within the context of another process, hiding execution and gaining elevated privileges and access to the process's memory. Different types of hooking are defined as methods below.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", - "external_id": "F0015" - }, - { - "source_name": "external_source", - "url": "https://www.sans.org/media/score/checklists/rootkits-investigation-procedures.pdf" - }, - { - "source_name": "external_source", - "url": "https://www.oreilly.com/library/view/learning-malware-analysis/9781788392501/a0a506d6-d062-48c1-a0a8-57d6acb77785.xhtml" - }, - { - "source_name": "external_source", - "url": "https://www.mdpi.com/1999-5903/4/4/971/html" - }, - { - "source_name": "external_source", - "url": "http://ropgadget.com/posts/abusing_win_functions.html" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1574/", - "external_id": "T1574" - } - ], + "created": "2021-02-10T06:49:35.659443Z", + "modified": 
"2021-02-10T06:49:35.659443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b3369595-ed1a-4660-a239-08f6abd5810c", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b2320873-c5bb-4691-80f6-ffbd143b8b9a", + "id": "relationship--bfcc06d1-954c-4114-a40c-c2255744c773", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.783046Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Execute Shell Command", - "description": "Execute/run the given command using a built-in program (e.g. cmd.exe, PowerShell, bash). This differs from Start Interactive Shell because the shell process is started only for the received command or set of commands and then exits. There is no loop looking for additional commands while the shell process is still running.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.014" - } - ], + "created": "2022-02-04T23:52:41.041094Z", + "modified": "2022-02-04T23:52:41.041094Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--befe8d09-ebeb-4a60-89a4-9efaaf325e9b", + "target_ref": "attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b3030683-9d60-4b63-8498-f7fac91c244d", + "id": 
"relationship--68231d54-c9c8-4f0d-a39c-675a36464c1c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.814301Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Disable Code Integrity", - "description": "Malware disables Code Integrity driver.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", - "external_id": "F0004.009" - } - ], + "created": "2021-02-10T06:49:35.517138Z", + "modified": "2021-02-10T06:49:35.517138Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2bef87a4-e803-4bb7-8f8f-fac4f63a02e1", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b3369595-ed1a-4660-a239-08f6abd5810c", + "id": "relationship--c9e4809e-6742-470f-8721-65acaa27e6c1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.982483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Send UDP Data::Socket Communication", - "description": "Send UDP data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.015" - } - ], + "created": "2021-02-10T06:49:35.68898Z", + "modified": "2021-02-10T06:49:35.68898Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--8b1810b0-5885-47ec-963b-b3fecbe1825a", 
+ "target_ref": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b3bc7ff9-4ea7-4b1a-9301-ea0e07e4a85f", + "id": "relationship--80ae5c69-ce3c-4fdb-a023-5c120334f321", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:36.093464Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Minifilter::Load Driver", - "description": "Malware starts a minifilter.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "hardware-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/load-driver.md", - "external_id": "C0023.001" - } - ], + "created": "2021-02-10T06:49:35.551476Z", + "modified": "2021-02-10T06:49:35.551476Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5c5601b2-b0ce-4732-a2b2-d45c30efef8c", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b40aba49-57d9-4a99-a29e-2629e35991c9", + "id": "relationship--fc64766c-e137-4801-9206-cfd145ffb001", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.510265Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Change SizeOfImage", - "description": "Changing this value during run time can prevent some debuggers from attaching. 
Also confuses some unpackers and dumpers.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.004" - } - ], + "created": "2021-02-10T06:49:35.459442Z", + "modified": "2021-02-10T06:49:35.459442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--39d98cff-ebf0-4824-8a7a-55ba1058664b", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b4931f82-5f27-4329-a0c4-4f953195e6f1", + "id": "relationship--343529d8-feaf-4a4b-8f87-124c1a812480", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.559264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Jump Insertion", - "description": "Insert jumps to make analysis visually harder.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.005" - } - ], + "created": "2021-02-10T06:49:35.531443Z", + "modified": "2021-02-10T06:49:35.531443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--36074f02-7b9b-4052-998f-cb6c56447031", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": 
"relationship", "spec_version": "2.1", - "id": "attack-pattern--b535d57f-a2e0-427b-8f4d-69d948e6ebf4", + "id": "relationship--b050267b-3c92-47fc-993d-705b150c924f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.975482Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "WinINet::HTTP Communication", - "description": "A HTTP request is made via the Windows Internet (WinINet) application programming interface (API). A specific function can be specified as a method on the [WinInet](../communication/wininet.md) microbehavior.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.007" - } - ], + "created": "2021-02-10T06:49:35.675442Z", + "modified": "2021-02-10T06:49:35.675442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b5d3d3c7-f9bd-4d61-8a73-593972018a8b", + "id": "relationship--9d173469-1a57-4c12-a13d-09d6bf6012bf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.643261Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "ROP Chains", - "description": "Return-Oriented Programming can be used to bypass DEP. 
It can also be used to bypass code signing.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/bypass-dep.md", - "external_id": "B0037.001" - }, - { - "source_name": "external_source", - "url": "https://medium.com/cybersecurityservices/dep-bypass-using-rop-chains-garima-chopra-e8b3361e50ce" - } - ], + "created": "2021-02-10T06:49:35.644697Z", + "modified": "2021-02-10T06:49:35.644697Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb", + "target_ref": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b5f07958-9aea-4414-ab2c-d5a46399dc23", + "id": "relationship--99d393f2-6357-4e85-b991-b443290b1eb5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.989483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Camellia::Decrypt Data", - "description": "Malware decrypts data encrypted with the Camellia algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.004" - } - ], + "created": "2021-02-10T06:49:35.514444Z", + "modified": "2021-02-10T06:49:35.514444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--41746d12-dfb1-4e7d-bd7e-81678b93b977", + "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b5f930c9-ea8f-45dd-9317-60b270606cb2", + "id": "relationship--7704d7a4-91da-4a53-a4f9-ae8f8912da6a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Execution Dependency", - "description": "Software may require certain run-time or library dependencies consistent with normal software development and deployment. For example, software may require the presence of a .NET or Java runtime or to be run by a webserver that supports PHP. Unlike in [Conditional Execution](https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md) this dependency is not because of an explicit check coded into the malware by the author.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/execution-dependency.md", - "external_id": "B0044" - } - ], + "created": "2021-02-10T06:49:35.579443Z", + "modified": "2021-02-10T06:49:35.579443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e23ee3ae-6960-4b56-b962-33184f999657", + "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b62ec15e-4b56-482f-9721-72733c520d1b", + "id": "relationship--765f09f5-bc92-4cd1-a350-605b90422e43", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2020-08-21T20:49:59.843259Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "InternetOpenURL::WinINet", - "description": "Opens a resource specified by a complete FTP or HTTP URL.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", - "external_id": "C0005.003" - } - ], + "created": "2021-02-10T06:49:35.590482Z", + "modified": "2021-02-10T06:49:35.590482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--69f9ba6a-eb9e-4486-ae5e-fb7de1012c90", + "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b6679c6a-6312-44ec-a6fe-628a66d0cefe", + "id": "relationship--5b7e6ad0-a129-4d6f-bd52-266371a85030", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.501259Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Modern Specs Check - Printer", - "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. 
Checks whether there is a potential connected printer or default Windows printers; if not a virtual environment is suspected.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.017" - } - ], + "created": "2021-02-10T06:49:35.491483Z", + "modified": "2021-02-10T06:49:35.491483Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2b01bf8e-63cf-495c-8e2f-d18a8c286ad5", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b67d0824-50d3-4066-906b-93dd26a9f05f", + "id": "relationship--c6e86df7-3fb6-4344-9588-672172c2441a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.923443Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Encryption-Standard Algorithm", - "description": "A standard algorithm (e.g., Rijndael/AES, DES, RC4) is used to encrypt a malware sample, file, or other information.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", - "external_id": "E1027.m05" - } - ], + "created": "2021-02-10T06:49:35.550117Z", + "modified": "2021-02-10T06:49:35.550117Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9f6817c0-0ec9-4097-a55b-b39b08db2b92", + "target_ref": 
"attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b7225469-01b6-4708-8bf9-aff549a703ce", + "id": "relationship--6876ea16-d686-4e54-9eee-f4f22efb8e51", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.511265Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Exception Misdirection", - "description": "Using exception handling (SEH) to cause flow of program to non-obvious paths.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.006" - } - ], + "created": "2021-02-10T06:49:35.658443Z", + "modified": "2021-02-10T06:49:35.658443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5ef50fb5-9da5-4926-85a6-8049dc0be9b3", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b729ab37-a73c-4d87-a72b-4123385a2581", + "id": "relationship--50235d87-37e8-4405-a5c7-b491b5c20012", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.608264Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Send System Information", - "description": "Implant sends system information.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "command-and-control" - } - ], - "external_references": [ 
- { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.006" - } - ], + "created": "2021-02-10T06:49:35.552443Z", + "modified": "2021-02-10T06:49:35.552443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--38dad326-aeb6-4341-9a2b-233fcd5698cd", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b74af853-9674-4bc7-9d30-be251db05e3d", + "id": "relationship--a1cbd858-4fda-4a25-9a48-575ccd20f8b6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.994484Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Stream Cipher::Encrypt Data", - "description": "Malware encrypts with a stream cipher.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.012" - } - ], + "created": "2021-02-10T06:49:35.452445Z", + "modified": "2021-02-10T06:49:35.452445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4f3bc817-8162-41b5-b617-5c9a261b66e0", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b7727763-8ffd-4588-b8a1-15168d18f0dd", + "id": "relationship--10a17f9c-c8fa-4fa9-a87f-1c80d0f8f5ff", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.493266Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Check Windows - Unique windows", - "description": "Malware may check windows for VM-related characteristics. May check for the presence of known windows from analysis tools running in a VM.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.021" - } - ], + "created": "2021-02-10T06:49:35.484529Z", + "modified": "2021-02-10T06:49:35.484529Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1b5c05fd-3785-4710-8ee2-efadad6ef437", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b7a3c18a-0a7c-407a-8857-3e2e8d941775", + "id": "relationship--d1fbba93-1094-40ba-b1d7-a34a205cb8bf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.993484Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "HC-256::Encrypt Data", - "description": "Malware encrypts with the HC-256 algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.007" - } - ], + "created": "2021-02-10T06:49:35.682848Z", + "modified": "2021-02-10T06:49:35.682848Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b7d3d8a7-75a8-4e3b-a1e8-c20844d0a8cf", + "id": "relationship--c7bc58bb-cf17-4f4a-a465-81e038754c60", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:36.124706Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Open Thread", - "description": "Malware opens a thread.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/open-thread.md", - "external_id": "C0066" - } - ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "created": "2021-02-10T06:49:35.451445Z", + "modified": "2021-02-10T06:49:35.451445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b1089154-3ee0-4713-893f-af97047f8ab5", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b82bbd87-e936-4b0e-a708-a277630fec11", + "id": "relationship--dd6e0f89-378c-40df-ae01-6700146fd7f5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.017471Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Read File", - "description": "Malware reads a file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - 
"phase_name": "file-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/read-file.md", - "external_id": "C0051" - } - ], + "created": "2021-02-10T06:49:35.48848Z", + "modified": "2021-02-10T06:49:35.48848Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d83c8fbc-c7bf-4108-ba64-f1a9ac737da1", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b82faecb-bcb2-4dcc-9155-bbd52d31c35d", + "id": "relationship--521e80bd-0b4b-4b45-abeb-0a5b7bfee750", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.713265Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "SMTP Connection Discovery", - "description": "Malware may test whether an outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/smtp-connect-discover.md", - "external_id": "B0014" - } - ], + "created": "2021-02-10T06:49:35.673442Z", + "modified": "2021-02-10T06:49:35.673442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4ce382af-356c-4906-b6f1-e44b4d71ed02", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + 
"type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b8311cd4-85f0-4e4c-83c5-0af831e6d7f1", + "id": "relationship--f138118b-38d7-40b0-beb2-155b691ade87", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.772261Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Denial of Service", - "description": "Malware may make a network unavailable, for example, by launching a network-based denial of service (DoS) attack.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/denial-of-service.md", - "external_id": "B0033" - }, - { - "source_name": "external_source", - "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1498/", - "external_id": "T1498" - } - ], + "created": "2021-02-10T06:49:35.676443Z", + "modified": "2021-02-10T06:49:35.676443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f62b419a-6b84-4bc4-865c-b58abc012795", + "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b85681f8-57a9-485e-bc46-ab3602990675", + "id": "relationship--d6637fcf-167b-40d3-9f07-194ccc99689b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.042481Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Set Thread Local Storage Value", - "description": "Malware allocates thread local storage.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": 
"process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/thread-storage-set-value.md", - "external_id": "C0041" - } - ], + "created": "2021-02-10T06:49:35.536444Z", + "modified": "2021-02-10T06:49:35.536444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3aa1c4d4-06c4-4d48-bc44-601b29abded8", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b87f5902-5985-4b45-b8df-b3b24f214650", + "id": "relationship--e4653e74-bf01-43da-966a-bfb8e878d2e4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.028478Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Console", - "description": "Malware modifies the console.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/console.md", - "external_id": "C0033" - } - ], + "created": "2021-02-10T06:49:35.502442Z", + "modified": "2021-02-10T06:49:35.502442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0e87261d-5234-4ccb-87c1-2f9bb32b5c11", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b9a7ebfb-ce75-4050-b9ac-79d2bf146c4f", + "id": 
"relationship--cc0b0c2b-71f8-4b42-ade1-c89395b15d28", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.020479Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Install Driver", - "description": "Malware installs a driver or minifilter.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "hardware-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/install-driver.md", - "external_id": "C0037" - } - ], + "created": "2021-02-10T06:49:35.513484Z", + "modified": "2021-02-10T06:49:35.513484Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--cb329a09-0291-4a05-ac20-3b35500bfd9b", + "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--b9cf6d75-631e-4209-b84d-63a7dcaf9b65", + "id": "relationship--25b6629b-5e98-4f16-ac49-69fd757b62dc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.999444Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "BSD::Checksum", - "description": "Malware computes a BSD checksum.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md", - "external_id": "C0032.003" - } - ], + "created": "2021-02-10T06:49:35.568481Z", + "modified": "2021-02-10T06:49:35.568481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4e6169c5-7791-4c39-b6c9-d79628a85448", + "target_ref": 
"attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--baae0d7a-88a9-479c-879e-9bbd0dea3bf0", + "id": "relationship--01ed5997-0953-4720-bcaa-ee6b6b274a5b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.523261Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Hook Interrupt", - "description": "Modification of interrupt vector or descriptor tables.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.008" - } - ], + "created": "2021-02-10T06:49:35.660443Z", + "modified": "2021-02-10T06:49:35.660443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--cefefa87-2f06-4008-afcf-847a8bd746af", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bab113ca-bbe4-4b39-bcac-d7fa7325b1e9", + "id": "relationship--82d74673-595f-4bac-9f5d-074122c8f59f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.547264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Two-layer Function Return", - "description": "Two layer jumping confuses tools plotting call graphs.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ 
- { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-call-graph.md", - "external_id": "B0010.001" - }, - { - "source_name": "external_source", - "url": "http://fumalwareanalysis.blogspot.com/2012/01/malware-analysis-tutorial-10-tricks-for.html" - } - ], + "created": "2022-02-04T23:52:41.041094Z", + "modified": "2022-02-04T23:52:41.041094Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b3bc7ff9-4ea7-4b1a-9301-ea0e07e4a85f", + "target_ref": "attack-pattern--916d6dca-adbc-4af9-b810-eb7cd72779c8", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bad6ec3f-e218-4190-8033-3e4e8dae8d00", + "id": "relationship--87b820ed-3140-4a12-a9bf-48274ba5df8c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.580266Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Nested Packing", - "description": "The malware is packed by one packer, the result is packed, etc.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.001" - } - ], + "created": "2021-02-10T06:49:35.461442Z", + "modified": "2021-02-10T06:49:35.461442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--dc49a540-64a4-47e7-8931-0ad5ce595cb7", + "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bb0c753c-31a4-48b9-9548-47a29cce149a", + "id": "relationship--19242b55-3844-41b4-857a-16cc60710375", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.935444Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Window Text", - "description": "After finding an open application window, malware gets graphical window text.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/app-window-discover.md", - "external_id": "E1010.m01" - } - ], + "created": "2021-02-10T06:49:35.503442Z", + "modified": "2021-02-10T06:49:35.503442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1d9b88e8-2bab-44ac-b1ae-26faf8f07f48", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bb3514c7-f3ad-4236-b5b9-a38aa432ea17", + "id": "relationship--6dada824-1e59-4ceb-aa22-b995e42a8347", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.764262Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Compromise Data Integrity", - "description": "Data stored on the file system of a compromised system is manipulated to compromise its integrity.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/compromise-data.md", - "external_id": "B0016" - } - ], + "created": "2021-02-10T06:49:35.560441Z", + "modified": "2021-02-10T06:49:35.560441Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--69af89da-bf40-4b9e-93c5-baa8fb937099", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bb61fa8d-d4d6-492b-9885-17b320bddf36", + "id": "relationship--6c6e7b24-3e47-4e1b-8291-9ea1db133089", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.751794Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Control Dependence", - "description": "Data is propagated via an if-then-else clause instead of direct assignment.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-data-flow-analysis.md", - "external_id": "B0045.001" - }, - { - "source_name": "external_source", - "url": "http://www.seclab.cs.sunysb.edu/seclab/pubs/antitaint.pdf" - } - ], + "created": "2021-02-10T06:49:35.596443Z", + "modified": "2021-02-10T06:49:35.596443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--65ac0031-387e-41f5-8c05-4a7484fa460d", + "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bbcbbd85-689f-486f-b3be-e36852dfe5c5", + 
"id": "relationship--48b8f0a2-952c-4ff7-a239-272755858d3b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.008483Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "pHash::Non-Cryptographic Hash", - "description": "Malware uses the pHash hash function.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md", - "external_id": "C0030.002" - } - ], + "created": "2021-02-10T06:49:35.633444Z", + "modified": "2021-02-10T06:49:35.633444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--46c39f69-1900-4558-9c0d-2d9fe322dd41", + "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bc6ed4f1-4e73-477a-b05c-a49a3dd52642", + "id": "relationship--5871f99e-1801-46fd-a35b-45c9f2c35762", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.462262Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Interrupt 1", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.007" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" - } - ], + "created": "2021-02-10T06:49:35.671443Z", + "modified": 
"2021-02-10T06:49:35.671443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--92ac0cef-de80-4baa-869c-dc993492c0da", + "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f", + "id": "relationship--a3391c54-85a9-4153-b9a2-19cb36534ab6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.716259Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "System Information Discovery", - "description": "Malware may attempt to get detailed information about the system.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/system-info-discover.md", - "external_id": "E1082" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1082", - "external_id": "T1082" - } - ], + "created": "2021-02-10T06:49:35.568481Z", + "modified": "2021-02-10T06:49:35.568481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6636c8bd-41a4-4a1e-965d-642c08be68db", + "target_ref": "attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bdeba524-0f2d-4d2f-a107-2b7516a0b496", + "id": "relationship--e05cfe37-204c-40d0-9c8e-6634941d59d8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.475261Z", - "modified": 
"2022-02-05T00:37:22.507385Z", - "name": "Timing/Delay Check GetTickCount", - "description": "Malware uses GetTickCount function in a timing/delay check.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.032" - } - ], + "created": "2021-02-10T06:49:35.559442Z", + "modified": "2021-02-10T06:49:35.559442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--42cea877-6723-4126-a016-6f2b8954eb6b", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bdf66c87-1488-4eed-ae9c-2482bc93e93d", + "id": "relationship--96eda907-3cd1-41bc-b0cf-64b687f1ca53", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.970483Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Send File::FTP Communication", - "description": "Send FTP file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/ftp-comm.md", - "external_id": "C0004.001" - } - ], + "created": "2021-02-10T06:49:35.653444Z", + "modified": "2021-02-10T06:49:35.653444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--82b547ba-e0b0-457f-95fc-c661d1aa0942", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--be6d8982-3619-4f2f-b5c7-64d9e934ac43", + "id": "relationship--20fda836-e720-4ac1-9864-0192cd8fad3d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.784263Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Click Hijacking", - "description": "Malware alters DNS server settings to route to a rogue DNS server: when the user clicks on a search result link displayed through a search engine query, malware re-routes the user to different website. Instead of going to the requested site, the user is taken to an alternate website such that the click triggers payment to the threat actor.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/generate-fraud-rev.md", - "external_id": "E1472.m01" - }, - { - "source_name": "external_source", - "url": "https://www.itworld.com/article/2734253/security/behind-the--massive--malware-ad-revenue-fraud-case.html" - } - ], + "created": "2021-02-10T06:49:35.573481Z", + "modified": "2021-02-10T06:49:35.573481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--146be7e5-feeb-4dd2-8283-796b29394ac1", + "target_ref": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--be9f9f28-01bb-4b94-b973-14f06a71c968", + "id": "relationship--74774a28-cd8c-4ceb-ab30-53dab39e8578", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2020-08-21T20:49:59.47626Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "WudfIsAnyDebuggerPresent", - "description": "Includes use of WudfIsAnyDebuggerPresent, WudfIsKernelDebuggerPresent, WudfIsUserDebuggerPresent.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.031" - } - ], + "created": "2021-02-10T06:49:35.533442Z", + "modified": "2021-02-10T06:49:35.533442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--becb5385-146e-42a3-a343-5beffc43a15c", + "id": "relationship--0bfa0cee-9802-4e76-baf0-03b903d0e28b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.992483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "3DES::Encrypt Data", - "description": "Malware encrypts with the 3DES algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.004" - } - ], + "created": "2021-02-10T06:49:35.542445Z", + "modified": "2021-02-10T06:49:35.542445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--168ed95b-0c10-42c4-9f0a-c1c462b39f6c", + "target_ref": 
"attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--befe8d09-ebeb-4a60-89a4-9efaaf325e9b", + "id": "relationship--8e7f6ea7-0241-4cd5-8eea-a7ac14ba0d5b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:36.109082Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Get Variable::Environment Variable", - "description": "Malware gets an environment variable.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/enviro-var.md", - "external_id": "C0034.002" - } - ], + "created": "2021-02-10T06:49:35.630659Z", + "modified": "2021-02-10T06:49:35.630659Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2", + "target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bf25a194-496a-4db2-801b-f2c5d3f951b5", + "id": "relationship--deed659f-e020-4b4a-a83c-fe7216aa5cc9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.008483Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "MurmurHash::Non-Cryptographic Hash", - "description": "Malware uses the MurmurHash hash function.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - 
"external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/noncrypto-hash.md", - "external_id": "C0030.001" - } - ], + "created": "2021-02-10T06:49:35.691089Z", + "modified": "2021-02-10T06:49:35.691089Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3d502650-c707-4d28-b520-f440faa33ade", + "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--bf339932-e456-44db-a711-b2d3482d9065", + "id": "relationship--ebfc4b94-6f8a-4c15-b814-788439c3a0d3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.996445Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Mersenne Twister::Generate Pseudo-random Sequence", - "description": "Malware generates a pseudo-random sequence using the Mersenne Twister PRNG.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md", - "external_id": "C0021.005" - } - ], + "created": "2021-02-10T06:49:35.693726Z", + "modified": "2021-02-10T06:49:35.693726Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5", + "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--c08285dc-2707-4016-9db1-187e19f504f6", + "id": "relationship--a248db8d-1741-4285-8c3a-28b4ca1d536d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.499265Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Instruction Testing - VPCEXT", - "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.038" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.589482Z", + "modified": "2021-02-10T06:49:35.589482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--968a2baa-33b0-4c2a-afb8-b899e1acbc0a", + "target_ref": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9", + "id": "relationship--98fa4156-cb44-4e34-9529-82f857d4e683", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.566267Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Executable Code Optimization", - "description": "Code is optimized, making it harder to statically analyze.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - 
"source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-optimize.md", - "external_id": "B0034" - }, - { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/Minification_(programming)" - } - ], + "created": "2021-02-10T06:49:35.692442Z", + "modified": "2021-02-10T06:49:35.692442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--838d57ce-1e63-4898-9054-14851119e5fc", + "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c", + "id": "relationship--bc7ade6d-84f2-43b6-9a70-3b75b784346e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.82226Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Connect Pipe::Interprocess Communication", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md", - "external_id": "C0003.002" - } - ], + "created": "2021-02-10T06:49:35.555449Z", + "modified": "2021-02-10T06:49:35.555449Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4c1e6e56-1c8d-4bce-b696-68ac83cb33f6", + "target_ref": "attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824", + "id": 
"relationship--e75305d8-b1a5-40e9-a116-b3ed4bf97c45",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.796261Z",
- "modified": "2022-02-05T00:37:22.726134Z",
- "name": "Remote Access",
- "description": "Malware may provide an attacker with potentially full access to a system via a remote network connection, which may also provide persistence.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "impact"
- },
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "persistence"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/remote-access.md",
- "external_id": "B0022"
- },
- {
- "source_name": "external_source",
- "url": "https://en.wikipedia.org/wiki/Remote_access_trojan"
- },
- {
- "source_name": "external_source",
- "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
- },
- {
- "source_name": "external_source",
- "url": "https://en.wikipedia.org/wiki/DarkComet"
- }
- ],
+ "created": "2021-02-10T06:49:35.475444Z",
+ "modified": "2021-02-10T06:49:35.475444Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--0985829f-204f-4760-8ece-ff0f3031a715",
+ "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": false
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--c2c8a6d7-c5be-40c2-98ae-96640b2048af",
+ "id": "relationship--4f8381a1-5302-477f-b4b2-8c0f9daf40b3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:31.964486Z",
- "modified": "2022-02-05T00:37:22.71051Z",
- "name": "CDROM",
- "description": "The CD-ROM is modified.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "impact"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/modify-hardware.md",
- "external_id": "B0042.001"
- }
- ],
+ "created": "2021-02-10T06:49:35.528504Z",
+ "modified": "2021-02-10T06:49:35.528504Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc",
+ "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--c2e926cc-5d54-4cce-91f3-acf946574563",
+ "id": "relationship--38f040a5-f925-40ea-aa8b-0699c2abe7d7",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:49:59.737262Z",
- "modified": "2022-02-05T00:37:22.694887Z",
- "name": "Download File",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "execution"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/remote-commands.md",
- "external_id": "B0011.002"
- }
- ],
+ "created": "2021-02-10T06:49:35.679444Z",
+ "modified": "2021-02-10T06:49:35.679444Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--2e82d33e-a804-42a2-9931-57f7b7af78f9",
+ "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--c31eb81c-b21c-4ae2-aed3-bcc77821d3ca",
+ "id": "relationship--c37e1721-4c87-49d5-9693-c80b59b07d46",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": 
"2020-08-21T20:49:59.861259Z",
- "modified": "2022-02-05T00:37:22.788643Z",
- "name": "Append Extension::Alter File Extension",
- "description": "A new extension is appended.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "file-system-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/alter-extend.md",
- "external_id": "C0015.001"
- }
- ],
+ "created": "2021-02-10T06:49:35.551476Z",
+ "modified": "2021-02-10T06:49:35.551476Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--405c94b9-4f0e-476b-982d-72bb1905daa9",
+ "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ],
- "x_mitre_is_subtechnique": true
+ ]
 },
 {
- "type": "attack-pattern",
+ "type": "relationship",
 "spec_version": "2.1",
- "id": "attack-pattern--c3a03554-f52e-49bd-ad0d-f01d4ded7f39",
+ "id": "relationship--e145ee98-24cb-466b-b8c8-ed6ebea0c410",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:32.000444Z",
- "modified": "2022-02-05T00:37:22.773011Z",
- "name": "Luhn::Checksum",
- "description": "Malware uses Luhn algorithm, often to validate identification numbers (e.g, credit card number).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mbc",
- "phase_name": "data-micro-objective"
- }
- ],
- "external_references": [
- {
- "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/checksum.md",
- "external_id": "C0032.002"
- }
- ],
+ "created": "2021-02-10T06:49:35.457445Z",
+ "modified": "2021-02-10T06:49:35.457445Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--8b39b092-d827-4e58-9b67-a9b9e8c6f297",
+ "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c4004f59-4494-4ba9-b5d0-334fd96068ee", + "id": "relationship--7b608625-85f3-4a55-a8c0-6fb72a61b604", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.00648Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Modulo", - "description": "Malware calculates a modulo value.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/modulo.md", - "external_id": "C0058" - } - ], + "created": "2021-02-10T06:49:35.686444Z", + "modified": "2021-02-10T06:49:35.686444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e84f764e-ace1-4149-b73d-664b17954d7b", + "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c44b1c58-8da1-4ebe-a427-a9f2821e7a85", + "id": "relationship--b7758519-6971-4cf9-8ece-36d21527efdc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Bootloader", - "description": "A bootloader rootkit modifies the bootloader, enabling activation before the operating system is started. Also known as a Bootkit. 
See ATT&CK: [Bootkit](https://attack.mitre.org/techniques/T1542/003/).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", - "external_id": "E1014.m13" - } - ], + "created": "2021-02-10T06:49:35.517444Z", + "modified": "2021-02-10T06:49:35.517444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--758df510-b765-4172-94ad-70561cd0ef62", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c484a07a-2c0e-4141-bfd0-161a38812c64", + "id": "relationship--4182f75a-8270-47e2-96fe-156dc6f70dd8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.75826Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Encoding - Standard Encoding", - "description": "Data is encoded. 
A standard algorithm, such as base64 encoding, is used to encode the exfiltrated data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "exfiltration" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", - "external_id": "E1560.m03" - } - ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "created": "2021-02-10T06:49:35.699498Z", + "modified": "2021-02-10T06:49:35.699498Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9c6a7353-74f8-468b-94d8-faee128fa78d", + "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", + "id": "relationship--8f0f82ff-639b-4c7a-8d5f-46b8ca84f642", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.69826Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Rootkit", - "description": "Behaviors of a rootkit: \"A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that is not otherwise allowed and often masks its existence or the existence of other software.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", - "external_id": "E1014" - }, - { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/Rootkit" - }, - { - "source_name": "external_source", - "url": 
"https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1014", - "external_id": "T1014" - } - ], + "created": "2021-02-10T06:49:35.566483Z", + "modified": "2021-02-10T06:49:35.566483Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--aaa95359-3220-45fe-9ae6-397718608ee4", + "target_ref": "attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95", + "id": "relationship--bb7c22ee-0b34-4097-aa2f-4bc8cd53b271", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.548264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Call Graph Generation Evasion", - "description": "Malware code evades accurate call graph generation during disassembly. Call graphs are used by malware similarity tools and algorithms ([[1]](#1), [[4]](#4)), as well as for malware detection [[2]](#2).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-call-graph.md", - "external_id": "B0010" - }, - { - "source_name": "external_source", - "description": "K. Blokhin, D. Mentis, J. 
Saxe, \"Malware Similarity Identification Using Call Graph Based System Call Subsequence Features,\" 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops, July 2013.", - "url": "https://www.researchgate.net/publication/269326967_Malware_Similarity_Identification_Using_Call_Graph_Based_System_Call_Subsequence_Features" - }, - { - "source_name": "external_source", - "description": "P. Deshpande, M. Stamp, \"Metamorphic Malware Detection Using Function Call Graph Analysis,\" MIS Review Vol. 21, Nos. 1/2, September(2015)/March(2016).", - "url": "https://pdfs.semanticscholar.org/8db2/69106ea6e1f59e4dac0889665dd3336ee9b1.pdf" - }, - { - "source_name": "external_source", - "url": "http://fumalwareanalysis.blogspot.com/2012/01/malware-analysis-tutorial-10-tricks-for.html" - }, - { - "source_name": "external_source", - "description": "S. Shang, N. Zheng, J. Xu, M. Xu, H. Zhang, \"Detecting Malware Variants via Function-call Graph Similarity,\" IEEE 2010 5th International Conference on Malicious and Unwanted Software, 2010.", - "url": "http://seclab.hdu.edu.cn/static/uploads/paper/10-05.pdf" - } - ], + "created": "2021-02-10T06:49:35.505442Z", + "modified": "2021-02-10T06:49:35.505442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--dd5fd5f1-cc85-409b-a4c0-96cea106cd82", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc", + "id": "relationship--e5832f12-846f-4b6d-9c75-f88815a156c3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.987483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Crypto Library", - "description": "Malware uses a crypto library.", - 
"kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-lib.md", - "external_id": "C0059" - } - ], + "created": "2021-02-10T06:49:35.577443Z", + "modified": "2021-02-10T06:49:35.577443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5280b393-729d-43d5-b9e7-81da3d31b450", + "target_ref": "attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "id": "relationship--fca68d5f-25cb-4d48-a88b-ac71774471f8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.518266Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Debugger Evasion", - "description": "Behaviors that make debugging difficult.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002" - }, - { - "source_name": "external_source", - "url": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf" - }, - { - "source_name": "external_source", - "url": "https://www.synack.com/2016/02/17/analyzing-the-anti-analysis-logic-of-an-adware-installer/" - }, - { - "source_name": "external_source", - "url": "http://phishme.com/dridex-code-breaking-modify-the-malware-to-bypass-the-vm-bypass/" - }, - { - "source_name": "external_source", - "url": 
"http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/" - }, - { - "source_name": "external_source", - "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" - } - ], + "created": "2022-09-08T18:26:19.048454Z", + "modified": "2022-09-08T18:26:19.048454Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0c59fe14-659a-4248-b205-7fc3371af6c7", + "target_ref": "attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c863faee-3dcc-4fc0-9d16-9d0b7e75051c", + "id": "relationship--ece75804-24e6-4f71-9c07-e8d812e62918", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.65626Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Modify Policy", - "description": "Malware may modify policies to make software less effective.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", - "external_id": "F0004.005" - } - ], + "created": "2021-02-10T06:49:35.715443Z", + "modified": "2021-02-10T06:49:35.715443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b1c9e70b-d514-4924-848d-c6403560e6c5", + "target_ref": "attack-pattern--d10a18cc-23b6-4421-82e1-1ba28319012b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--c8a2e7c9-e359-43de-ba00-ca147397701e", + "id": "relationship--65eb30ae-9fc5-4945-a2c5-1983a7771682", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.011483Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Copy File", - "description": "Malware copies a file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/copy-file.md", - "external_id": "C0045" - } - ], + "created": "2021-02-10T06:49:35.576443Z", + "modified": "2021-02-10T06:49:35.576443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b67d0824-50d3-4066-906b-93dd26a9f05f", + "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c8d17860-f4e4-4403-a28b-02c784a3ca70", + "id": "relationship--1fe09442-6d77-4094-86f7-e23f9d898791", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.557264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Import Address Table Obfuscation", - "description": "Obfuscate the import address table.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.011" - } - ], + "created": "2021-02-10T06:49:35.666446Z", + "modified": "2021-02-10T06:49:35.666446Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--010c8801-3ad4-479b-8c56-c29e108121c9", + "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--c9223618-2865-499f-890e-2848db80a6d9", + "id": "relationship--a2efeee6-b13f-42c8-ab8d-288eeaad4905", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "GetVolumeInformation", - "description": "This Windows API call is used to get the GUID on a system drive. Malware compares it to a previous (targeted) GUID value and only executes maliciously if they match. This behavior can be mitigated in non-automated analysis environments.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", - "external_id": "B0025.003" - } - ], + "created": "2021-02-10T06:49:35.599445Z", + "modified": "2021-02-10T06:49:35.599445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--373415cb-bc3b-4602-8032-584b7cf758c5", + "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ca32295b-c968-4099-a010-e8758c066be6", + "id": "relationship--c37197a3-9115-4308-810d-45e2c34336e9", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.845581Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Hypervisor/Virtualized Rootkit", - "description": "A hypervisor (virtualized) rootkit hosts the target operating system as a virtual machine, enabling interception of all hardware calls. Also called, virtual-machine-based rootkit (VMBR).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/rootkit-behavior.md", - "external_id": "E1014.m15" - } - ], + "created": "2021-02-10T06:49:35.625442Z", + "modified": "2021-02-10T06:49:35.625442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--90006260-5019-4c35-8c88-6ee23826734e", + "target_ref": "attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cada9d62-2163-42e3-88ec-d37e2ade1030", + "id": "relationship--3a47d7e2-9bd4-4462-8653-026774d34df5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.502264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Unique Hardware/Firmware Check - BIOS", - "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. 
Characteristics of the BIOS, such as version, can indicate virtualization.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.024" - } - ], + "created": "2021-02-10T06:49:35.550479Z", + "modified": "2021-02-10T06:49:35.550479Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4e688c01-10a1-41e9-a909-5442531069ac", + "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cb1c9047-e589-4aed-b5d5-c6062a1ab340", + "id": "relationship--7ce27e33-57a1-4f7c-be2a-bc1c02895dc1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.801263Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Abuse Enterprise Certificates", - "description": "Abusing enterprise certificates enables malware to exploit private APIs and infect a wide range of users (see *Exploit Private APIs* below).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "lateral-movement" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/lateral-movement/supply-chain-compromise.md", - "external_id": "E1195.m01" - } - ], + "created": "2021-02-10T06:49:35.604442Z", + "modified": "2021-02-10T06:49:35.604442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--68d12b85-7712-4572-a801-222a375b7033", + "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cb329a09-0291-4a05-ac20-3b35500bfd9b", + "id": "relationship--906b23a2-308a-464c-9779-f337b7865b17", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.522264Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Encode File", - "description": "Encode a file on disk, such as an implant's config file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.006" - } - ], + "created": "2022-02-04T23:52:40.914452Z", + "modified": "2022-02-04T23:52:40.914452Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483", + "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cb5e801d-a60f-497e-93b6-23d5e29c09fd", + "id": "relationship--8d7c4d84-81ac-4339-9990-1bb3675f8571", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.538265Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "On-the-Fly APIs", - "description": "Resolve API addresses before each use to prevent complete dumping.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006.007" - } - ], + "created": "2022-02-04T23:52:40.945699Z", + "modified": "2022-02-04T23:52:40.945699Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--af70b2f4-e552-4ec0-b6ce-1c8c38e6748c", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae", + "id": "relationship--bf274f8b-4ec2-45e0-ba44-49e4de17bff1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.73126Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Install Additional Program", - "description": "Installs another, different program on the system. 
The additional program can be any secondary module; examples include backdoors, malicious drivers, kernel modules, and OS X Apps.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/install-prog.md", - "external_id": "B0023" - }, - { - "source_name": "external_source", - "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" - }, - { - "source_name": "external_source", - "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html" - }, - { - "source_name": "external_source", - "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" - } - ], + "created": "2021-02-10T06:49:35.571485Z", + "modified": "2021-02-10T06:49:35.571485Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--10bee884-590b-45f4-8577-5cbe6d6efa1a", + "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cbfcfc30-2fa3-4160-a9ba-4cc6c0f48345", + "id": "relationship--2e7a50d1-fe73-4543-8001-157ab23a0b0a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.964486Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Mouse", - "description": "The mouse is modified.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/modify-hardware.md", - "external_id": 
"B0042.002" - } - ], + "created": "2021-02-10T06:49:35.627444Z", + "modified": "2021-02-10T06:49:35.627444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f93d127d-164b-47c1-81e9-e7011cb478f8", + "target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cc396380-d266-4e87-8fc7-412e89a2b4b0", + "id": "relationship--00bf70ee-e091-4898-897c-ee93b69fdd1a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.908377Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "System Services", - "description": "Malware may abuse system services or daemons to execute.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/system-services.md", - "external_id": "E1569" - }, - { - "source_name": "external_source", - "url": "https://support.resolver.com/hc/en-ca/articles/207161116-Configure-Microsoft-Distributed-Transaction-Coordinator-MSDTC-" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1569/", - "external_id": "T1569" - } - ], + "created": "2021-02-10T06:49:35.48548Z", + "modified": "2021-02-10T06:49:35.48548Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2620e845-cb45-43b5-91a4-dd72dcf3339d", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": 
"attack-pattern--cc89a8c1-00d2-4ae2-bda2-a35398a63214", + "id": "relationship--3de5f447-d5fe-417a-a775-afbc85f6e093", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.501259Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Modern Specs Check - Keyboard layout", - "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Check keyboard layout.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.019" - } - ], + "created": "2021-02-10T06:49:35.503442Z", + "modified": "2021-02-10T06:49:35.503442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7aa33db8-4800-430a-8068-8b57b85a9b8a", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cd438b37-74b0-433b-85d2-8530724401fa", + "id": "relationship--5e47a989-fee8-427e-a93f-503db3d69253", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.499265Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Instruction Testing - STR", - "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.033" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.590482Z", + "modified": "2021-02-10T06:49:35.590482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fbaedc87-7d0b-447c-a9e5-0f6c2658770a", + "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ce322a95-0385-40cb-af25-96e377a7de8f", + "id": "relationship--75f5c30a-ad85-4f2e-87b0-ac7f45cd1f8c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.565262Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Jump/Call Absolute Address", - "description": "Relative operands of jumps and calls into are made absolute (better compression). 
May confuse some basic block detection algorithms.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-optimize.md", - "external_id": "B0034.001" - } - ], + "created": "2021-02-10T06:49:35.590482Z", + "modified": "2021-02-10T06:49:35.590482Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f1e8e35a-e893-403a-b34c-1b5d54945764", + "target_ref": "attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74", + "id": "relationship--fe8e6a43-aaf5-4d90-9171-fb68dd154b20", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.67026Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Modify Registry", - "description": "Malware may make changes to the Windows Registry to hide execution or to persist on the system (note that ATT&CK does not extend this behavior to the Persistence objective).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/modify-reg.md", - "external_id": "E1112" - }, - { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1112", - "external_id": "T1112" - } - ], + "created": 
"2021-02-10T06:49:35.672443Z", + "modified": "2021-02-10T06:49:35.672443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d2dd9838-ea8f-4a2f-99f4-8a8a468110a4", + "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--ced26a03-d356-4f8e-8337-9a07c0becd86", + "id": "relationship--03f09bec-9d2d-4219-8b1f-d81b8e136ed5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.982483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "TCP Server::Socket Communication", - "description": "TCP server behavior.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.002" - } - ], + "created": "2021-02-10T06:49:35.708629Z", + "modified": "2021-02-10T06:49:35.708629Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e72b1f9b-69a5-44fa-8de6-fa7d4ccc726c", + "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cefefa87-2f06-4008-afcf-847a8bd746af", + "id": "relationship--241f08dc-6295-4679-91de-c94cff8fa0a3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.982483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Receive TCP Data::Socket Communication", - 
"description": "Receive TCP data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.016" - } - ], + "created": "2021-02-10T06:49:35.630062Z", + "modified": "2021-02-10T06:49:35.630062Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f30b55fa-0ddf-49d9-884b-8cdb9e567758", + "target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--cfa8658b-c504-41eb-9886-05de4962319c", + "id": "relationship--de5218cb-6a46-4b8b-bbd7-511edbd5ee67", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.982483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Receive Data::Socket Communication", - "description": "Receive data on socket.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.006" - } - ], + "created": "2021-02-10T06:49:35.69636Z", + "modified": "2021-02-10T06:49:35.69636Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--20bb8954-7d15-4f3f-b015-6de301407391", + "target_ref": "attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": 
"relationship", "spec_version": "2.1", - "id": "attack-pattern--d10a18cc-23b6-4421-82e1-1ba28319012b", + "id": "relationship--83f2e82d-a763-4aa2-bae2-c80d2d4aef3b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.90926Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Kernel Modules and Extensions", - "description": "Malware may use loadable kernel modules to persist on a system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. Malware may try to hide drivers or modules by creating them without a name.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/kernel-modules-ext.md", - "external_id": "F0010" - } - ], + "created": "2021-02-10T06:49:35.588443Z", + "modified": "2021-02-10T06:49:35.588443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--95c86aee-57b2-4cc2-9354-772a30b4024f", + "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263", + "id": "relationship--07642f24-b50f-44ff-8b66-7c1032543d6d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.634261Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Hooking", - "description": "Malware alters API behavior or redirects execution to a malicious API version for a variety of purposes. 
Malware may use hooking to load and execute code within the context of another process, hiding execution and gaining elevated privileges and access to the process's memory. Methods related to anti-behavioral analysis are below. For example, hooking can be used to prevent memory dumps - see also [Memory Dump Evasion](https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/hooking.md", - "external_id": "F0003" - }, - { - "source_name": "external_source", - "url": "https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures" - }, - { - "source_name": "external_source", - "url": "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/" - } - ], + "created": "2021-02-10T06:49:35.562442Z", + "modified": "2021-02-10T06:49:35.562442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--963d7b96-04f2-4c34-82ae-64bc6d5d37dc", + "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2", + "id": 
"relationship--20cb96ec-81d9-4f79-bc94-5cf1074a5144", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.002478Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Compress Data", - "description": "Malware may compress data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/compress.md", - "external_id": "C0024" - } - ], + "created": "2022-02-04T23:52:40.914452Z", + "modified": "2022-02-04T23:52:40.914452Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--bb61fa8d-d4d6-492b-9885-17b320bddf36", + "target_ref": "attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d26aaa4d-5143-4888-b81c-346d3b51641b", + "id": "relationship--7c97afe2-429f-4a23-9654-ae96a117ed8f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.86526Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Create Ransomware File::Create File", - "description": "Create a file used by ransomware.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/create-file.md", - "external_id": "C0016.002" - } - ], + "created": "2021-02-10T06:49:35.628442Z", + "modified": "2021-02-10T06:49:35.628442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e0563aa9-70e1-41b8-ae78-0434ece93e36", + 
"target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d27a6bf4-7e7b-4007-9301-20eec9d8fe20", + "id": "relationship--07c21597-9ec5-4667-8ed3-a31e0de953bb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.981483Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Connect Socket::Socket Communication", - "description": "A server or client connects via a TCP socket.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.004" - } - ], + "created": "2021-02-10T06:49:35.50848Z", + "modified": "2021-02-10T06:49:35.50848Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3c0f36be-c4c0-4769-9be4-50682bc6a467", + "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d2dd9838-ea8f-4a2f-99f4-8a8a468110a4", + "id": "relationship--0c5b75e3-70a1-4039-86b3-c8144f2ec4eb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.986482Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Tiger::Cryptographic Hash", - "description": "Malware uses a Tiger hash.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - 
"external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/crypto-hash.md", - "external_id": "C0029.005" - } - ], + "created": "2021-02-10T06:49:35.546456Z", + "modified": "2021-02-10T06:49:35.546456Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--373bb770-4890-4e13-a0d6-94459bed37aa", + "target_ref": "attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d320eec6-6fe3-4fd8-81f8-700742858f19", + "id": "relationship--a2ac4560-a53c-4584-82b6-0d63adfc3e98", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.891261Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Create Mutex::Synchronization", - "description": "Malware creates a mutex to enable synchronization.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/synchronization.md", - "external_id": "C0022.001" - } - ], + "created": "2021-02-10T06:49:35.539444Z", + "modified": "2021-02-10T06:49:35.539444Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--677563ae-beb5-47f2-b85c-ece6d7c7dc7e", + "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d3656287-db62-4856-860d-6b3ff60e23b2", + "id": 
"relationship--7aa24094-a0c9-40c9-b18a-66e5ce8158e4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.489264Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check File and Directory Artifacts", - "description": "Virtual machines create files on the file system (e.g., VMware creates files in the installation directory C:\\Program Files\\VMware\\VMware Tools). Malware can check the different folders to find virtual machine artifacts (e.g., Virtualbox has the artifact VBoxMouse.sys).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.001" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" - } - ], + "created": "2021-02-10T06:49:35.652445Z", + "modified": "2021-02-10T06:49:35.652445Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--97a53670-fbd8-40bb-a950-acec7a6e7958", + "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d37365f4-63c4-4c3e-a81e-be518e7561f1", + "id": "relationship--7cd10bf9-ba46-4317-a85b-231e5c832076", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "RSA::Decrypt Data", - "description": "Malware decrypts data encrypted with the RSA algorithm.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { 
- "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.010" - } - ], + "created": "2021-02-10T06:49:35.492443Z", + "modified": "2021-02-10T06:49:35.492443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--81c902fa-0862-4f21-b951-f82a5d39f204", + "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d447c221-2ab5-4378-bb19-78b97869fa58", + "id": "relationship--d93cf5e4-950c-4d4e-b943-0bfb615e266c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "Sosemanuk::Decrypt Data", - "description": "Malware decrypts data encrypted with the Sosemanuk stream cipher.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.012" - } - ], + "created": "2021-02-10T06:49:35.578443Z", + "modified": "2021-02-10T06:49:35.578443Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--74f89ee2-f4c0-4221-8951-e3a8f1fc449b", + "target_ref": "attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + ] }, { - "type": "attack-pattern", + "type": "relationship", "spec_version": "2.1", - "id": "attack-pattern--d4aefa59-0817-4916-ad93-6ef174e070d3", + "id": "relationship--f2b3c6e6-e5cd-40c3-a696-db320c47a2f8", + 
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2021-02-10T06:49:35.497442Z",
+ "modified": "2021-02-10T06:49:35.497442Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--0be642a6-a030-4ecf-9c30-83f9cbc9fd56",
+ "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--c72e66be-ab97-46b7-b81c-1cab91d74cfc",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2021-02-10T06:49:35.455445Z",
+ "modified": "2021-02-10T06:49:35.455445Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--e97aa9eb-a7d6-4c4a-810f-140f1dda08ca",
+ "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--c2742004-51f3-444a-808a-340150b3b446",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2021-02-10T06:49:35.71359Z",
+ "modified": "2021-02-10T06:49:35.71359Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--5b93eef5-683e-44cb-b737-0e80feb890d2",
+ "target_ref": "attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--f4652f50-9382-4d5c-9d3b-3b4bd79ce163",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2021-02-10T06:49:35.460442Z",
+ "modified": "2021-02-10T06:49:35.460442Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400",
+ "target_ref": 
"attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--243dea78-6022-4436-a953-b07912907883",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2021-02-10T06:49:35.48648Z",
+ "modified": "2021-02-10T06:49:35.48648Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--a9364e83-2893-4989-b01a-e74ea9ced03a",
+ "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--f280014a-68d1-48d4-8049-9ce3fd3a17c8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2021-02-10T06:49:35.595442Z",
+ "modified": "2021-02-10T06:49:35.595442Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--1011a561-6f17-4f8d-874a-8ad491a2b470",
+ "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--67732fa8-3cfc-421f-8ada-29e22ed938ea",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2021-02-10T06:49:35.636849Z",
+ "modified": "2021-02-10T06:49:35.636849Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--2847e96e-8080-4f95-96df-b2194e42ac25",
+ "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e59f3937-5414-47ad-a701-e29e904dbea1",
+ "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2021-02-10T06:49:35.571485Z",
+ "modified": "2021-02-10T06:49:35.571485Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--d61e7edf-865e-4d88-99cb-09dad9e44195",
+ "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--f4b8c20e-eece-4285-ae9d-b68a6cd0ac49",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-02-04T23:52:40.945699Z",
+ "modified": "2022-02-04T23:52:40.945699Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--2494ac41-5d2b-4112-903a-fdc2a09d376b",
+ "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--00f63103-9864-4fd0-80fd-4b4952d5bec2",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2021-02-10T06:49:35.679444Z",
+ "modified": "2021-02-10T06:49:35.679444Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac",
+ "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "created": "2020-01-01T00:00:00.000Z",
+ "spec_version": "2.1",
+ "description": "The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting.",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:35.751794Z",
- "modified": "2022-02-05T00:37:22.569857Z",
- 
"name": "Arbitrary Memory Corruption", - "description": "Data is propagated by corrupting memory, for example overwriting a region of stack space where a file pointer is held.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-data-flow-analysis.md", - "external_id": "B0045.003" - }, - { - "source_name": "external_source", - "url": "http://www.seclab.cs.sunysb.edu/seclab/pubs/antitaint.pdf" + "external_id": "mbc", + "url": "https://github.com/MBCProject" } ], + "id": "x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6", + "modified": "2021-02-11T06:49:31.787443Z", + "name": "MBC", "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true + "tactic_refs": [ + "x-mitre-tactic--da7738af-46f6-4bc6-bfa2-91a466439391", + "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153", + "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa", + "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3", + "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343", + "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828", + "x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589", + "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b", + "x-mitre-tactic--6771a9e9-03e2-45df-bc92-2ce9249123bc", + "x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6", + "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a", + "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e", + "x-mitre-tactic--408ef4fa-de24-489a-ac9e-1f51af84bf5d", + "x-mitre-tactic--e4edf677-0ea0-474a-a14d-da3ea660d69f", + "x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3", + "x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0", + "x-mitre-tactic--dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e", + "x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88", + 
"x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d", + "x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59", + "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2" + ], + "type": "x-mitre-matrix" }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d4b96b74-7cf9-46c2-8c09-ea8fd124b15a", + "id": "attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.849262Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Use API::Generate Pseudo-random Sequence", - "description": "Malware generates a pseudo-random sequence using a Windows API.", + "created": "2020-08-21T20:49:59.823261Z", + "modified": "2022-09-08T18:26:13.368489Z", + "name": "Read Pipe::Interprocess Communication", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" + "phase_name": "communication-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md", - "external_id": "C0021.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md", + "external_id": "C0003.003" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d5762c67-a576-4aa8-aacd-3fba3a7f4599", + "id": "attack-pattern--b5f930c9-ea8f-45dd-9317-60b270606cb2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Environmental Keys", - "description": "Malware reads certain attributes of the system (BIOS version 
string, hostname, MAC address, etc.) and encrypts/decrypts portions of its code or data using those attributes as input, thus preventing itself from being run on an unintended system (e.g., sandbox, emulator, etc.). Also see Deposited Keys Method.", + "modified": "2022-09-08T18:26:13.23535Z", + "name": "Execution Dependency", + "description": "Software may require certain run-time or library dependencies consistent with normal software development and deployment. For example, software may require the presence of a .NET or Java runtime or to be run by a webserver that supports PHP. Unlike in **Conditional Execution ([B0025](https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md))** this dependency is not because of an explicit check coded into the malware by the author.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", - "external_id": "B0025.002" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/execution-dependency.md", + "external_id": "B0044" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d5e09700-cfae-43b7-831e-958a4e64251b", + "id": "attack-pattern--b87f5902-5985-4b45-b8df-b3b24f214650", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.513264Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Modify PE 
Header", - "description": "Any part of the header is changed or erased.", + "created": "2021-02-10T06:49:32.028478Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Console", + "description": "Malware modifies the console.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "operating-system-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.014" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/console.md", + "external_id": "C0033" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d6181cb9-7268-4ff7-99db-94df827e746e", + "id": "attack-pattern--7fac651b-a6ae-494c-9386-d75a454776da", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.601273Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "WinAPI", - "description": "Screen is captured using WinAPI functions (e.g., user32.GetDesktopWindow).", + "created": "2021-02-10T06:49:31.893484Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "ASPack", + "description": "Uses ASPack.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "collection" + "phase_name": "anti-behavioral-analysis" }, { "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], 
"external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/screen-capture.md", - "external_id": "E1113.m01" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.013" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d61dcb50-dcf8-408d-96e2-f3cd75f93be0", + "id": "attack-pattern--42c0847a-d4e3-497e-9540-c691ae0364c1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.520265Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Alternative ntdll.dll", - "description": "A copy of ntdll.dll is dropped to the filesystem and then loaded. This alternative DLL is used to execute function calls to evade sandboxes which use hooking in the operating system's ntdll.dll.", + "created": "2020-08-21T20:49:59.707263Z", + "modified": "2022-09-08T18:26:13.216564Z", + "name": "Process detection - Sandboxes", + "description": "Malware can scan for the process name associated with common analysis tools. 
Joe Sandbox, etc.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "discovery" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.001" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", + "external_id": "B0013.007" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d61e7edf-865e-4d88-99cb-09dad9e44195", + "id": "attack-pattern--69d4e839-b6ce-4299-b242-83192d6b62c2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.657259Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Unhook APIs", - "description": "Security products may hook APIs to monitor the behavior of malware. To avoid being found, malware may load DLLs in memory and overwrite their bytes.", + "created": "2020-08-21T20:49:59.485265Z", + "modified": "2022-09-08T18:26:13.298083Z", + "name": "Screen Resolution Testing", + "description": "Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower. No one is actually working on a such small screen. 
Malware could potentially detect the screen resolution to determine if it's a user machine or a sandbox.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", - "external_id": "F0004.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", + "external_id": "B0007.006" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622", + "id": "attack-pattern--741edcac-607c-4ebf-a8d0-928e02fe1461", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.823261Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Read Pipe::Interprocess Communication", + "created": "2021-02-10T06:49:31.974485Z", + "modified": "2022-09-08T18:26:13.365539Z", + "name": "Get Response::HTTP Communication", + "description": "HTTP client receives response.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "communication-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md", - "external_id": "C0003.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.017" } ], - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d7183ad6-af24-4400-9539-f3a70be04a76", + "id": "attack-pattern--7781ebfd-13bd-4a00-9c51-ed98a45f8749", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.953485Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Clipboard Modification", - "description": "ATT&CK defines Clipboard Modification as a Mobile technique (Android platform). MBC extends it to the Windows platform.", + "created": "2022-09-08T18:26:13.393654Z", + "modified": "2022-09-08T18:26:13.393654Z", + "name": "Static Public Library::Crypto Library", + "description": "A public crypto library is embedded in the code.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "impact" + "phase_name": "cryptography-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/clipboard-mod.md", - "external_id": "E1510" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1510/", - "external_id": "T1510" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-lib.md", + "external_id": "C0059.002" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d71d433d-6815-4cca-940c-b21b05ab9a47", + "id": "attack-pattern--677563ae-beb5-47f2-b85c-ece6d7c7dc7e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Abuse 
Windows Function Calls", - "description": "Malware abuses native Windows function calls to transfer execution to shellcode that it loads into memory. A pointer to the callback function is used to supply the memory address of the shellcode. Functions that can be abused include EnumResourceTypesA and EnumUILanguagesW.", + "created": "2020-08-21T20:49:59.560265Z", + "modified": "2022-09-08T18:26:13.193867Z", + "name": "Junk Code Insertion", + "description": "Insert dummy code between relevant opcodes. Can make signature writing more complex.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "privilege-escalation" + "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md", - "external_id": "F0015.006" - }, - { - "source_name": "external_source", - "url": "http://ropgadget.com/posts/abusing_win_functions.html" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.007" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d7c408e8-d813-46aa-8267-a76f8d53ec35", + "id": "attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.510265Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Byte Stealing", - "description": "Move or copy the first bytes / instructions of the original code elsewhere. 
AKA stolen bytes or code splicing. For example, a packer may incorporate the first few instructions of the original EntryPoint (EP) into its unpacking stub before the tail transition in order to confuse automated unpackers and novice analysts. This can make it harder for rebuilding and may bypass breakpoints if set prematurely.", + "created": "2020-08-21T20:49:59.86526Z", + "modified": "2022-02-05T00:37:22.788643Z", + "name": "Create File", + "description": "Malware creates a file.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "file-system-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/create-file.md", + "external_id": "C0016" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d83c8fbc-c7bf-4108-ba64-f1a9ac737da1", + "id": "attack-pattern--c3a03554-f52e-49bd-ad0d-f01d4ded7f39", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.496265Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Instruction Testing - IN", - "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.", + "created": "2021-02-10T06:49:32.000444Z", + "modified": "2022-02-05T00:37:22.773011Z", + "name": "Luhn::Checksum", + "description": "Malware uses Luhn algorithm, often to validate identification numbers (e.g, credit card number).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "data-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.035" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md", + "external_id": "C0032.002" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d850864e-1db4-40f3-b891-b1db177d48b3", + "id": "attack-pattern--d320eec6-6fe3-4fd8-81f8-700742858f19", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.917484Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Attribute", - "description": "Malware may change or choose an attribute to hide a file or directory.", + "created": "2020-08-21T20:49:59.891261Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Create Mutex::Synchronization", + "description": "Malware creates a mutex to enable synchronization.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" + "phase_name": "process-micro-objective" } ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hidden-files.md", - "external_id": "F0005.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/synchronization.md", + "external_id": "C0022.001" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "id": "attack-pattern--3aa1c4d4-06c4-4d48-bc44-601b29abded8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.817261Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "HTTP Communication", - "description": "This micro-behavior is related to HTTP communication.", + "created": "2020-08-21T20:49:59.558264Z", + "modified": "2022-09-08T18:26:13.193094Z", + "name": "Instruction Overlap", + "description": "Jump after the first byte of an instruction to confuse disassembler.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" + "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.013" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": 
"attack-pattern--da0fe52b-e2c5-4574-a572-09c999c86b59", + "id": "attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Deposited Keys", - "description": "Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system. Also see Environmental Keys Method.", + "created": "2020-08-21T20:49:59.556264Z", + "modified": "2022-09-08T18:26:13.192025Z", + "name": "Fake Code Insertion", + "description": "Add fake code similar to known packers or known goods to fool identification. Can confuse some automated unpackers.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", - "external_id": "B0025.008" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.004" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--da7d23d7-ead0-4926-a7ee-be9ea77bb2cd", + "id": "attack-pattern--903b44e8-0547-4945-ac5a-ee21d0898d4d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - 
"created": "2020-08-21T20:49:59.551264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Variable Recomposition", - "description": "Variables, often strings, are broken into multiple parts and store out of order, in different memory ranges, or both. They must then be recomposed before use.", + "created": "2020-08-21T20:49:59.479261Z", + "modified": "2022-09-08T18:26:13.32387Z", + "name": "Check for WINE Version", + "description": "Checks for WINE via the `get_wine_version` function from WINE's `ntdll.dll`.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-disassembler.md", - "external_id": "B0012.004" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md", + "external_id": "B0004.002" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dad3c536-a9a6-492b-baae-4353f2c6f601", + "id": "attack-pattern--5ef50fb5-9da5-4926-85a6-8049dc0be9b3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.923443Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Encryption of Code", - "description": "A file's executable code is encrypted, but not necessarily the file's data.", + "created": "2021-02-10T06:49:31.981483Z", + "modified": "2022-09-08T18:26:13.373675Z", + "name": "Send TCP Data::Socket Communication", + "description": "Send TCP data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": 
"mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "communication-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", - "external_id": "E1027.m06" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.014" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--db58e527-5e81-489f-b05a-537ea9b6bae9", + "id": "attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.498264Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Instruction Testing - SIDT (red pill)", - "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest's IDTR to avoid conflict with the host's IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned.", + "created": "2020-08-21T20:49:59.548264Z", + "modified": "2022-09-08T18:26:13.189627Z", + "name": "Call Graph Generation Evasion", + "description": "Malware code evades accurate call graph generation during disassembly. 
Call graphs are used by malware similarity tools and algorithms ([[1]](#1), [[4]](#4)), as well as for malware detection [[2]](#2).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.030" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/call-graph-generation-evasion.md", + "external_id": "B0010" }, { "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" + "description": "K. Blokhin, D. Mentis, J. Saxe, \"Malware Similarity Identification Using Call Graph Based System Call Subsequence Features,\" 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops, July 2013.", + "url": "https://www.researchgate.net/publication/269326967_Malware_Similarity_Identification_Using_Call_Graph_Based_System_Call_Subsequence_Features" + }, + { + "source_name": "external_source", + "description": "P. Deshpande, M. Stamp, \"Metamorphic Malware Detection Using Function Call Graph Analysis,\" MIS Review Vol. 21, Nos. 1/2, September(2015)/March(2016).", + "url": "https://pdfs.semanticscholar.org/8db2/69106ea6e1f59e4dac0889665dd3336ee9b1.pdf" + }, + { + "source_name": "external_source", + "url": "http://fumalwareanalysis.blogspot.com/2012/01/malware-analysis-tutorial-10-tricks-for.html" + }, + { + "source_name": "external_source", + "description": "S. Shang, N. Zheng, J. Xu, M. Xu, H. 
Zhang, \"Detecting Malware Variants via Function-call Graph Similarity,\" IEEE 2010 5th International Conference on Malicious and Unwanted Software, 2010.", + "url": "http://seclab.hdu.edu.cn/static/uploads/paper/10-05.pdf" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dc49a540-64a4-47e7-8931-0ad5ce595cb7", + "id": "attack-pattern--f4d0e9ac-c868-42fa-9b1f-0d0bee913da1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.471262Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "ProcessHeap", - "description": "Process heaps are affected by debuggers. Malware can detect a debugger by checking heap header fields such as Flags (debugger present if value greater than 2) or ForceFlags (debugger present if value greater than 0).", + "created": "2021-02-10T06:49:31.980486Z", + "modified": "2022-09-08T18:26:13.371325Z", + "name": "Set Socket Config::Socket Communication", + "description": "Configure socket.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.021" + "phase_name": "communication-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--dc5231d1-332e-45ab-9995-412a5da4c10d", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.485265Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Self Check", - "description": "Malware may check 
its own characteristics to determine whether it's running in a sandbox. For example, a malicious Office document might check its file name or VB project name.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md", - "external_id": "B0007.007" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.001" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dcd263ce-1f73-4f82-a7cf-5571498a8d36", + "id": "attack-pattern--12c16b13-65d4-49ea-9dcb-3a88553ac5d3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.517264Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Stolen API Code", - "description": "A variation of \"byte stealing\" where the first few instructions or bytes of an API are executed in user code, allowing the IAT to point into the middle of an API function. 
This confuses IAT rebuilders such as ImpRec and Scylla and may bypass breakpoints.", + "created": "2021-02-10T06:49:31.989483Z", + "modified": "2022-09-08T18:26:13.385292Z", + "name": "HC-128::Decrypt Data", + "description": "Malware decrypts data encrypted with the HC-128 algorithm.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "cryptography-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.027" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.006" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dcd29dd1-20d2-4387-90dd-95480c4e0f1c", + "id": "attack-pattern--b82bbd87-e936-4b0e-a708-a277630fec11", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.021478Z", + "created": "2021-02-10T06:49:32.017471Z", "modified": "2022-02-05T00:37:22.804261Z", - "name": "Mouse Click::Simulate Hardware", - "description": "Malware simulates mouse click.", + "name": "Read File", + "description": "Malware reads a file.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "hardware-micro-objective" + "phase_name": "file-system-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/simulate-hardware.md", - "external_id": "C0057.002" + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/read-file.md", + "external_id": "C0051" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dcfb5c52-a6e0-4c64-a937-91d730cd7a5b", + "id": "attack-pattern--1506d910-1208-4064-a633-8291f6d36e74", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.47826Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Check Emulator-related Registry Keys", - "description": "Emulators register artifacts in the registry, which can be detected by malware. For example, installation of QEMU results in the registry key: *HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0* with value=*Identifier* and data=*QEMU*, or registry key: *HARDWARE\\Description\\System* with value=*SystemBiosVersion* and data=*QEMU*.", + "created": "2020-08-21T20:49:59.554264Z", + "modified": "2022-09-08T18:26:13.190681Z", + "name": "API Hashing", + "description": "Instead of storing function names in the Import Address Table (IAT) and calling GetProcAddress, a DLL is loaded and the name of each of its exports is hashed until it matches a specific hash. Manual symbol resolution is then used to access and execute the exported function. This method is often used by shellcode because it reduces the size of each import from a human-readable string to a sequence of four bytes. 
The Method is also known as \"Imports by Hash\" and \"GET_APIS_WITH_CRC.\"", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md", - "external_id": "B0004.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.001" }, { "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" + "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dd40dbb6-6220-4b7b-93e1-20fe081eb219", + "id": "attack-pattern--0c59fe14-659a-4248-b205-7fc3371af6c7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.496265Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Instruction Testing", - "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.", + "created": "2022-09-08T18:26:13.257877Z", + "modified": "2022-09-08T18:26:13.257877Z", + "name": "Click Hijacking", + "description": "Malware alters DNS server settings to route to a rogue DNS server: when the user clicks on a search result link displayed through a search engine query, malware re-routes the user to different website. 
Instead of going to the requested site, the user is taken to an alternate website such that the click triggers payment to the threat actor.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "impact" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.029" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/generate-traffic-from-victim.md", + "external_id": "E1643.m01" }, { "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" + "url": "https://www.itworld.com/article/2734253/security/behind-the--massive--malware-ad-revenue-fraud-case.html" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25", + "id": "attack-pattern--98cc634e-8ebb-4c19-b3f1-bea0abef18ae", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.666262Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Indicator Blocking", - "description": "Malware blocks indicators or events that would indicate malicious activity. Methods relevant to the malware domain are below.", + "created": "2020-08-21T20:49:59.503263Z", + "modified": "2022-09-08T18:26:13.292708Z", + "name": "Unique Hardware/Firmware Check - CPU Name", + "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. 
Checks the CPU name to determine virtualization.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/indicator-blocking.md", - "external_id": "F0006" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.026" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dd5fd5f1-cc85-409b-a4c0-96cea106cd82", + "id": "attack-pattern--83576712-779f-4c76-9459-939092f6cd70", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.514301Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Parallel Threads", - "description": "Use several parallel threads to make analysis harder.", + "created": "2022-02-04T23:52:35.845581Z", + "modified": "2022-09-08T18:26:13.403344Z", + "name": "Application Rootkit", + "description": "Application rootkits operate by exchanging standard application files with rootkit files, or changing applications by injecting code or patching.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "defense-evasion" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.017" + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md", + "external_id": "E1014.m12" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dd600655-8b9a-4a67-be72-3088d96e0e5a", + "id": "attack-pattern--ca32295b-c968-4099-a010-e8758c066be6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.727262Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Red Hat JBoss Enterprise Products", + "created": "2022-02-04T23:52:35.845581Z", + "modified": "2022-09-08T18:26:13.404115Z", + "name": "Hypervisor/Virtualized Rootkit", + "description": "A hypervisor (virtualized) rootkit hosts the target operating system as a virtual machine, enabling interception of all hardware calls. Also called, virtual-machine-based rootkit (VMBR).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "impact" + "phase_name": "defense-evasion" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/exploit-software.md", - "external_id": "E1203.m04" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md", + "external_id": "E1014.m15" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436", + "id": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.820261Z", - "modified": 
"2022-02-05T00:37:22.741756Z", - "name": "ICMP Communication", - "description": "This micro-behavior is related to ICMP communication.", + "created": "2020-08-21T20:49:59.562264Z", + "modified": "2022-09-08T18:26:13.195437Z", + "name": "Executable Code Obfuscation", + "description": "Executable code can be obfuscated to hinder disassembly and static code analysis. This behavior is specific to a malware sample's executable code (data and text sections).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/icmp-comm.md", - "external_id": "C0014" + "phase_name": "anti-static-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": false - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.029444Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Environment Variable", - "description": "Malware modifies environment variables.", + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032" + }, + { + "source_name": "external_source", + "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" + }, + { + "source_name": "external_source", + "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/" + }, + { + "source_name": "external_source", + "description": "Rob Simmons, \"Comparing Malicious Files,\" BSides, 2019.", + "url": 
"http://www.irongeek.com/i.php?page=videos/bsidescharm2019/2-04-comparing-malicious-files-robert-simmons" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf" + }, + { + "source_name": "external_source", + "url": "https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "x_mitre_is_subtechnique": false + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b82faecb-bcb2-4dcc-9155-bbd52d31c35d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.713265Z", + "modified": "2022-09-08T18:26:13.20944Z", + "name": "SMTP Connection Discovery", + "description": "Malware may test whether an outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" + "phase_name": "discovery" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/enviro-var.md", - "external_id": "C0034" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/smtp-connection-discovery.md", + "external_id": "B0014" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], 
"x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e0563aa9-70e1-41b8-ae78-0434ece93e36", + "id": "attack-pattern--14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.805261Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Resolve::DNS Communication", - "description": "Resolves a domain.", + "created": "2022-02-04T23:52:35.736174Z", + "modified": "2022-09-08T18:26:13.275737Z", + "name": "Guard Pages", + "description": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", - "external_id": "C0011.001" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.006" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", + "id": "attack-pattern--51147afe-363a-4b8f-8bdd-2f3601c785f1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.032478Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Registry", - "description": "Malware modifies the registry.", + "created": "2020-08-21T20:49:59.748262Z", + "modified": "2022-09-08T18:26:13.250407Z", + "name": "Send Poisoned Text Message", + "description": "A malicious attachment is sent via spam SMS or MMS messages. 
When the user clicks the link, malware is installed.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", - "external_id": "C0036" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/send-poisoned-text-message.md", + "external_id": "B0021" + }, + { + "source_name": "external_source", + "url": "https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html" + }, + { + "source_name": "external_source", + "url": "https://www.player.one/new-android-sms-malware-can-completely-own-your-phone-just-one-text-how-avoid-mazar-512363" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e1c3c48b-0b4d-418f-b7af-44715b214972", + "id": "attack-pattern--58245c62-d50e-40d4-b31e-63902657709f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.530265Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Undocumented Opcodes", - "description": "Use rare or undocumented opcodes to block non-exhaustive emulators.", + "created": "2021-02-10T06:49:32.029444Z", + "modified": "2022-09-08T18:26:13.401331Z", + "name": "Set Variable::Environment Variable", + "description": "Malware sets an environment variable.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "operating-system-micro-objective" } ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-emulator.md", - "external_id": "B0005.002" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/environment-variable.md", + "external_id": "C0034.001" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e22860a9-1026-46ee-a75e-feedc26196d5", + "id": "attack-pattern--2f82d3b5-c6f8-4f4b-89e1-8605ea457749", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.578264Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Custom Compression", - "description": "Uses a custom algorithm to compress an executable file.", + "created": "2021-02-10T06:49:31.939481Z", + "modified": "2022-09-08T18:26:13.218485Z", + "name": "Taskbar Discovery", + "description": "Malware may find the taskbar.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "discovery" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.005" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/taskbar-discovery.md", + "external_id": "B0043" + } + ], + "x_mitre_is_subtechnique": false + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": 
"attack-pattern--5eef016e-6366-41e1-a33d-d85727dd5d65", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.511265Z", + "modified": "2022-09-08T18:26:13.304619Z", + "name": "Get Base Indirectly", + "description": "CALL to a POP; finds base of code or data, often the packed version of the code; also used often in obfuscated/packed shellcode.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.007" + } + ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e23ee3ae-6960-4b56-b962-33184f999657", + "id": "attack-pattern--d4b4af24-91a5-4f21-82c6-7f67f316239f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.688263Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Hook Injection via SetWindowsHooksEx", - "description": "Malware can leverage hooking functionality to have its malicious DLL loaded upon an event getting triggered in a specific thread, which is usually done by calling SetWindowsHookEx to install a hook routine into the hook chain.", + "created": "2022-09-08T18:26:13.419767Z", + "modified": "2022-09-08T18:26:13.419767Z", + "name": "Procedure Hooking", + "description": "Intercepts and executes designated code in response to events such as messages, keystrokes, and mouse inputs.", "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + }, { 
"kill_chain_name": "mitre-mbc", "phase_name": "defense-evasion" }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, { "kill_chain_name": "mitre-mbc", "phase_name": "privilege-escalation" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md", - "external_id": "E1055.m01" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", + "external_id": "F0015.007" }, { "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + "url": "https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a", + "id": "attack-pattern--1e4a21a9-2d09-48fc-bcea-13d1359f2bbd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.937479Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "File and Directory Discovery", - "description": "Malware may enumerate files and directories or may search for specific files or in specific locations.", + "created": "2020-08-21T20:49:59.500263Z", + "modified": "2022-09-08T18:26:13.289535Z", + "name": "Modern Specs Check - Drive size", + "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Most modern machines have at least 80 GB disks. 
May use DeviceloControl (IOCTL_DISK_GET_LENGTH_INFO) or GetDiskFreeSpaceEx (TotalNumberOfBytes) .", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/file-discover.md", - "external_id": "E1083" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.015" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1083/", - "external_id": "T1083" + "source_name": "external_source", + "url": "https://github.com/LordNoteworthy/al-khaser" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e", + "id": "attack-pattern--8fcb44c9-dec3-4358-bf3d-35b4174f7d2b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.788262Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Resource Hijacking", - "description": "Uses system resources for other purposes; as a result, the system may not be available for intended uses.", + "created": "2020-08-21T20:49:59.516301Z", + "modified": "2022-09-08T18:26:13.308858Z", + "name": "Self-Debugging", + "description": "Debug itself to prevent another debugger to be attached.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "impact" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/hijack-sys-resources.md", - "external_id": "B0018" - }, - { - "source_name": "external_source", - "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" - }, - { - "source_name": "external_source", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1496/", - "external_id": "T1496" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.024" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e35d4dd6-591c-4f6d-b182-16adc70ce74f", + "id": "attack-pattern--7adc736f-d3ca-438a-8bce-46967e062ea3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.515309Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Return Obfuscation", - "description": "Overwrite the RET address on the stack or the code at the RET address. 
Variation seen that writes to the start-up code or main module that called the malware's WinMain or DllMain.", + "created": "2020-08-21T20:49:59.886262Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Create Process via Shellcode::Create Process", + "description": "Malware uses shellcode to create a process.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "process-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.021" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-process.md", + "external_id": "C0017.001" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3", + "id": "attack-pattern--97a53670-fbd8-40bb-a950-acec7a6e7958", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.652263Z", - "modified": "2022-02-05T00:37:22.616726Z", - "name": "Covert Location", - "description": "Malware may hide data or binary files within other files, the registry, etc.", + "created": "2021-02-10T06:49:31.980486Z", + "modified": "2022-09-08T18:26:13.371634Z", + "name": "Initialize Winsock Library::Socket Communication", + "description": "Winsock is initialized for TCP communication.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "communication-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - 
"url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/covert-location.md", - "external_id": "B0040" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.009" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e393c36e-9939-44df-8f4a-8e7cb57c9b4e", + "id": "attack-pattern--97fc67af-9ec6-44a7-8187-32e07b5cdcb5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:36.109082Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Open Process", - "description": "Malware opens a process.", + "created": "2020-08-21T20:49:59.469264Z", + "modified": "2022-09-08T18:26:13.31816Z", + "name": "Process Environment Block NtGlobalFlag", + "description": "The NtGlobalFlag field is tested to determine whether the process is being debugged.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/open-process.md", - "external_id": "C0065" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.036" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e399ce8e-2c1d-4bc4-9669-308cb99f1e10", + "id": 
"attack-pattern--0b1371c5-4bec-466a-b643-43b719537894", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.993484Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Skipjack::Encrypt Data", - "description": "Malware encrypts with the Skipjack block cipher algorithm.", + "created": "2020-08-21T20:49:59.502264Z", + "modified": "2022-09-08T18:26:13.29162Z", + "name": "Modern Specs Check - USB drive", + "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Checks whether there is a potential USB drive; if not a virtual environment is suspected.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.013" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.016" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa", + "id": "attack-pattern--dcd263ce-1f73-4f82-a7cf-5571498a8d36", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.562264Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Symbol Obfuscation", - "description": "Remove or rename symbolic information commonly inserted by compilers for debugging purposes.", + "created": "2020-08-21T20:49:59.517264Z", + 
"modified": "2022-09-08T18:26:13.309653Z", + "name": "Stolen API Code", + "description": "A variation of \"byte stealing\" where the first few instructions or bytes of an API are executed in user code, allowing the IAT to point into the middle of an API function. This confuses IAT rebuilders such as ImpRec and Scylla and may bypass breakpoints.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md", - "external_id": "B0032.018" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.027" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e3f453d4-03f3-4a8a-bfb1-d603016e234f", + "id": "attack-pattern--a962a19b-79e6-4154-a634-b85d9e9d0264", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.602268Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Screen Capture", - "description": "Malware takes screen captures of the desktop.", + "created": "2022-02-04T23:52:35.689293Z", + "modified": "2022-09-08T18:26:13.296639Z", + "name": "Human User Check", + "description": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. Directories or file might be counted. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. 
Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel . This method is similar to ATT&CK's [Virtualization/Sandbox Evasion: User Activity Based Checks](https://attack.mitre.org/techniques/T1497/002/) sub-technique.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/screen-capture.md", - "external_id": "E1113" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", + "external_id": "B0007.003" }, { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1113/", - "external_id": "T1113" + "source_name": "external_source", + "url": "https://github.com/LordNoteworthy/al-khaser" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e4678b94-bfec-402e-9682-17a32ae8c379", + "id": "attack-pattern--5a895abc-11b8-4f33-a05d-47daa38002af", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.503263Z", - "modified": "2022-02-05T00:37:22.523012Z", - "name": "Unique Hardware/Firmware Check - CPU Location", - "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. 
When an Operating System is virtualized, the CPU is relocated.", + "created": "2020-08-21T20:49:59.550264Z", + "modified": "2022-09-08T18:26:13.206546Z", + "name": "Conditional Misdirection", + "description": "Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; identified by instructions *jmp/jcc to a label+#* (e.g., JNE loc_401345fe+2).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-vm.md", - "external_id": "B0009.027" - }, - { - "source_name": "external_source", - "url": "https://search.unprotect.it/map/sandbox-evasion/" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md", + "external_id": "B0012.002" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b", + "id": "attack-pattern--23949fea-4e13-41e3-b8c7-b25efd93f346", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.824262Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Interprocess Communication", - "description": "The Interprocess Communication micro-behavior focuses on interprocess communication.", + "created": "2020-08-21T20:49:59.506259Z", + "modified": "2022-09-08T18:26:13.278785Z", + "name": "Memory-only Payload", + "description": "Malware is never written to disk (e.g., RAT plugins received from the controller are never written to disk).", "kill_chain_phases": [ 
{ "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md", - "external_id": "C0003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/capture-evasion.md", + "external_id": "B0036.001" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d", + "id": "attack-pattern--ec7f9541-06af-4db7-a9c2-183b513f144a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.989483Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "HC-256::Decrypt Data", - "description": "Malware decrypts data encrypted with the HC-256 algorithm.", + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-02-05T00:37:22.632387Z", + "name": "Direct Kernel Object Manipulation", + "description": "Direct Kernel Object Manipulation (DKOM) can be used instead of loading a new driver. 
It leverages an undocumented function exported by ntdll.dll (NtSystemDebugControl()) that provides debugging functionalities at the kernel level.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.007" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md", + "external_id": "E1564.m02" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e60f2ef0-615c-4158-92f6-4db808bc116d", + "id": "attack-pattern--f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.537265Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Hide virtual memory", - "description": "Hide arbitrary segments of virtual memory.", + "created": "2021-02-10T06:49:31.993484Z", + "modified": "2022-09-08T18:26:13.389965Z", + "name": "RC4::Encrypt Data", + "description": "Malware encrypts with the RC4 algorithm.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "cryptography-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-memory-dump.md", - "external_id": "B0006.003" + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.009" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e72b1f9b-69a5-44fa-8de6-fa7d4ccc726c", + "id": "attack-pattern--91b7e621-49fe-4f7b-a8c6-0a377ceac3cd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.030527Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Create Registry Key::Registry", - "description": "Malware creates a registry key.", + "created": "2020-08-21T20:49:59.494264Z", + "modified": "2022-09-08T18:26:13.285661Z", + "name": "HTML5 Performance Object Check", + "description": "In three browser families, it is possible to extract the frequency of the Windows performance counter frequency, using standard HTML and Javascript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "operating-system-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/registry.md", - "external_id": "C0036.004" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.011" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": 
"attack-pattern--e7d60710-0081-4d47-9fd3-3e2d410828e7", + "id": "attack-pattern--68d12b85-7712-4572-a801-222a375b7033", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.922997Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Encoding-Standard Algorithm", - "description": "A standard algorithm (e.g., base64) is used to encode a malware sample, file, or other information.", + "created": "2020-08-21T20:49:59.75826Z", + "modified": "2022-09-08T18:26:13.271576Z", + "name": "Encoding - Custom Encoding", + "description": "Data is encoded. A custom algorithm is used to encode the exfiltrated data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "exfiltration" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", - "external_id": "E1027.m02" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", + "external_id": "E1560.m04" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e82333e9-4719-464b-87d9-164c6b00cb5d", + "id": "attack-pattern--6a958b33-6517-459c-afda-7f4f490ac15d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.705262Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Known File Location", - "description": "Malware may detect an analysis tool by the presence of a file in a known location.", + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-02-05T00:37:22.632387Z", + "name": "Hidden 
Services", + "description": "Hides any system services that the malware instance creates or injects itself into. Services can be hidden by hiding associated registry keys.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/analysis-tool-discover.md", - "external_id": "B0013.008" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md", + "external_id": "E1564.m04" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e84f764e-ace1-4149-b73d-664b17954d7b", + "id": "attack-pattern--f0df8409-6168-481b-97a9-eb15c77c1317", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.994484Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "Twofish::Encrypt Data", - "description": "Malware encrypts with the Twofish algorithm.", + "created": "2020-08-21T20:49:59.507263Z", + "modified": "2022-09-08T18:26:13.279095Z", + "name": "Multiple Stages of Loaders", + "description": "Multiple stages of loaders are used with an encoded payload.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.005" + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/capture-evasion.md", + "external_id": "B0036.003" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e85ffef6-8593-4bff-a6f0-d54b2e64fc70", + "id": "attack-pattern--ff838892-3d1a-46ba-a3f5-5787e0e82830", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.463305Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Memory Breakpoints", - "description": "(PAGE_GUARD); Guard pages trigger an exception the first time they are accessed and can be used to detect a debugger. See for details.", + "created": "2020-08-21T20:49:59.470264Z", + "modified": "2022-09-08T18:26:13.318438Z", + "name": "Process Jobs", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.009" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.020" }, { "source_name": "external_source", 
@@ -16681,10871 +9684,17173 @@ "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e97aa9eb-a7d6-4c4a-810f-140f1dda08ca", + "id": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.463305Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Memory Write Watching", + "created": "2021-02-10T06:49:32.008483Z", + "modified": "2022-09-08T18:26:13.338526Z", + "name": "Non-Cryptographic Hash", + "description": "Malware may use a non-cryptographic hash.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "data-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.010" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md", + "external_id": "C0030" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--eab3d576-e947-486b-857c-ffa680b30050", + "id": "attack-pattern--146be7e5-feeb-4dd2-8283-796b29394ac1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2020-08-21T20:49:59.66526Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Remove SMS Warning Messages", - "description": "Malware captures the message body of incoming SMS messages and aborts displaying messages that meets a certain criteria.", + "created": "2021-02-10T06:49:31.918444Z", + "modified": "2022-09-08T18:26:13.41559Z", + "name": "Location", + "description": "Malware may change or choose the location of itself, another file, or a directory to prevent detection.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/indicator-blocking.md", - "external_id": "F0006.001" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md", + "external_id": "F0005.002" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3", + "id": "attack-pattern--8bf7607c-b292-40e6-9372-8624fc971a66", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.814267Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "IWebBrowser::HTTP Communication", - "description": "The IWebBrowser interface exposes methods and properties implemented by the WebBrowser control or implemented by an instance of the InternetExplorer application. 
Specific methods and properties can be captured: e.g., COMMUNICATION::HTTP Communication::IWebBrowser.get_Document.", + "created": "2020-08-21T20:49:59.501259Z", + "modified": "2022-09-08T18:26:13.290366Z", + "name": "Modern Specs Check - Processor count", + "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Checks number of processors; single CPU machines are suspect.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/http-comm.md", - "external_id": "C0002.010" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.018" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e", + "id": "attack-pattern--76206161-2e14-48a0-9191-998ef774b345", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.783046Z", - "modified": "2022-02-05T00:37:22.601096Z", - "name": "Start Interactive Shell", - "description": "Start an interactive shell using a built-in program (e.g. cmd.exe, PowerShell, bash). This is often implemented with polling the network connection from the controller for text commands to redirect to the shell's stdin and polling the shell's stdout and stderr to redirect over the network to the controller. 
This differs from Execute Shell Command because the shell process runs across multiple iterations of the recv-command(s)-send-result loop.", + "created": "2020-08-21T20:49:59.607265Z", + "modified": "2022-09-08T18:26:13.230394Z", + "name": "Send Heartbeat", + "description": "Heartbeat sent.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "command-and-control" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md", - "external_id": "B0030.016" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.007" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--ec7f9541-06af-4db7-a9c2-183b513f144a", + "id": "attack-pattern--6e892e5f-0d39-4e58-9a69-1ff8cc479291", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Direct Kernel Object Manipulation", - "description": "Direct Kernel Object Manipulation (DKOM) can be used instead of loading a new driver. It leverages an undocumented function exported by ntdll.dll (NtSystemDebugControl()) that provides debugging functionalities at the kernel level.", + "created": "2020-08-21T20:49:59.497264Z", + "modified": "2022-09-08T18:26:13.287106Z", + "name": "Instruction Testing - RDTSC", + "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md", - "external_id": "E1564.m02" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.036" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--ecf1cd8c-ffef-40bd-a2e3-441e77a84a77", + "id": "attack-pattern--9fb8ebbb-efc5-4f9c-8059-dca2a21412fd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.036443Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Create Suspended Process::Create Process", - "description": "Malware created a suspended process.", + "created": "2020-08-21T20:49:59.523261Z", + "modified": "2022-09-08T18:26:13.327493Z", + "name": "Hook File System", + "description": "Execution happens when a particular file or directory is accessed, often through hooking certain API calls such as CreateFileA and CreateFileW.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-process.md", - "external_id": "C0017.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.007" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--eee013e1-4cfd-42f9-9f46-71f4b1598ef3", + "id": "attack-pattern--a46f5dce-2530-4823-8253-d702c8b2abeb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.58826Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Bitcoin", - "description": "Access Bitcoin data.", + "created": "2022-02-04T23:52:35.783046Z", + "modified": "2022-09-08T18:26:13.227674Z", + "name": "Directory Listing", + "description": "Controller requests a directory listing from the implant, optionally from a given path, optionally recursive.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" + "phase_name": "command-and-control" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/cryptocurrency.md", - "external_id": "B0028.001" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.012" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1", + "id": "attack-pattern--81c902fa-0862-4f21-b951-f82a5d39f204", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.005479Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Decompress Data", - "description": "Malware may decompress data.", + "created": "2020-08-21T20:49:59.500263Z", + "modified": "2022-09-08T18:26:13.289225Z", + "name": "Modern Specs Check", + "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "data-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/decompress.md", - "external_id": "C0025" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.013" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd", + "id": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.684261Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Polymorphic Code", - "description": "Polymorphic code, a file with the same functionality but different execution, is created, often on the fly, making it difficult to detect. This behavior includes metamorphic code where the code is changed (not just executed differently), but with the behavior the same. 
Polymorphic Code behavior is typically identified through analysis of related samples.", + "created": "2020-08-21T20:49:59.722263Z", + "modified": "2022-09-08T18:26:13.24581Z", + "name": "Conditional Execution", + "description": "Malware checks system environment conditions or characteristics to determine execution path. For example, malware may not run or be dormant unless system conditions are right, or file that is dropped may vary according to execution environment. Conditional execution in malware happens autonomously, not because of an attacker's command.", "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, { "kill_chain_name": "mitre-mbc", "phase_name": "defense-evasion" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/polymorphic-code.md", - "external_id": "B0029" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", + "external_id": "B0025" }, { "source_name": "external_source", - "url": "https://www.mccormick.northwestern.edu/eecs/documents/tech-reports/2010-2014/evaluating-android-anti-malware-against-transformation-attacks.pdf" + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "external_source", + "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques" + }, + { + "source_name": "external_source", + "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": false }, { "type": 
"attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504", + "id": "attack-pattern--758df510-b765-4172-94ad-70561cd0ef62", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Hidden Artifacts", - "description": "Malware may hide artifacts to evade detection and/or to persist on the system. See potential methods related to malware below.", + "created": "2020-08-21T20:49:59.534261Z", + "modified": "2022-09-08T18:26:13.275085Z", + "name": "Feed Misinformation", + "description": "API behavior can be altered to prevent memory dumps. For example, inaccurate data can be reported when the contents of the physical memory of the system on which the malware instance is executing is retrieved. See [Hooking](../credential-access/hooking.md).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md", - "external_id": "E1564" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1564", - "external_id": "T1564" + "phase_name": "anti-behavioral-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": false - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--f0df8409-6168-481b-97a9-eb15c77c1317", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.507263Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Multiple Stages of Loaders", - "description": "Multiple stages of loaders are used with an encoded payload.", - "kill_chain_phases": [ - { - 
"kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-capture.md", - "external_id": "B0036.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.008" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f1212d9e-3af6-4ef4-a19e-ff2793564ffd", + "id": "attack-pattern--73482bd3-d3d1-4f57-a5ac-59bf22866f16", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.849262Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "rand::Generate Pseudo-random Sequence", - "description": "Malware generates a pseudo-random sequence using rand.", + "created": "2022-02-04T23:52:35.928367Z", + "modified": "2022-09-08T18:26:13.269346Z", + "name": "Disk Wipe", + "description": "Malware may erase the content of storage devices. 
This behavior is different than **Data Destruction ([E1485](https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md))** because sections of the disk are erased rather than individual files.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" + "phase_name": "impact" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/gen-random.md", - "external_id": "C0021.002" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/disk-wipe.md", + "external_id": "F0014" + }, + { + "source_name": "external_source", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=281521ea-2d18-4bf9-9e88-8b1dc41cfdb6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f1b3a223-fa61-4341-9d0c-9f71b399ee00", + "id": "attack-pattern--1afb242c-883b-40c2-8a37-fc5064dd7d2b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.759262Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Encryption", - "description": "Data is encrypted.", + "created": "2020-08-21T20:49:59.819261Z", + "modified": "2022-09-08T18:26:13.3778Z", + "name": "Generate Traffic::ICMP Communication", + "description": "Generate ICMP traffic.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "exfiltration" + "phase_name": "communication-micro-objective" } ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", - "external_id": "E1560.m02" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/icmp-communication.md", + "external_id": "C0014.001" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f1e778ba-e457-445f-888f-a3ee4e5dbeef", + "id": "attack-pattern--90bb4fe0-057f-40b0-8fba-37005e7f6524", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.711263Z", - "modified": "2022-02-05T00:37:22.663601Z", - "name": "Self Discovery", - "description": "Malware may gather information about itself, such as its filename or size on disk.", + "created": "2020-08-21T20:49:59.490263Z", + "modified": "2022-09-08T18:26:13.283125Z", + "name": "Check Registry Keys", + "description": "Virtual machines register artifacts in the registry, which can be detected by malware. For example, a search for \"VMware\" or \"VBOX\" in the registry might reveal keys that include information about a virtual hard drive, adapters, running services, or virtual mouse. 
Example registry key value artifacts include \"HARDWARE\\Description\\System (SystemBiosVersion) (VBOX)\" and \"SYSTEM\\ControlSet001\\Control\\SystemInformation (SystemManufacturer) (VMWARE)\"; example registry key artifacts include \"SOFTWARE\\VMware, Inc.\\VMware Tools (VMWARE)\" and \"SOFTWARE\\Oracle\\VirtualBox Guest Additions (VBOX)\".", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "discovery" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/self-discover.md", - "external_id": "B0038" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.005" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + }, + { + "source_name": "external_source", + "url": "https://github.com/LordNoteworthy/al-khaser" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f1e8e35a-e893-403a-b34c-1b5d54945764", + "id": "attack-pattern--b3030683-9d60-4b63-8498-f7fac91c244d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.716259Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Generate Windows Exception", - "description": "Malware may trigger an exception as a way of gathering system details.", + "created": "2022-02-04T23:52:35.814301Z", + "modified": "2022-09-08T18:26:13.430594Z", + "name": "Disable Code Integrity", + "description": "Malware disables Code Integrity driver.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": 
"discovery" + "phase_name": "defense-evasion" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/system-info-discover.md", - "external_id": "E1082.m01" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", + "external_id": "F0004.009" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f1f9a410-ce13-4c3d-8728-69e517d71fb9", + "id": "attack-pattern--999fdac4-2cd5-471e-960e-993f82214902", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.829949Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Hidden Userspace Libraries", - "description": "Hides userspace libraries used by the malware instance. Technique refers to hiding libraries loaded in memory (not disk). For example, a userspace library may be injected into a system process such that memory scanning tools may be prevented from finding them. This technique is different than DLL injection, in which the DLL will continue to show up in process metadata that tracks what is stored in memory. This technique involves clearing that metadata or making it inaccessible to security and inspection tools.", + "created": "2020-08-21T20:49:59.558264Z", + "modified": "2022-09-08T18:26:13.19278Z", + "name": "Import Compression", + "description": "Store and load imports with a compact import table format. 
Each DLL needed by the executable is mentioned in the IAT, but only one function from each/most is imported; the rest are imported via GetProcAddress calls.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "persistence" + "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hide-artifacts.md", - "external_id": "E1564.m01" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.012" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f21fda77-e6ff-4351-87d9-0e2f5780a1c3", + "id": "attack-pattern--664457b6-7f76-4745-a92d-6acbfe3ee384", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.035443Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Create Mutex", - "description": "Malware creates a mutex.", + "created": "2020-08-21T20:49:59.521266Z", + "modified": "2022-09-08T18:26:13.32605Z", + "name": "Data Flood", + "description": "Overloads a sandbox by generating a flood of meaningless behavioral data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/create-mutex.md", - "external_id": "C0042" + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.002" + }, + { + "source_name": "external_source", + "url": "http://joe4security.blogspot.com/2013/06/overloading-sandboxes-new-generic.html" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", + "id": "attack-pattern--dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.916486Z", - "modified": "2022-02-05T00:37:22.632387Z", - "name": "Disable or Evade Security Tools", - "description": "Malware may disable or evade security tools to avoid detection. Security tools include OS security features and updating tools, anti-virus (AV) tools, firewalls, tool components providing security related logging and/or reporting, and Antimalware Scan Interface (AMSI) related capabilities.", + "created": "2020-08-21T20:49:59.666262Z", + "modified": "2022-09-08T18:26:13.413949Z", + "name": "Indicator Blocking", + "description": "Malware blocks indicators or events that would indicate malicious activity. 
Methods relevant to the malware domain are below.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "defense-evasion" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/disable-security-tools.md", - "external_id": "F0004" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/indicator-blocking.md", + "external_id": "F0006" }, { "source_name": "external_source", - "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" }, { "source_name": "external_source", - "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html" + "url": "https://en.wikipedia.org/wiki/Conficker" }, { "source_name": "external_source", - "description": "Alexander Adamov, Stealthy WastedLocker: eluding behavior blockers, but not only. Online:", - "url": "https://vblocalhost.com/conference/presentations/stealthy-wastedlocker-eluding-behaviour-blockers-but-not-only/" + "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" }, { "source_name": "external_source", - "description": "Carl Petty, Red Canary, 3/3/2020. 
Online:", - "url": "https://redcanary.com/blog/heavens-gate-technique-on-linux/" + "url": "https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f277deb3-f676-4536-b7c0-8cc76354b631", + "id": "attack-pattern--77932220-efa9-44d5-b3a9-c5d9ed4f3573", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.674263Z", - "modified": "2022-02-05T00:37:22.694887Z", - "name": "Encoding", - "description": "Data is encoded.", + "created": "2021-02-10T06:49:32.021478Z", + "modified": "2022-02-05T00:37:22.804261Z", + "name": "Ctrl-Alt-Del::Simulate Hardware", + "description": "Malware simulates Ctrl-Alt-Del.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "exfiltration" + "phase_name": "hardware-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/data-encrypted.md", - "external_id": "E1560.m01" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/simulate-hardware.md", + "external_id": "C0057.001" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f286389b-6374-4b58-ae99-975a32ad18ce", + "id": "attack-pattern--5706671b-371d-40dd-95ae-d9574ba49291", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.522264Z", - "modified": "2022-02-05T00:37:22.55426Z", - "name": "Demo Mode", - "description": "Inclusion of a demo 
binary/mode that is executed when token is absent or not privileged enough.", + "created": "2022-02-04T23:52:35.871658Z", + "modified": "2022-09-08T18:26:13.210426Z", + "name": "Parse PE Header", + "description": "Malware parses the PE header.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "discovery" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-dynamic-analysis.md", - "external_id": "B0003.004" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/code-discovery.md", + "external_id": "B0046.003" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f30b55fa-0ddf-49d9-884b-8cdb9e567758", + "id": "attack-pattern--4ca9173b-10b3-4a35-8507-f6b34fa4fc23", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.805261Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "Resolve TLD::DNS Communication", - "description": "Resolves top level domain.", + "created": "2020-08-21T20:49:59.474262Z", + "modified": "2022-09-08T18:26:13.320318Z", + "name": "TIB Aware", + "description": "Malware may access information in the Thread Information Block (TIB) for debug detection or process obfuscation detection. 
The TIB can be accessed as an offset of the segment register (e.g., fs:[20h]).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", - "external_id": "C0011.004" + "phase_name": "anti-behavioral-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.027" + } + ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f4d0e9ac-c868-42fa-9b1f-0d0bee913da1", + "id": "attack-pattern--063274b5-04c4-4987-98d6-850c2598b601", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.980486Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Set Socket Config::Socket Communication", - "description": "Configure socket.", + "created": "2020-08-21T20:49:59.805261Z", + "modified": "2022-09-08T18:26:13.379149Z", + "name": "Resolve Free Hosting Domain::DNS Communication", + "description": "Resolves a free hosting domain (e.g., freeiz.com).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "communication-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/socket-comm.md", - "external_id": "C0001.001" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", + "external_id": "C0011.005" } ], - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da", + "id": "attack-pattern--b62ec15e-4b56-482f-9721-72733c520d1b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.993484Z", - "modified": "2022-02-05T00:37:22.773011Z", - "name": "RC4::Encrypt Data", - "description": "Malware encrypts with the RC4 algorithm.", + "created": "2020-08-21T20:49:59.843259Z", + "modified": "2022-02-05T00:37:22.757347Z", + "name": "InternetOpenURL::WinINet", + "description": "Opens a resource specified by a complete FTP or HTTP URL.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" + "phase_name": "communication-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/encrypt.md", - "external_id": "C0027.009" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", + "external_id": "C0005.003" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f50e1610-ac57-4256-85b8-4f16db37b184", + "id": "attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.73626Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Delete File", - "description": "Malware deletes a file.", + "created": "2021-02-10T06:49:32.005479Z", + "modified": "2022-09-08T18:26:13.331832Z", + "name": "Decompress Data", + "description": "Malware may 
decompress data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" + "phase_name": "data-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/delete-file.md", - "external_id": "C0047" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decompress-data.md", + "external_id": "C0025" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a", + "id": "attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.785261Z", - "modified": "2022-02-05T00:37:22.71051Z", - "name": "Generate Fraudulent Advertising Revenue", - "description": "Malware may generate advertising revenue by generating clicks of advertising links. 
The ATT&CK technique, [Generate Fraudulent Advertising Revenue](https://attack.mitre.org/techniques/T1472/), pertains only to mobile platform, but the behavior is applicable to other platforms as well.", + "created": "2020-08-21T20:49:59.796261Z", + "modified": "2022-09-08T18:26:13.262138Z", + "name": "Remote Access", + "description": "Malware may provide an attacker with potentially full access to a system via a remote network connection, which may also provide persistence.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/generate-fraud-rev.md", - "external_id": "E1472" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/remote-access.md", + "external_id": "B0022" }, { "source_name": "external_source", - "url": "https://www.itworld.com/article/2734253/security/behind-the--massive--malware-ad-revenue-fraud-case.html" + "url": "https://en.wikipedia.org/wiki/Remote_access_trojan" }, { "source_name": "external_source", - "url": "https://www.fipp.com/news/insightnews/what-are-the-nine-types-of-digital-ad-fraud" + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" }, { "source_name": "external_source", - "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html" + "url": "https://en.wikipedia.org/wiki/DarkComet" }, { "source_name": "external_source", - "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1472/", - "external_id": "T1472" + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON" } ], - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f5f683c9-7cc4-41b9-a607-16e3c09461f4", + "id": "attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.923443Z", - "modified": "2022-02-05T00:37:22.648018Z", - "name": "Encryption of Data", - "description": "A file's data is encrypted, but not necessarily the file's code.", + "created": "2021-02-10T06:49:31.997443Z", + "modified": "2022-09-08T18:26:13.394983Z", + "name": "Encryption Key", + "description": "Malware may import, generate, or otherwise use an encryption key.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/obfuscate-files.md", - "external_id": "E1027.m07" + "phase_name": "cryptography-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--f60a86ef-7e8a-4a7b-91fa-64a4c137068c", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.844259Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "InternetWriteFile::WinINet", - "description": "Writes data to an open Internet file.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md", - "external_id": "C0005.005" + 
"url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encryption-key.md", + "external_id": "C0028" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": true + "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f62b419a-6b84-4bc4-865c-b58abc012795", + "id": "attack-pattern--87414f49-bf46-4a09-9999-979d71eb16a5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.990485Z", - "modified": "2022-02-05T00:37:22.757347Z", - "name": "RC6::Decrypt Data", - "description": "Malware decrypts data encrypted with the RC6 algorithm.", + "created": "2022-02-04T23:52:35.907374Z", + "modified": "2022-02-05T00:37:22.694887Z", + "name": "MSDTC", + "description": "The Distributed Transaction Coordinator (MSDTC) coordinates transaction across multiple resource managers (databases, message queues and file systems). This legitimate Microsoft service is part of Windows 2000 and later and can be used to import and load DLLs. 
Malware may abuse MSDTC to import and load DLLs.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "cryptography-micro-objective" + "phase_name": "execution" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/decrypt.md", - "external_id": "C0031.009" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/system-services.md", + "external_id": "E1569.m01" + }, + { + "source_name": "external_source", + "url": "https://support.resolver.com/hc/en-ca/articles/207161116-Configure-Microsoft-Distributed-Transaction-Coordinator-MSDTC-" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f65d15c6-c325-42f5-a824-9ff3089f751f", + "id": "attack-pattern--b7d3d8a7-75a8-4e3b-a1e8-c20844d0a8cf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.023443Z", - "modified": "2022-02-05T00:37:22.804261Z", - "name": "Free Memory", - "description": "Malware may free memory.", + "created": "2022-02-04T23:52:36.124706Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Open Thread", + "description": "Malware opens a thread.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "memory-micro-objective" + "phase_name": "process-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/free-memory.md", - "external_id": "C0044" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/open-thread.md", + 
"external_id": "C0066" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5", + "id": "attack-pattern--bb61fa8d-d4d6-492b-9885-17b320bddf36", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", "created": "2022-02-04T23:52:35.751794Z", - "modified": "2022-02-05T00:37:22.569857Z", - "name": "Data Flow Analysis Evasion", - "description": "Malware code evades data flow analysis (also known as information flow analysis and taint-tracking).", + "modified": "2022-09-08T18:26:13.204823Z", + "name": "Control Dependence", + "description": "Data is propagated via an if-then-else clause instead of direct assignment.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/evade-data-flow-analysis.md", - "external_id": "B0045" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/data-flow-analysis-evasion.md", + "external_id": "B0045.001" }, { "source_name": "external_source", "url": "http://www.seclab.cs.sunysb.edu/seclab/pubs/antitaint.pdf" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f7d5a289-5ab3-4b74-912a-c7ab2748770c", + "id": "attack-pattern--795aa535-959e-44b7-9f5e-2d5d0ca3cd1c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.479261Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Failed Network 
Connections", - "description": "Some emulated systems fail to handle some network communications; such failures will indicate the emulated environment.", + "created": "2020-08-21T20:49:59.515309Z", + "modified": "2022-09-08T18:26:13.30787Z", + "name": "Relocate API Code", + "description": "Relocate API code in separate buffer (calls donā€™t lead to imported DLLs).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-emulator.md", - "external_id": "B0004.004" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.020" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f7edbfa2-7ebf-4e66-bad5-a13150f5ce7a", + "id": "attack-pattern--91859e1a-022e-420a-bc00-af0546d891cb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.589265Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Zcash", - "description": "Access Zcash data.", + "created": "2021-02-10T06:49:32.003478Z", + "modified": "2022-09-08T18:26:13.334848Z", + "name": "Base64::Decode Data", + "description": "Malware may decode data using Base64.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "credential-access" + "phase_name": "data-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/cryptocurrency.md", - "external_id": "B0028.003" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decode-data.md", + "external_id": "C0053.001" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f867931f-8c8a-4b28-bc5b-0482852124b6", + "id": "attack-pattern--dc5231d1-332e-45ab-9995-412a5da4c10d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.891261Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Synchronization", - "description": "Malware enables two or more processes/threads to share a resource.", + "created": "2020-08-21T20:49:59.485265Z", + "modified": "2022-09-08T18:26:13.298557Z", + "name": "Self Check", + "description": "Malware may check its own characteristics to determine whether it's running in a sandbox. 
For example, a malicious Office document might check its file name or VB project name.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/synchronization.md", - "external_id": "C0022" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", + "external_id": "B0007.007" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f919567a-9038-415c-a76b-10c702d929b0", + "id": "attack-pattern--0741d3d3-4027-430d-a574-5bc06d62a9c0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.038481Z", - "modified": "2022-02-05T00:37:22.819853Z", - "name": "Resume Thread", - "description": "Malware typically resumes a thread in order to execute previously injected code (e.g., in the course of the [Process Injection::Process Hollowing](https://github.com/MBCProject/mbc-markdown/blob/v2.2/https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/process-inject.md)).", + "created": "2022-02-04T23:52:36.03097Z", + "modified": "2022-09-08T18:26:13.383336Z", + "name": "Hashed Message Authentication Code", + "description": "Malware uses a hashed message authentication code (HMAC) schema.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" + "phase_name": "cryptography-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { 
"source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/resume-thread.md", - "external_id": "C0054" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/hashed-message-authentication-code.md", + "external_id": "C0061" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f93d127d-164b-47c1-81e9-e7011cb478f8", + "id": "attack-pattern--74f89ee2-f4c0-4221-8951-e3a8f1fc449b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.80426Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "DDNS Domain Connect::DNS Communication", - "description": "Connects to dynamic DNS domain.", + "created": "2020-08-21T20:49:59.682261Z", + "modified": "2022-02-05T00:37:22.648018Z", + "name": "Code Reordering", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" - } - ], - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md", - "external_id": "C0011.003" + "phase_name": "defense-evasion" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_is_subtechnique": true - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--fb0ec928-14d1-49f3-9897-14e3613b4ad7", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.462262Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "IsDebuggerPresent", - "description": "The kernel32!IsDebuggerPresent API function call checks the PEB BeingDebugged flag to see if the calling process is being debugged. 
It returns 1 if the process is being debugged, 0 otherwise. This is one of the most common ways of debugger detection.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - } - ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.008" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/polymorphic-code.md", + "external_id": "B0029.003" + }, + { + "source_name": "external_source", + "url": "https://www.mccormick.northwestern.edu/eecs/documents/tech-reports/2010-2014/evaluating-android-anti-malware-against-transformation-attacks.pdf" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fb6ca685-805a-467b-8f10-460f41360731", + "id": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.01448Z", - "modified": "2022-02-05T00:37:22.788643Z", - "name": "Delete Directory", - "description": "Malware deletes a directory.", + "created": "2021-02-10T06:49:31.991483Z", + "modified": "2022-09-08T18:26:13.387563Z", + "name": "Decrypt Data", + "description": "Malware may decrypt data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "file-system-micro-objective" + "phase_name": "cryptography-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/delete-dir.md", - "external_id": "C0048" + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": false }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fbaedc87-7d0b-447c-a9e5-0f6c2658770a", + "id": "attack-pattern--7ae3202c-73b7-4153-a577-4d3084e2675f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.721261Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Suicide Exit", - "description": "Malware terminates its execution based on a trigger condition or value (or because it has completed).", + "created": "2021-02-10T06:49:32.031479Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Set Registry Key::Registry", + "description": "Malware sets a registry key.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "operating-system-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", - "external_id": "B0025.001" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", + "external_id": "C0036.001" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b", + "id": "attack-pattern--e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.823261Z", - "modified": "2022-02-05T00:37:22.741756Z", - "name": "Create Pipe::Interprocess Communication", + "created": "2020-08-21T20:49:59.562264Z", + "modified": "2022-09-08T18:26:13.194924Z", + "name": "Symbol Obfuscation", + "description": "Remove or rename symbolic information commonly inserted by compilers for debugging purposes.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" + "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/inter-process.md", - "external_id": "C0003.001" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.018" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fd9f551a-f0ef-42e2-bf82-acdf1062852b", + "id": "attack-pattern--b1089154-3ee0-4713-893f-af97047f8ab5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Secure Triggers", - "description": "Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).", + "created": "2020-08-21T20:49:59.459263Z", + "modified": "2022-09-08T18:26:13.312531Z", + "name": "CheckRemoteDebuggerPresent", + "description": "The kernel32!CheckRemoteDebuggerPresent function calls NtQueryInformationProcess with ProcessInformationClass parameter set to 7 (ProcessDebugPort constant).", 
"kill_chain_phases": [ - { - "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, { "kill_chain_name": "mitre-mbc", "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", - "external_id": "B0025.005" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.002" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fdc4b63d-2ee4-49af-b2d4-2defeff3d87d", + "id": "attack-pattern--d6181cb9-7268-4ff7-99db-94df827e746e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Token Check", - "description": "Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.). 
If the token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.), it is considered fingerprinting.", + "created": "2020-08-21T20:49:59.601273Z", + "modified": "2022-02-05T00:37:22.601096Z", + "name": "WinAPI", + "description": "Screen is captured using WinAPI functions (e.g., user32.GetDesktopWindow).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "collection" }, { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "credential-access" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", - "external_id": "B0025.006" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/screen-capture.md", + "external_id": "E1113.m01" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fdd6cb04-8d0a-4808-b50a-0e7f8061b42b", + "id": "attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:32.042481Z", - "modified": "2022-02-05T00:37:22.835477Z", - "name": "Allocate Thread Local Storage", - "description": "Malware allocates thread local storage.", + "created": "2020-08-21T20:49:59.468265Z", + "modified": "2022-09-08T18:26:13.317662Z", + "name": "Process Environment Block BeingDebugged", + "description": "The BeingDebugged field is tested to determine whether the process is being debugged.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "process-micro-objective" + "phase_name": "anti-behavioral-analysis" } ], 
+ "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/thread-storage-allocate.md", - "external_id": "C0040" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.035" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fe31be5f-2912-4056-b70b-62988d5c3829", + "id": "attack-pattern--4c1e6e56-1c8d-4bce-b696-68ac83cb33f6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:35.877737Z", - "modified": "2022-02-05T00:37:22.679223Z", - "name": "Runs as Service", - "description": "The malware must be run as a service, which can make behavioral analysis and debugging more difficult. The service may be set up by the malware. 
Alternatively, the malware may not contain any code to create a new service or modify an existing service, in which case, the service may be set up by another program or manually.", + "created": "2020-08-21T20:49:59.593264Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Mouse Events", + "description": "Mouse events are captured.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "collection" }, { "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "credential-access" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/conditional-execute.md", - "external_id": "B0025.007" - }, - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1480", - "external_id": "T1480" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/input-capture.md", + "external_id": "E1056.m01" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fe39ee83-4f97-4989-b1f4-11a95d36b9d2", + "id": "attack-pattern--948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.475261Z", - "modified": "2022-02-05T00:37:22.507385Z", - "name": "Timing/Delay Check QueryPerformanceCounter", - "description": "Malware uses QueryPerformanceCounter in a timing/delay check.", + "created": "2021-02-10T06:49:31.981483Z", + "modified": "2022-09-08T18:26:13.373431Z", + "name": "Send Data::Socket Communication", + "description": "Send data on socket.", "kill_chain_phases": [ { "kill_chain_name": 
"mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "communication-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.033" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.007" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fe662062-536d-43ca-912b-534a2936ddad", + "id": "attack-pattern--168ed95b-0c10-42c4-9f0a-c1c462b39f6c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:31.971484Z", - "modified": "2022-02-05T00:37:22.726134Z", - "name": "WinINet::FTP Communication", - "description": "Send FTP command via WinINet.", + "created": "2020-08-21T20:49:59.561265Z", + "modified": "2022-09-08T18:26:13.19438Z", + "name": "Stack Strings", + "description": "Build and decrypt strings on the stack at each use, then discard to avoid obvious references.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "communication-micro-objective" + "phase_name": "anti-static-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/ftp-comm.md", - "external_id": "C0004.002" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.017" } ], - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fecc2029-1268-4e13-b4b7-2b9f00c84972", + "id": "attack-pattern--95c86aee-57b2-4cc2-9354-772a30b4024f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.578264Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Confuser", - "description": "Uses Confuser packer.", + "created": "2020-08-21T20:49:59.707263Z", + "modified": "2022-09-08T18:26:13.216141Z", + "name": "Process detection - Process Utilities", + "description": "Malware can scan for the process name associated with common analysis tools. ProcessHacker / SysAnalyzer / HookExplorer / SysInspector", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" + "phase_name": "discovery" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001.009" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", + "external_id": "B0013.005" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--ff66c503-48b3-4f2b-a462-f54258d2cfca", + "id": "attack-pattern--ae167f71-8166-4906-97ba-8b9efb6daca2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.514301Z", - "modified": "2022-02-05T00:37:22.538637Z", - "name": "Pre-Debug", - 
"description": "Prevents debugger from attaching to process or to break until after the code of interest has been executed.", + "created": "2020-08-21T20:49:59.475261Z", + "modified": "2022-09-08T18:26:13.321636Z", + "name": "UnhandledExceptionFilter", + "description": "The UnhandledExceptionFilter function is called if no registered exception handlers exist, but it will not be reached if a debugger is present. See for details.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "anti-behavioral-analysis" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md", - "external_id": "B0002.019" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.030" + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "id": "attack-pattern--dd5fd5f1-cc85-409b-a4c0-96cea106cd82", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.584261Z", - "modified": "2022-02-05T00:37:22.585511Z", - "name": "Software Packing", - "description": "This code characteristic - Software Packing - can make static and behavioral analysis difficult and includes packing with software protectors, such as Themida and Armadillo [[1]](#1). Methods related to anti-analysis are below. 
This behavior covers both characteristics of the malware (i.e., how it is packed) as well as behaviors of the malware (e.g., the malware packs another executable file).", + "created": "2020-08-21T20:49:59.514301Z", + "modified": "2022-09-08T18:26:13.307116Z", + "name": "Parallel Threads", + "description": "Use several parallel threads to make analysis harder.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", "phase_name": "anti-behavioral-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "anti-static-analysis" - }, - { - "kill_chain_name": "mitre-mbc", - "phase_name": "defense-evasion" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/software-packing.md", - "external_id": "F0001" - }, - { - "source_name": "external_source", - "description": "Ange Albertini, Packers, 5 April 2010,", - "url": "https://gironsec.com/code/packers.pdf" - }, - { - "source_name": "external_source", - "description": "Jiang Ming et al, Towards Paving the Way for Large-Scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-Magnitude Performance Boost, October 2018,", - "url": "https://dl.acm.org/citation.cfm?id=3243771." 
- }, - { - "source_name": "external_source", - "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.017" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_is_subtechnique": false + "x_mitre_is_subtechnique": true }, { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--ff838892-3d1a-46ba-a3f5-5787e0e82830", + "id": "attack-pattern--8df78326-a8e8-4039-82a7-3dd375910e71", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.470264Z", - "modified": "2022-02-05T00:37:22.491757Z", - "name": "Process Jobs", + "created": "2021-02-10T06:49:32.031479Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Open Registry Key::Registry", + "description": "Malware opens a registry key.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mbc", - "phase_name": "anti-behavioral-analysis" + "phase_name": "operating-system-micro-objective" } ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md", - "external_id": "B0001.020" - }, - { - "source_name": "external_source", - "description": "Anti Debugging Tricks, Al-Khaser.", - "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", + "external_id": "C0036.003" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], "x_mitre_is_subtechnique": true }, { - "type": "identity", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-01-01T00:00:00.000Z", - "modified": "2020-01-01T00:00:00.000Z", - "name": "The MITRE Corporation", - "identity_class": "organization", + "id": "attack-pattern--a5490a04-b672-4587-ae13-f0a25eb1cea4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.927259Z", + "modified": "2022-02-05T00:37:22.835477Z", + "name": "Shutdown Event", + "description": "Malware can register the shutdown event triggered by WinLogon to allow a malicious DLL to execute every time the machine shuts down: when the machine is shutdown the malware will be loaded into memory; then it will download the primary malware and reinfect the machine. The malware will also lie dormant during incident reporting processes. To check whether malware has registered for login events, check the registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify. If a subkey with any name exists and it has a \"shutdown\" value then the dll in the \"DLLName\" key will be launched during the shutdown process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "malware", - "spec_version": "2.1", - "id": "malware--0c0d59b7-4ff0-4a09-9c64-558334485ece", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.331252Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "DNSChanger", - "description": "Used to change DNS settings to generate fraudulent advertising revenue.", - "malware_types": [ - "unknown" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/dnschanger.md", - "external_id": "X0005" + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/shutdown-event.md", + "external_id": "B0035" }, { "source_name": "external_source", - "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html" + "url": "https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_platform": [ - "Windows" - ], - "x_mitre_year": "2011" + "x_mitre_is_subtechnique": false }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52", + "id": "attack-pattern--f867931f-8c8a-4b28-bc5b-0482852124b6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.330254Z", - "modified": "2022-02-05T00:37:25.92289Z", - "name": "Dark Comet", - "description": "A Remote Access Trojan (RAT) that allows a user to control the system via a GUI. It has many features which allows a user to use it as administrative remote help tool; however, DarkComet has many features which can be used maliciously. 
DarkComet is commonly used to spy on the victims by taking screen captures, key-logging, or password stealing.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/dark-comet.md", - "external_id": "X0004" - }, + "created": "2020-08-21T20:49:59.891261Z", + "modified": "2022-02-05T00:37:22.835477Z", + "name": "Synchronization", + "description": "Malware enables two or more processes/threads to share a resource.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/DarkComet" + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/synchronization.md", + "external_id": "C0022" + } ], - "x_mitre_year": "2008" + "x_mitre_is_subtechnique": false }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--2640ed9a-24d9-4975-90c2-c8ab94d544e3", + "id": "attack-pattern--461d88f4-10e9-4db1-b91d-e9a8cd0f8654", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.361255Z", - "modified": "2022-02-05T00:37:25.969727Z", - "name": "Stuxnet", - "description": "A malicious worm targeting SCADA systems.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/stuxnet.md", - "external_id": "X0019" - }, - { - "source_name": "external_source", - "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" - }, - { - "source_name": "external_source", - "url": 
"https://www.bbc.com/timelines/zc6fbk7" - }, + "created": "2021-02-10T06:49:32.00448Z", + "modified": "2022-09-08T18:26:13.3316Z", + "name": "QuickLZ::Decompress Data", + "description": "Malware decompresses data using QuickLZ.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/Stuxnet" + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_aliases": [ - "Rootkit.Tmphider", - "W32.Temphid" - ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decompress-data.md", + "external_id": "C0025.001" + } ], - "x_mitre_year": "2010" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", + "id": "attack-pattern--608a4855-fe3a-4bff-a7a2-46db2ffd360b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.367256Z", - "modified": "2022-02-05T00:37:25.969727Z", - "name": "TrickBot", - "description": "Trojan spyware program that has mainly been used for targeting banking sites. 
TrickBot is written in the C++ programming language.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ + "created": "2021-02-10T06:49:31.997443Z", + "modified": "2022-09-08T18:26:13.394742Z", + "name": "RC4 KSA::Encryption Key", + "description": "Malware uses the RC4 Key Scheduling Algorithm (KSA).", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/trickbot.md", - "external_id": "X0025" + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encryption-key.md", + "external_id": "C0028.002" + } ], - "x_mitre_year": "2016" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--2def59e9-a1ba-4c23-9f7d-437935d1e965", + "id": "attack-pattern--f1b3a223-fa61-4341-9d0c-9f71b399ee00", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.336251Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "Geneio", - "description": "Geneio is a byproduct of the DYLD_PRINT_TIFILE vulnerability. 
Geneio can gain access to the MAC Keychain and persist until removed by the user.", - "malware_types": [ - "unknown" + "created": "2020-08-21T20:49:59.759262Z", + "modified": "2022-09-08T18:26:13.272067Z", + "name": "Encryption", + "description": "Data is encrypted.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/geneio.md", - "external_id": "X0007" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", + "external_id": "E1560.m02" + } + ], + "x_mitre_is_subtechnique": true + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.743261Z", + "modified": "2022-09-08T18:26:13.236841Z", + "name": "Send Email", + "description": "Sends an email message from the system on which the malware is executing to one or more recipients, mostly commonly for the purpose of spamming or for distributing a malicious attachment or URL (malspamming).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/send-email.md", + "external_id": "B0020" }, { "source_name": "external_source", - "url": "https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/" + "url": 
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/" }, { "source_name": "external_source", - "url": "https://support.norton.com/sp/en/us/home/current/solutions/v103415336_EndUserProfile_en_us" + "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" }, { "source_name": "external_source", - "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99" + "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_platform": [ - "OS X" - ], - "x_mitre_year": "2015" + "x_mitre_is_subtechnique": false }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--30666a55-e3de-40ff-a680-8bca9c163cb0", + "id": "attack-pattern--b5d3d3c7-f9bd-4d61-8a73-593972018a8b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.355256Z", - "modified": "2022-02-05T00:37:25.954104Z", - "name": "Rombertik", - "description": "This family of malware steals data the user enters into a browser and uses a variety of behaviors to hinder analysis.", - "malware_types": [ - "unknown" + "created": "2020-08-21T20:49:59.643261Z", + "modified": "2022-09-08T18:26:13.40232Z", + "name": "ROP Chains", + "description": "Return-Oriented Programming can be used to bypass DEP. 
It can also be used to bypass code signing.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/rombertik.md", - "external_id": "X0031" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/bypass-data-execution-prevention.md", + "external_id": "B0037.001" }, { "source_name": "external_source", - "url": "http://labs.lastline.com/exposing-rombertik-turning-the-tables-on-evasive-malware" + "url": "https://medium.com/cybersecurityservices/dep-bypass-using-rop-chains-garima-chopra-e8b3361e50ce" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_platform": [ - "Windows" - ], - "x_mitre_year": "2015" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--31e78af0-0509-4f7b-b304-77a8e5bf7ead", + "id": "attack-pattern--b9cf6d75-631e-4209-b84d-63a7dcaf9b65", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.370254Z", - "modified": "2022-02-05T00:37:25.969727Z", - "name": "Ursnif", - "description": "A banking trojan that uses malware macros to evade sandbox detection. 
Variant of Gozi.", - "malware_types": [ - "unknown" + "created": "2021-02-10T06:49:31.999444Z", + "modified": "2022-02-05T00:37:22.773011Z", + "name": "BSD::Checksum", + "description": "Malware computes a BSD checksum.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/ursnif.md", - "external_id": "X0022" - }, + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md", + "external_id": "C0032.003" + } + ], + "x_mitre_is_subtechnique": true + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.814267Z", + "modified": "2022-09-08T18:26:13.366556Z", + "name": "IWebBrowser::HTTP Communication", + "description": "The IWebBrowser interface exposes methods and properties implemented by the WebBrowser control or implemented by an instance of the InternetExplorer application. 
Specific methods and properties can be captured: e.g., COMMUNICATION::HTTP Communication::IWebBrowser.get_Document.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_aliases": [ - "Dreambot", - "Gozi" - ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.010" + } ], - "x_mitre_year": "2016" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa", + "id": "attack-pattern--41c176c1-6258-4bd4-9518-c2dc433c254c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.345255Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "Kraken", - "description": "A family of bots.", - "malware_types": [ - "unknown" + "created": "2020-08-21T20:49:59.88026Z", + "modified": "2022-09-08T18:26:13.340536Z", + "name": "Overflow Buffer", + "description": "Malware may overflow the buffer for various purposes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "memory-micro-objective" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/kraken.md", - "external_id": "X0010" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/overflow-buffer.md", + "external_id": "C0010" }, { "source_name": "external_source", - 
"url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" + "url": "https://en.wikipedia.org/wiki/Conficker" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_aliases": [ - "Bobax" - ], - "x_mitre_platform": [ - "Windows" - ], - "x_mitre_year": "2008" + "x_mitre_is_subtechnique": false }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--4188f951-4400-406c-8281-509395fc8e11", + "id": "attack-pattern--93ac6386-6f04-44cd-b7a5-78da3ced8b13", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.326252Z", - "modified": "2022-02-05T00:37:25.92289Z", - "name": "CryptoLocker", - "description": "CryptoLocker is a family of ransomware.", - "malware_types": [ - "unknown" + "created": "2020-08-21T20:49:59.467265Z", + "modified": "2022-09-08T18:26:13.317071Z", + "name": "Parent Process", + "description": "(Explorer.exe); Executing an application by a debugger will result in the parent process being the debugger process rather than the shell process (Explorer.exe) or the command line. 
Malware checks its parent process; if it's not explorer.exe, it's assumed to be a debugger.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/cryptolocker.md", - "external_id": "X0030" - }, - { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/CryptoLocker" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.018" }, { "source_name": "external_source", - "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/" + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_platform": [ - "Windows" - ], - "x_mitre_year": "2013" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", + "id": "attack-pattern--eee013e1-4cfd-42f9-9f46-71f4b1598ef3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.352256Z", - "modified": "2022-02-05T00:37:25.954104Z", - "name": "Poison-Ivy", - "description": "Remote Access Trojan (RAT).", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ + "created": "2020-08-21T20:49:59.58826Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Bitcoin", + "description": "Access Bitcoin data.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/poison-ivy.md", - "external_id": "X0014" + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" }, { - "source_name": "external_source", - "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/cryptocurrency.md", + "external_id": "B0028.001" + } ], - "x_mitre_year": "2005" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9", + "id": "attack-pattern--93bd89e3-9cfd-47f6-9fed-bb13b58acd82", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.325252Z", - "modified": "2022-02-05T00:37:25.92289Z", - "name": "Conficker", - "description": "A worm targeting Microsoft Windows operations systems.", - "malware_types": [ - "unknown" + "created": "2020-08-21T20:49:59.491263Z", + "modified": "2022-09-08T18:26:13.284044Z", + "name": "Check Virtual Devices", + "description": "The presence of virtual devices can indicate a virtualized environment (e.g., \"\\\\.\\VBoxTrayIPC\").", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/conficker.md", - "external_id": "X0003" - }, - { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/Conficker" + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.008" }, { "source_name": "external_source", - "url": "http://www.csl.sri.com/users/vinod/papers/Conficker/" + "url": "https://github.com/LordNoteworthy/al-khaser" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_aliases": [ - "Downup", - "Downadup", - "Kido" - ], - "x_mitre_platform": [ - "Windows" - ], - "x_mitre_year": "2008" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--508cadaa-4fd5-4105-803e-8944e388ee45", + "id": "attack-pattern--dcd29dd1-20d2-4387-90dd-95480c4e0f1c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.349255Z", - "modified": "2022-02-05T00:37:25.954104Z", - "name": "MazarBot", - "description": "Targets Android phones via a poisoned text message.", - "malware_types": [ - "unknown" + "created": "2021-02-10T06:49:32.021478Z", + "modified": "2022-02-05T00:37:22.804261Z", + "name": "Mouse Click::Simulate Hardware", + "description": "Malware simulates mouse click.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "hardware-micro-objective" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/mazarbot.md", - "external_id": "X0012" - }, - { - "source_name": "external_source", - "url": "https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html" - }, + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/simulate-hardware.md", + "external_id": "C0057.002" + } + ], + "x_mitre_is_subtechnique": true + }, + { + "type": 
"attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--46d77a13-9d20-4c9c-9846-cf6f298f6836", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.606261Z", + "modified": "2022-09-08T18:26:13.229208Z", + "name": "Request Command", + "description": "Implant requests a command.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.player.one/new-android-sms-malware-can-completely-own-your-phone-just-one-text-how-avoid-mazar-512363" + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Android" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.008" + } ], - "x_mitre_year": "2016" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48", + "id": "attack-pattern--c08285dc-2707-4016-9db1-187e19f504f6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.347255Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "Locky Bart", - "description": "Locky Bart is ransomware.", - "malware_types": [ - "unknown" + "created": "2020-08-21T20:49:59.499265Z", + "modified": "2022-09-08T18:26:13.28893Z", + "name": "Instruction Testing - VPCEXT", + "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/locky-bart.md", - "external_id": "X0011" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.038" }, { "source_name": "external_source", - "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/" + "url": "https://search.unprotect.it/map/sandbox-evasion/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_platform": [ - "Windows" - ], - "x_mitre_year": "2017" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--549d1c35-f214-4760-ab97-2142c66cf111", + "id": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.328253Z", - "modified": "2022-02-05T00:37:25.92289Z", - "name": "CryptoWall", - "description": "CryptoWall is a family of ransomware.", - "malware_types": [ - "unknown" + "created": "2020-08-21T20:49:59.47626Z", + "modified": "2022-09-08T18:26:13.32216Z", + "name": "Debugger Detection", + "description": "Malware detects whether it's being executed inside a debugger. 
If so, conditional execution selects a benign execution path.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/cryptowall.md", - "external_id": "X0029" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001" }, { "source_name": "external_source", - "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/" + "description": "Alexander Antukh, \"Anti-debugging Techniques Cheat Sheet,\" 19 January 2015.", + "url": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet." }, { "source_name": "external_source", - "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/" + "description": "Joshua Cannell, Malwarebytes Labs, \"Five Anti-Analysis Tricks that sometimes Fool Analysts,\" 31 March 2016.", + "url": "https://blog.malwarebytes.com/threat-analysis/2014/09/five-anti-debugging-tricks-that-sometimes-fool-analysts." + }, + { + "source_name": "external_source", + "description": "Peter Ferrie, \"The 'Ultimate' Anti-Debugging Reference,\" 4 May 2011.", + "url": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf." + }, + { + "source_name": "external_source", + "description": "Atif Mushtaq, FireEye, \"The Dead Giveaways of VM-Aware Malware,\" 27 January 2011.", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html." 
+ }, + { + "source_name": "external_source", + "description": "Ayoub Faouzi (LordNoteworthy), Al-Khaser v0.79.", + "url": "https://github.com/LordNoteworthy/al-khaser" + }, + { + "source_name": "external_source", + "description": "Nicolas Falliere, Symantec, \"Windows Anti-Debug Reference,\" 11 September 2007.", + "url": "https://www.symantec.com/connect/articles/windows-anti-debug-reference." + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + }, + { + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_platform": [ - "Windows" - ], - "x_mitre_year": "2014" + "x_mitre_is_subtechnique": false }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--5dcefe05-4ead-4f84-9919-ebefe968df27", + "id": "attack-pattern--8cf4e8d0-21b6-4e35-97c2-97e6c5322509", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.369255Z", - "modified": "2022-02-05T00:37:25.969727Z", - "name": "UP007 Malware Family", - "description": "Description.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/up007.md", - "external_id": "X0033" - }, + "created": "2021-02-10T06:49:31.985484Z", + "modified": "2022-09-08T18:26:13.380498Z", + "name": "MD5::Cryptographic Hash", + "description": "Malware uses an MD5 hash.", + 
"kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/" + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", + "external_id": "C0029.001" + } ], - "x_mitre_year": "2016" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--5fe2035d-58a0-4cd6-9561-cf4442871a10", + "id": "attack-pattern--74d536e7-5fb3-4633-8f42-ca413aa2beea", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.332252Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "Emotet", - "description": "Emotet is a banking trojan.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/emotet.md", - "external_id": "X0028" - }, - { - "source_name": "external_source", - "url": "https://cofense.com/dark-realm-shifting-ways-geodo-malware" - }, + "created": "2022-02-04T23:52:35.912738Z", + "modified": "2022-02-05T00:37:22.71051Z", + "name": "Delete Shadow Copies", + "description": "Deletes shadow drive data, which is related to ransomware.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/" + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_aliases": [ - "Geodo" - ], - "x_mitre_platform": [ - "Windows" + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md", + "external_id": "E1485.m04" + } ], - "x_mitre_year": "2018" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--6875c768-4212-474d-85dc-1e89c62e9a65", + "id": "attack-pattern--966c59f0-e5f7-4c3f-80f8-49091c015ad7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.363292Z", - "modified": "2022-02-05T00:37:25.969727Z", - "name": "SYNful Knock", - "description": "A modification of the router's firmware images used to maintain persistence.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-09-08T18:26:13.405881Z", + "name": "Encoding", + "description": "A malware sample, file, or other information is encoded.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/synful-knock.md", - "external_id": "X0020" + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" }, { - "source_name": "external_source", - "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html" + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Cisco" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", + "external_id": "E1027.m01" + } ], - "x_mitre_year": "2015" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--6a1bde20-a344-4738-9df5-b568fa4b5f33", + "id": 
"attack-pattern--04e25839-3207-4600-8972-618aa7cf44af", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.342252Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "Hupigon", - "description": "A family of backdoors.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/hupigon.md", - "external_id": "X0008" - }, + "created": "2020-08-21T20:49:59.606261Z", + "modified": "2022-09-08T18:26:13.229515Z", + "name": "Request Email Address List", + "description": "Request email address list.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON" + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_aliases": [ - "Delf", - "Emerleox", - "Logsnif", - "Graybird", - "Pcclient" - ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.010" + } ], - "x_mitre_year": "2013" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", + "id": "attack-pattern--9dd6ef57-b3b3-48e8-a77e-233ffee5d45b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.372256Z", - "modified": "2022-02-05T00:37:25.969727Z", - "name": "WebCobra", - "description": "Cryptojacking malware.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/webcobra.md", - "external_id": "X0023" - }, - { - "source_name": "external_source", - "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" - }, + "created": "2022-02-04T23:52:35.870658Z", + "modified": "2022-09-08T18:26:13.210153Z", + "name": "Inspect Section Memory Permissions", + "description": "Malware identifies section memory permissions from image section header.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/#16f5542cc336" + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/code-discovery.md", + "external_id": "B0046.002" + } ], - "x_mitre_year": "2018" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--86cfa430-ca3b-4322-bdfe-989aca5305f0", + "id": "attack-pattern--b535d57f-a2e0-427b-8f4d-69d948e6ebf4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.334253Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "Gamut", - "description": "A spamming botnet.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/gamut.md", - "external_id": "X0006" - }, + "created": "2021-02-10T06:49:31.975482Z", + "modified": "2022-09-08T18:26:13.367085Z", + "name": "WinINet::HTTP Communication", + "description": "A HTTP 
request is made via the Windows Internet (WinINet) application programming interface (API). A specific function can be specified as a method on the [WinInet](../communication/wininet.md) microbehavior.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_aliases": [ - "Bobax" - ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.007" + } ], - "x_mitre_year": "2014" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--92f9ba45-2fb3-4d97-9865-eda477e7b779", + "id": "attack-pattern--1bfa0256-c28e-4dcc-82f6-8fa6880328f6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.340252Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "Heriplor", - "description": "This Trojan is associated with the Energetic Bear group [[1]](#1).", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/heriplor.md", - "external_id": "X0026" - }, + "created": "2021-02-10T06:49:31.982483Z", + "modified": "2022-09-08T18:26:13.374821Z", + "name": "Receive UDP Data::Socket Communication", + "description": "Receive UDP data.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" + "kill_chain_name": "mitre-mbc", + "phase_name": 
"communication-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.017" + } ], - "x_mitre_year": "2012" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--a456fdcd-68f2-46fb-adb0-97c6817338c9", + "id": "attack-pattern--9a20e319-4340-469f-a31c-5153dbd05bd0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.357255Z", - "modified": "2022-02-05T00:37:25.954104Z", - "name": "SamSam", - "description": "Ransomware.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/samsam.md", - "external_id": "X0016" - }, - { - "source_name": "external_source", - "url": "https://www.us-cert.gov/ncas/alerts/AA18-337A" - }, + "created": "2022-02-04T23:52:35.845581Z", + "modified": "2022-09-08T18:26:13.403868Z", + "name": "Hardware/Firmware Rootkit", + "description": "A firmware rootkit compromises hardware (e.g. network card, hard drive), system BIOS, UEFI firmware. LoJack is the first in-the-wild UEFI rootkit. 
See ATT&CK: [System Firmware](https://attack.mitre.org/techniques/T1542/001/).", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/" + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_aliases": [ - "MSIL/Samas.A", - "Samas", - "Samsa" - ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md", + "external_id": "E1014.m14" + } ], - "x_mitre_year": "2015" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--a6ad7a2e-f619-4598-914b-16f68b372789", + "id": "attack-pattern--89594c9d-1e28-49a2-8969-694ade43e857", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.374255Z", - "modified": "2022-02-05T00:37:25.969727Z", - "name": "YiSpecter", - "description": "YiSpecter is Apple iOS malware that can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other appsā€™ execution to display advertisements, change Safariā€™s default search engine, bookmarks and opened pages, and upload device information to a C2 server. It uses tricks to hide its icons from iOSā€™s SpringBoard, which prevents the user from finding and deleting it. 
The components also use the same name and logos of system apps to trick iOS power users.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/yispecter.md", - "external_id": "X0024" - }, + "created": "2020-08-21T20:49:59.464262Z", + "modified": "2022-09-08T18:26:13.315063Z", + "name": "Monitoring Thread", + "description": "Malware may spawn a monitoring thread to detect tampering, breakpoints, etc.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "iOS" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.011" + } ], - "x_mitre_year": "2015" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41", + "id": "attack-pattern--69af89da-bf40-4b9e-93c5-baa8fb937099", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.354255Z", - "modified": "2022-02-05T00:37:25.954104Z", - "name": "Redhip", - "description": "An information stealer.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/redhip.md", - "external_id": "X0015" - }, + "created": "2020-08-21T20:49:59.605266Z", + "modified": "2022-09-08T18:26:13.228965Z", + "name": "Receive 
Data", + "description": "Receive data or command from a controller.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.002" + } ], - "x_mitre_year": "2011" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce", + "id": "attack-pattern--89a1d613-7163-493b-8aa9-7a528dd1dd3e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.365256Z", - "modified": "2022-02-05T00:37:25.969727Z", - "name": "Terminator", - "description": "A remote access tool (RAT).", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/terminator.md", - "external_id": "X0021" - }, + "created": "2020-08-21T20:49:59.515309Z", + "modified": "2022-09-08T18:26:13.308378Z", + "name": "RtlAdjustPrivilege", + "description": "Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf" + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - 
"x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.022" + } ], - "x_mitre_year": "2013" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--cb022b7d-775c-4db8-ab25-3add7e215d54", + "id": "attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.350255Z", - "modified": "2022-02-05T00:37:25.954104Z", - "name": "Mebromi", - "description": "A BIOS bootkit.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/mebromi.md", - "external_id": "X0013" - }, + "created": "2021-02-10T06:49:32.000444Z", + "modified": "2022-02-05T00:37:22.773011Z", + "name": "Verhoeff::Checksum", + "description": "Malware uses the Verhoeff algorithm, often for purposes of error detection.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md", + "external_id": "C0032.004" + } ], - "x_mitre_year": "2011" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--cdd198e2-3f6f-42c4-adfd-d97dc66c5f19", + "id": "attack-pattern--ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.323252Z", - "modified": "2022-02-05T00:37:25.92289Z", - "name": "BlackEnergy", - "description": "An HTTP-based botnet used mostly for DDoS attacks.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/blackenergy.md", - "external_id": "X0002" - }, + "created": "2022-02-04T23:52:35.783046Z", + "modified": "2022-09-08T18:26:13.231139Z", + "name": "Start Interactive Shell", + "description": "Start an interactive shell using a built-in program (e.g. cmd.exe, PowerShell, bash). This is often implemented with polling the network connection from the controller for text commands to redirect to the shell's stdin and polling the shell's stdout and stderr to redirect over the network to the controller. This differs from Execute Shell Command because the shell process runs across multiple iterations of the recv-command(s)-send-result loop.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf" + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.016" + } ], - "x_mitre_year": "2007" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--d36b0186-1e10-4dd8-a1df-076e9a692c57", + "id": "attack-pattern--5b93eef5-683e-44cb-b737-0e80feb890d2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.360255Z", - 
"modified": "2022-02-05T00:37:25.969727Z", - "name": "Shamoon", - "description": "Data wiping malware.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/shamoon.md", - "external_id": "X0018" - }, + "created": "2020-08-21T20:49:59.887261Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Create Process via WMI::Create Process", + "description": "Malware uses WMI to create a process.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509" + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-process.md", + "external_id": "C0017.002" + } ], - "x_mitre_year": "2012" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--dbe9ee23-f01d-4cdb-bf53-066c77352dac", + "id": "attack-pattern--18377be7-e46d-48a0-ac85-b6af8f777b78", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.358255Z", - "modified": "2022-02-05T00:37:25.954104Z", - "name": "SearchAwesome", - "description": "Adware that intercepts encrypted web traffic to inject ads.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/searchawesome.md", - "external_id": "X0017" - }, + "created": "2021-02-10T06:49:32.031479Z", + "modified": 
"2022-02-05T00:37:22.819853Z", + "name": "Query Registry Value::Registry", + "description": "Malware queries a registry value.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/" + "kill_chain_name": "mitre-mbc", + "phase_name": "operating-system-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Mac OSX" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", + "external_id": "C0036.006" + } ], - "x_mitre_year": "2018" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--dd874fc3-691c-4825-95cc-bbe52e5406f5", + "id": "attack-pattern--5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.337252Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "GotBotKR", - "description": "Modified version of a publicly available backdoor name GoBot2. 
Modifications are mainly evasion techniques specific to South Korea.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/gotbotkr.md", - "external_id": "X0027" - }, + "created": "2020-08-21T20:49:59.806261Z", + "modified": "2022-09-08T18:26:13.379736Z", + "name": "Server Connect::DNS Communication", + "description": "Connects to DNS server.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", + "external_id": "C0011.002" + } ], - "x_mitre_year": "2019" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--e616d9d2-36b4-4510-84ad-66f19442fe3e", + "id": "attack-pattern--90206369-0c71-47cd-abf2-65e4e75fee99", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.339252Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "GravityRAT", - "description": "Evades detection by checking current CPU temperature.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/gravity-rat.md", - "external_id": "X0032" - }, + "created": "2021-02-10T06:49:31.980486Z", + "modified": "2022-09-08T18:26:13.371885Z", + "name": "Start TCP Server::Socket Communication", + "description": "A TCP server 
listens for client requests.", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://www.hackread.com/gravityrat-malware-evades-detection-targets-india/" + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.005" + } ], - "x_mitre_year": "2018" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b", + "id": "attack-pattern--641e7321-439b-4888-8624-f3ceace8465e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.322252Z", - "modified": "2022-02-05T00:37:25.92289Z", - "name": "Bagle", - "description": "A mass-mailing computer worm affecting Microsoft Windows.", - "malware_types": [ - "unknown" - ], - "is_family": true, - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/bagle.md", - "external_id": "X0001" - }, - { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" - }, - { - "source_name": "external_source", - "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_bagle.u" - }, + "created": "2022-02-04T23:52:35.845581Z", + "modified": "2022-09-08T18:26:13.404385Z", + "name": "Kernel Mode Rootkit", + "description": "Rootkit operates by adding or replacing code in OS, device drivers, loadable kernel modules (LKM). 
Related to ATT&CK: [Kernel Modules and Extensions](https://attack.mitre.org/techniques/T1547/006/)", + "kill_chain_phases": [ { - "source_name": "external_source", - "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_platform": [ - "Windows" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md", + "external_id": "E1014.m16" + } ], - "x_mitre_year": "2004" + "x_mitre_is_subtechnique": true }, { - "type": "malware", + "type": "attack-pattern", "spec_version": "2.1", - "id": "malware--fa095747-0ca8-4965-a222-cf1fe7647e12", + "id": "attack-pattern--0be642a6-a030-4ecf-9c30-83f9cbc9fd56", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.344254Z", - "modified": "2022-02-05T00:37:25.938478Z", - "name": "Kovter", - "description": "A trojan that performs click-fraud.", - "malware_types": [ - "unknown" + "created": "2020-08-21T20:49:59.504264Z", + "modified": "2022-09-08T18:26:13.293225Z", + "name": "Unique Hardware/Firmware Check - MAC Address", + "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. VMware uses specific virtual MAC address that can be detected. The usual MAC address used started with the following numbers: \"00:0C:29\", \"00:1C:14\", \"00:50:56\", \"00:05:69\". Virtualbox uses specific virtual MAC address that can be detected by Malware. 
The usual MAC address used started with the following numbers: 08:00:27.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "is_family": true, "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/xample-malware/kovter.md", - "external_id": "X0009" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.028" }, { "source_name": "external_source", - "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + "url": "https://search.unprotect.it/map/sandbox-evasion/" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_platform": [ - "Windows" - ], - "x_mitre_year": "2016" - }, - { - "type": "marking-definition", - "spec_version": "2.1", - "id": "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-01-01T00:00:00.000Z", - "definition_type": "statement", - "definition": { - "statement": "Copyright (c) 2020-2022, The MITRE Corporation. All rights reserved." 
- } + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--001fb916-7704-4afe-9cc5-02302511ec34", + "id": "attack-pattern--8d901ae3-1492-4090-b730-438071314947", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.451445Z", - "modified": "2021-02-10T06:49:35.451445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--13d8f97e-b0dc-4ced-918d-31297b1f9aff", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.65626Z", + "modified": "2022-09-08T18:26:13.428766Z", + "name": "Disable System File Overwrite Protection", + "description": "Disables system file overwrite protection mechanisms such as Windows file protection, thereby enabling system files to be modified or replaced.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", + "external_id": "F0004.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--003b45ca-148c-4ae8-889c-de9339540f2a", + "id": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.659443Z", - "modified": "2021-02-10T06:49:35.659443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b3369595-ed1a-4660-a239-08f6abd5810c", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2021-02-10T06:49:32.000444Z", + "modified": "2022-02-05T00:37:22.773011Z", + "name": 
"Checksum", + "description": "Malware may derive a checksum from some block of data. The checksum is often used for data validation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md", + "external_id": "C0032" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--00518fe5-bc55-413f-a3d3-54ec08afe2a1", + "id": "attack-pattern--54782583-3e1e-4e43-a038-882e989e0c0f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.603442Z", - "modified": "2021-02-10T06:49:35.603442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a5bc5daf-255e-4e9b-a4c4-508dc3a434ff", - "target_ref": "attack-pattern--7c1bb00d-f8cb-4ca8-aa11-b59f5b108996", + "created": "2022-09-08T18:26:13.382764Z", + "modified": "2022-09-08T18:26:13.382764Z", + "name": "Crypto Constant", + "description": "The malware contains a known crypto constant.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-constant.md", + "external_id": "C0069" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--00860bcf-c19d-488c-a064-21d58d08ab34", + "id": "attack-pattern--6e6d534f-57ae-49cd-be41-0b6a77fbb6fb", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1c9f410c-8e61-4d75-80be-e80461c54971", - "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", + "created": "2022-02-04T23:52:35.783046Z", + "modified": "2022-09-08T18:26:13.227923Z", + "name": "Execute File", + "description": "Execute/run/open the file using default operating system functionality, optionally with provided command-and-scripting-interpreter arguments. The file may or may not already exist on the victim.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.013" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--00bf70ee-e091-4898-897c-ee93b69fdd1a", + "id": "attack-pattern--41746d12-dfb1-4e7d-bd7e-81678b93b977", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.48548Z", - "modified": "2021-02-10T06:49:35.48548Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--2620e845-cb45-43b5-91a4-dd72dcf3339d", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.529264Z", + "modified": "2022-09-08T18:26:13.301305Z", + "name": "Different Opcode Sets", + "description": "Use different opcodes sets (ex: FPU, MMX, SSE) to block emulators.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md", + "external_id": "B0005.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--00f63103-9864-4fd0-80fd-4b4952d5bec2", + "id": "attack-pattern--ae865c4b-d90b-46be-aae6-6fbe897b76d9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.679444Z", - "modified": "2021-02-10T06:49:35.679444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac", - "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", + "created": "2020-08-21T20:49:59.769263Z", + "modified": "2022-02-05T00:37:22.71051Z", + "name": "Empty Recycle Bin", + "description": "Empties the recycle bin, which can be related to ransomware.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md", + "external_id": "E1485.m02" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--01ed5997-0953-4720-bcaa-ee6b6b274a5b", + "id": "attack-pattern--598efe94-7195-42ad-9af8-d1d9c39433ba", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.660443Z", - "modified": "2021-02-10T06:49:35.660443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--cefefa87-2f06-4008-afcf-847a8bd746af", - "target_ref": 
"attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.58826Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Ethereum", + "description": "Access Ethereum data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/cryptocurrency.md", + "external_id": "B0028.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--021cf0f3-d938-45e8-812c-b4f8dbefc0c5", + "id": "attack-pattern--f30b55fa-0ddf-49d9-884b-8cdb9e567758", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.653444Z", - "modified": "2021-02-10T06:49:35.653444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--90206369-0c71-47cd-abf2-65e4e75fee99", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.805261Z", + "modified": "2022-09-08T18:26:13.379483Z", + "name": "Resolve TLD::DNS Communication", + "description": "Resolves top level domain.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", + "external_id": "C0011.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--02247109-98f4-4143-ab69-73b4999120dc", + "id": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.714442Z", - "modified": "2021-02-10T06:49:35.714442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d320eec6-6fe3-4fd8-81f8-700742858f19", - "target_ref": "attack-pattern--f867931f-8c8a-4b28-bc5b-0482852124b6", + "created": "2021-02-10T06:49:31.994484Z", + "modified": "2022-09-08T18:26:13.392651Z", + "name": "Encrypt Data", + "description": "Malware may encrypt data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027" + }, + { + "source_name": "external_source", + "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" + }, + { + "source_name": "external_source", + "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" + }, + { + "source_name": "external_source", + "url": "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0245e5c7-c10b-48bb-af3b-4c7a7dfbadd6", + "id": "attack-pattern--4ec39934-4cf3-4e7a-96fb-425ea2f56d15", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": 
"2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a46f5dce-2530-4823-8253-d702c8b2abeb", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2020-08-21T20:49:59.861259Z", + "modified": "2022-09-08T18:26:13.346847Z", + "name": "Alter File Extension", + "description": "Malware alters a file extension. This could be done for many reasons, including to hide the file or as part of a ransomware's encryption process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/alter-file-extension.md", + "external_id": "C0015" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0374cfaa-8758-4105-9f0a-ec078bc08181", + "id": "attack-pattern--35365158-0007-49fa-bc45-da311d3c6246", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.691442Z", - "modified": "2021-02-10T06:49:35.691442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b9cf6d75-631e-4209-b84d-63a7dcaf9b65", - "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", + "created": "2021-02-10T06:49:31.973483Z", + "modified": "2022-09-08T18:26:13.36383Z", + "name": "Extract Body::HTTP Communication", + "description": "HTTP client extracts HTTP body.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.011" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--03817b6f-9fe0-4fdd-93a1-fc816b3b592d", + "id": "attack-pattern--9f4141a2-af76-4a8e-b493-f3c1f5bdc9ac", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.513484Z", - "modified": "2021-02-10T06:49:35.513484Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9fb8ebbb-efc5-4f9c-8059-dca2a21412fd", - "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", + "created": "2021-02-10T06:49:31.990485Z", + "modified": "2022-09-08T18:26:13.387325Z", + "name": "Twofish::Decrypt Data", + "description": "Malware decrypts data encrypted with the Twofish algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.014" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--038bff96-2d64-4bd9-abde-f5c5e1260782", + "id": "attack-pattern--e0563aa9-70e1-41b8-ae78-0434ece93e36", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.641721Z", - "modified": "2021-02-10T06:49:35.641721Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--85809708-79ee-4bff-824e-471b7bbd30a9", - "target_ref": "attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436", + "created": "2020-08-21T20:49:59.805261Z", + "modified": 
"2022-09-08T18:26:13.378861Z", + "name": "Resolve::DNS Communication", + "description": "Resolves a domain.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", + "external_id": "C0011.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--03f09bec-9d2d-4219-8b1f-d81b8e136ed5", + "id": "attack-pattern--c8d17860-f4e4-4403-a28b-02c784a3ca70", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.708629Z", - "modified": "2021-02-10T06:49:35.708629Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e72b1f9b-69a5-44fa-8de6-fa7d4ccc726c", - "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", + "created": "2020-08-21T20:49:59.557264Z", + "modified": "2022-09-08T18:26:13.192535Z", + "name": "Import Address Table Obfuscation", + "description": "Obfuscate the import address table.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.011" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--040473ba-ea4c-4f70-9afa-61750d1d6d87", + "id": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.610253Z", - "modified": "2020-08-21T20:50:04.610253Z", - "relationship_type": "uses", - "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", - "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", + "created": "2020-08-21T20:49:59.92426Z", + "modified": "2022-09-08T18:26:13.251314Z", + "name": "Registry Run Keys / Startup Folder", + "description": "Malware may add an entry to the Windows Registry run keys or startup folder to enable persistence.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/registry-run-keys-startup-folder.md", + "external_id": "F0012" + }, + { + "source_name": "external_source", + "url": "https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.secureworks.com/research/cryptolocker-ransomware" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/" + }, + { + "source_name": "external_source", + "url": 
"https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" + }, + { + "source_name": "external_source", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + }, + { + "source_name": "external_source", + "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/WORM_BAGLE.U/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--04e8a51b-a35b-4418-95e1-1aaea4b06e69", + "id": "attack-pattern--8fb51611-3f2a-42e3-9af0-fd8eda882cf8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.531443Z", - "modified": "2021-02-10T06:49:35.531443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1506d910-1208-4064-a633-8291f6d36e74", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2020-08-21T20:49:59.513264Z", + "modified": "2022-09-08T18:26:13.306605Z", + "name": "Nanomites", + "description": "int3 with code replacement table; debugs itself.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.015" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--05ebcbe4-c162-4160-ba6c-0651b1950fb5", + "id": "attack-pattern--b729ab37-a73c-4d87-a72b-4123385a2581", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.89883Z", - "modified": "2022-02-04T23:52:40.89883Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--17e05846-68f4-4f0c-bc23-88e01515bfcf", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.608264Z", + "modified": "2022-09-08T18:26:13.230651Z", + "name": "Send System Information", + "description": "Implant sends system information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.006" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--06550a91-434c-466e-aef6-c41e08d5f9a9", + "id": "attack-pattern--5280b393-729d-43d5-b9e7-81da3d31b450", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.467445Z", - "modified": "2021-02-10T06:49:35.467445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--be9f9f28-01bb-4b94-b973-14f06a71c968", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.682261Z", + "modified": "2022-02-05T00:37:22.648018Z", + "name": "Call 
Indirections", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/polymorphic-code.md", + "external_id": "B0029.002" + }, + { + "source_name": "external_source", + "url": "https://www.mccormick.northwestern.edu/eecs/documents/tech-reports/2010-2014/evaluating-android-anti-malware-against-transformation-attacks.pdf" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--06bd4ba6-d0ca-4c1d-b879-92d6151dbfb0", + "id": "attack-pattern--c484a07a-2c0e-4141-bfd0-161a38812c64", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.608257Z", - "modified": "2020-08-21T20:50:04.608257Z", - "relationship_type": "uses", - "source_ref": "malware--30666a55-e3de-40ff-a680-8bca9c163cb0", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2020-08-21T20:49:59.75826Z", + "modified": "2022-09-08T18:26:13.271823Z", + "name": "Encoding - Standard Encoding", + "description": "Data is encoded. 
A standard algorithm, such as base64 encoding, is used to encode the exfiltrated data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", + "external_id": "E1560.m03" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--07235f37-4424-4d68-a0f9-f2ae7df3fbd9", + "id": "attack-pattern--79e12011-d4af-449f-b2da-6b4227564808", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.659443Z", - "modified": "2021-02-10T06:49:35.659443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--cfa8658b-c504-41eb-9886-05de4962319c", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.466263Z", + "modified": "2022-09-08T18:26:13.316488Z", + "name": "OutputDebugString", + "description": "(GetLastError); The OutputDebugString function will demonstrate different behavior depending whether or not a debugger is present. 
See for details.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.016" + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--072fb602-b48c-4e95-9ed8-e836c6e89336", + "id": "attack-pattern--8b39b092-d827-4e58-9b67-a9b9e8c6f297", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.644023Z", - "modified": "2021-02-10T06:49:35.644023Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b", - "target_ref": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b", + "created": "2020-08-21T20:49:59.465264Z", + "modified": "2022-09-08T18:26:13.315584Z", + "name": "NtQueryObject", + "description": "The ObjectTypeInformation and ObjectAllTypesInformation flags are checked for debugger detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.013" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--07642f24-b50f-44ff-8b66-7c1032543d6d", + "id": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.562442Z", - "modified": "2021-02-10T06:49:35.562442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--963d7b96-04f2-4c34-82ae-64bc6d5d37dc", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2020-08-21T20:49:59.844259Z", + "modified": "2022-02-05T00:37:22.757347Z", + "name": "WinINet", + "description": "The Windows Internet (WinINet) application programming interface (API) is used by malware to interact with FTP and HTTP protocols to access Internet resources.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", + "external_id": "C0005" + }, + { + "source_name": "external_source", + "url": "https://docs.microsoft.com/en-us/windows/win32/wininet/wininet-functions" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--07c21597-9ec5-4667-8ed3-a31e0de953bb", + "id": "attack-pattern--8b1810b0-5885-47ec-963b-b3fecbe1825a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.50848Z", - "modified": "2021-02-10T06:49:35.50848Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3c0f36be-c4c0-4769-9be4-50682bc6a467", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2021-02-10T06:49:31.996445Z", + "modified": "2022-09-08T18:26:13.396526Z", + "name": "RC4 PRGA::Generate 
Pseudo-random Sequence", + "description": "Malware generates a pseudo-random sequence using the RC4 Pseudo Random (Byte) Generation Algorithm (PRGA).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md", + "external_id": "C0021.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--083ec365-6341-4068-8981-9d41d33be578", + "id": "attack-pattern--d5e09700-cfae-43b7-831e-958a4e64251b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.570481Z", - "modified": "2021-02-10T06:49:35.570481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--245f1add-7e00-4b25-9f57-a88febbd9359", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", + "created": "2020-08-21T20:49:59.513264Z", + "modified": "2022-09-08T18:26:13.306358Z", + "name": "Modify PE Header", + "description": "Any part of the header is changed or erased.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.014" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0846c933-f893-4bb8-a5e0-fc2e7c40d69d", + "id": 
"attack-pattern--66f0b43c-19fd-40b8-ae4f-de356df77371", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.914452Z", - "modified": "2022-02-04T23:52:40.914452Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a438adb9-e8d8-40da-8fb3-0500b0c812f5", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "created": "2021-02-10T06:49:31.994484Z", + "modified": "2022-09-08T18:26:13.391868Z", + "name": "Sosemanuk::Encrypt Data", + "description": "Malware encrypts with the Sosemanuk stream cipher.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.008" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--08ddf2f3-b656-4731-8ef1-514e0c2209e3", + "id": "attack-pattern--1057fe1c-c844-4de3-b72d-05313572a36c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.604253Z", - "modified": "2020-08-21T20:50:04.604253Z", - "relationship_type": "uses", - "description": "An MBR bootkit and a BIOS bootkit targeting Award BIOS.", - "source_ref": "malware--cb022b7d-775c-4db8-ab25-3add7e215d54", - "target_ref": "attack-pattern--4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a", + "created": "2021-02-10T06:49:31.992483Z", + "modified": "2022-09-08T18:26:13.388434Z", + "name": "Block Cipher::Encrypt Data", + "description": "Malware encrypts with a block cipher.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.014" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--08f35fa3-0327-4b97-929a-cfa4cce3a4ca", + "id": "attack-pattern--aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.498442Z", - "modified": "2021-02-10T06:49:35.498442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f0df8409-6168-481b-97a9-eb15c77c1317", - "target_ref": "attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc", - "object_marking_refs": [ + "created": "2020-08-21T20:49:59.65626Z", + "modified": "2022-09-08T18:26:13.428514Z", + "name": "Disable Kernel Patch Protection", + "description": "Bypasses or disables kernel patch protection mechanisms such as Windows' PatchGuard, enabling the malware instance to operate at the same level as the operating system kernel and kernel mode drivers (KMD).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", + "external_id": "F0004.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--092ccd5c-5107-4ab0-b58d-108f5dc3f04a", + "id": "attack-pattern--1adddaa3-6164-4adf-b910-6b8a78fb3111", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2021-02-10T06:49:35.463442Z", - "modified": "2021-02-10T06:49:35.463442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--85da3a4e-287a-45b9-91d2-019b59af07e3", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.811259Z", + "modified": "2022-09-08T18:26:13.362735Z", + "name": "Client::HTTP Communication", + "description": "General HTTP client behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--094b167c-34e7-45cb-8514-a77b0d664dfe", + "id": "attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.501442Z", - "modified": "2021-02-10T06:49:35.501442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5eef016e-6366-41e1-a33d-d85727dd5d65", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.590269Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Cryptocurrency", + "description": "Malware accesses files that contain sensitive data or credentials related to Bitcoin and other cryptocurrency wallets.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/cryptocurrency.md", + "external_id": "B0028" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0adcf50a-9193-4bb2-9e53-437050adb7f8", + "id": "attack-pattern--1212c336-4105-477e-9e3a-0789790a3941", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.493443Z", - "modified": "2021-02-10T06:49:35.493443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8bf7607c-b292-40e6-9372-8624fc971a66", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.559264Z", + "modified": "2022-09-08T18:26:13.193374Z", + "name": "Interleaving Code", + "description": "Split code into sections that may be rearranged and are connected by unconditional jumps.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.014" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0aebf062-cb5d-4c24-9275-16bc1270ad26", + "id": "attack-pattern--a67c8a5d-cce9-4892-9338-9fec55e45419", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.644474Z", - "modified": "2021-02-10T06:49:35.644474Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622", - "target_ref": 
"attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b", + "created": "2020-08-21T20:49:59.491263Z", + "modified": "2022-09-08T18:26:13.283798Z", + "name": "Check Software", + "description": "Malware may check software version; for example, to determine whether the software is relatively current.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.007" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0bf1731d-6b65-4367-abd3-5739d66816f1", + "id": "attack-pattern--f1e8e35a-e893-403a-b34c-1b5d54945764", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:41.041094Z", - "modified": "2022-02-04T23:52:41.041094Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--42a50e42-61c1-4eb0-a7a2-f7f278feb391", - "target_ref": "attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1", + "created": "2020-08-21T20:49:59.716259Z", + "modified": "2022-09-08T18:26:13.213065Z", + "name": "Generate Windows Exception", + "description": "Malware may trigger an exception as a way of gathering system details.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/system-information-discovery.md", + "external_id": "E1082.m01" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + 
"type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0bfa0cee-9802-4e76-baf0-03b903d0e28b", + "id": "attack-pattern--b40aba49-57d9-4a99-a29e-2629e35991c9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.542445Z", - "modified": "2021-02-10T06:49:35.542445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--168ed95b-0c10-42c4-9f0a-c1c462b39f6c", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2020-08-21T20:49:59.510265Z", + "modified": "2022-09-08T18:26:13.303866Z", + "name": "Change SizeOfImage", + "description": "Changing this value during run time can prevent some debuggers from attaching. Also confuses some unpackers and dumpers.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0c1016cb-bb35-448a-9b36-4ee17488dc8b", + "id": "attack-pattern--b063a520-75fb-41bc-afd7-bf13a8118dc5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.632968Z", - "modified": "2021-02-10T06:49:35.632968Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1adddaa3-6164-4adf-b910-6b8a78fb3111", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2022-09-08T18:26:13.208642Z", + "modified": "2022-09-08T18:26:13.208642Z", + "name": "Filter by Extension", + "description": "Malware may filter by extension (common in ransomware).", + 
"kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/file-and-directory-discovery.md", + "external_id": "E1083.m02" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0c5b75e3-70a1-4039-86b3-c8144f2ec4eb", + "id": "attack-pattern--112d8251-af9c-404d-b3f6-44bd15c42a5d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.546456Z", - "modified": "2021-02-10T06:49:35.546456Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--373bb770-4890-4e13-a0d6-94459bed37aa", - "target_ref": "attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9", + "created": "2020-08-21T20:49:59.816261Z", + "modified": "2022-09-08T18:26:13.362409Z", + "name": "Server::HTTP Communication", + "description": "General HTTP server behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0cdce228-b8b8-432d-b689-8078cc888a33", + "id": "attack-pattern--c44b1c58-8da1-4ebe-a427-a9f2821e7a85", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.500442Z", - "modified": "2021-02-10T06:49:35.500442Z", - 
"relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2022-02-04T23:52:35.845581Z", + "modified": "2022-09-08T18:26:13.403617Z", + "name": "Bootloader", + "description": "A bootloader rootkit modifies the bootloader, enabling activation before the operating system is started. Also known as a Bootkit. See ATT&CK: [Bootkit](https://attack.mitre.org/techniques/T1542/003/).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--0df3ad4f-fdff-4373-971c-5d818a0f83fb", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.589482Z", - "modified": "2021-02-10T06:49:35.589482Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--bb0c753c-31a4-48b9-9548-47a29cce149a", - "target_ref": "attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md", + "external_id": "E1014.m13" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0e610bb6-bab9-4bf5-a300-cac9b12782e1", + "id": "attack-pattern--e85ffef6-8593-4bff-a6f0-d54b2e64fc70", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.548449Z", - "modified": "2021-02-10T06:49:35.548449Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--fecc2029-1268-4e13-b4b7-2b9f00c84972", - "target_ref": 
"attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2020-08-21T20:49:59.463305Z", + "modified": "2022-09-08T18:26:13.314478Z", + "name": "Memory Breakpoints", + "description": "(PAGE_GUARD); Guard pages trigger an exception the first time they are accessed and can be used to detect a debugger. See for details.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.009" + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0edfde5c-625a-485b-875d-c5c3027aa22c", + "id": "attack-pattern--69df421d-b8ea-49d2-9bd2-9df44aa3ced6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.627444Z", - "modified": "2021-02-10T06:49:35.627444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--06c3d5c7-d4bf-4b28-8385-e169ba81e744", - "target_ref": "attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8", + "created": "2021-02-10T06:49:32.030527Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Delete Registry Key::Registry", + "description": "Malware deletes a registry key.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "operating-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", + "external_id": "C0036.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--0f5c1e90-c9d6-4503-8180-21380d6aa4f4", + "id": "attack-pattern--cb1c9047-e589-4aed-b5d5-c6062a1ab340", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.483443Z", - "modified": "2021-02-10T06:49:35.483443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--90bb4fe0-057f-40b0-8fba-37005e7f6524", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.801263Z", + "modified": "2022-02-05T00:37:22.726134Z", + "name": "Abuse Enterprise Certificates", + "description": "Abusing enterprise certificates enables malware to exploit private APIs and infect a wide range of users (see *Exploit Private APIs* below).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/lateral-movement/supply-chain-compromise.md", + "external_id": "E1195.m01" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--101b237e-e613-4c1c-a14e-5f6e023962ea", + "id": "attack-pattern--f5f683c9-7cc4-41b9-a607-16e3c09461f4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.609253Z", - "modified": "2020-08-21T20:50:04.609253Z", - "relationship_type": "uses", - "description": "Modification of the router's firmware image that can be used to maintain persistence within a victim's network.", - 
"source_ref": "malware--6875c768-4212-474d-85dc-1e89c62e9a65", - "target_ref": "attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c", + "created": "2021-02-10T06:49:31.923443Z", + "modified": "2022-09-08T18:26:13.408178Z", + "name": "Encryption of Data", + "description": "A file's data is encrypted, but not necessarily the file's code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", + "external_id": "E1027.m07" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--10a17f9c-c8fa-4fa9-a87f-1c80d0f8f5ff", + "id": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.484529Z", - "modified": "2021-02-10T06:49:35.484529Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1b5c05fd-3785-4710-8ee2-efadad6ef437", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.77826Z", + "modified": "2022-09-08T18:26:13.270562Z", + "name": "Data Encrypted for Impact", + "description": "Malware may encrypt files stored on the system to prevent user access until a ransom is paid and/or to interrupt system availability. 
The encryption process usually iterates over all letter drives in the system (except for CD drives) and then recursively encrypts all files with specific suffixes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-encrypted-for-impact.md", + "external_id": "E1486" + }, + { + "source_name": "external_source", + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/" + }, + { + "source_name": "external_source", + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--10d783c3-6935-4e70-82b4-064bd6c7684b", + "id": "attack-pattern--fb6ca685-805a-467b-8f10-460f41360731", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.695455Z", - "modified": "2021-02-10T06:49:35.695455Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--91859e1a-022e-420a-bc00-af0546d891cb", - "target_ref": "attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a", + "created": "2021-02-10T06:49:32.01448Z", + "modified": "2022-09-08T18:26:13.345199Z", + "name": "Delete Directory", + "description": "Malware deletes a directory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/delete-directory.md", + "external_id": "C0048" + 
} + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1257776e-5303-4cdb-98c4-f2041eacb3ee", + "id": "attack-pattern--fe39ee83-4f97-4989-b1f4-11a95d36b9d2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.700442Z", - "modified": "2021-02-10T06:49:35.700442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--31c2f227-2583-4f36-a24f-0f2610f1e055", - "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", + "created": "2020-08-21T20:49:59.475261Z", + "modified": "2022-09-08T18:26:13.321386Z", + "name": "Timing/Delay Check QueryPerformanceCounter", + "description": "Malware uses QueryPerformanceCounter in a timing/delay check.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.033" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--12ee152d-79a5-4e77-93c1-56fa9edac2d4", + "id": "attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.612443Z", - "modified": "2021-02-10T06:49:35.612443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ae865c4b-d90b-46be-aae6-6fbe897b76d9", - "target_ref": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", + "created": "2022-02-04T23:52:35.67367Z", + "modified": "2022-09-08T18:26:13.318985Z", + "name": "RtlAdjustPrivilege", + "description": "Malware may call RtlAdjustPrivilege 
to detect if a debugger is attached (or to prevent a debugger from attaching).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.022" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--13de7558-6a22-43ec-ab37-1c914ff46320", + "id": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.68425Z", - "modified": "2021-02-10T06:49:35.68425Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a6c50b34-3247-4e39-91d5-75f4fb97a9f9", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", + "created": "2020-08-21T20:49:59.504264Z", + "modified": "2022-09-08T18:26:13.29353Z", + "name": "Virtual Machine Detection", + "description": "Detects whether the malware instance is being executed in a virtual machine (VM), such as VMWare. 
If so, conditional execution selects a benign execution path.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + }, + { + "source_name": "external_source", + "url": "https://www.hackread.com/gravityrat-malware-evades-detection-targets-india/" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "external_source", + "url": "https://github.com/LordNoteworthy/al-khaser" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" + }, + { + "source_name": "external_source", + "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--14265425-d70b-44a4-bf07-dfaa7d460b3c", + "id": "attack-pattern--2ed5189e-8701-45ab-b222-b4b23f2bbb0e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.50848Z", - "modified": "2021-02-10T06:49:35.50848Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8fcb44c9-dec3-4358-bf3d-35b4174f7d2b", - "target_ref": 
"attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.85726Z", + "modified": "2022-02-05T00:37:22.788643Z", + "name": "Use Constant", + "description": "Malware may manipulate or use a constant value, for example as part of a larger string used by some function.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/use-constant.md", + "external_id": "C0020" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--14bb7996-f709-47a8-b56f-284e80a05814", + "id": "attack-pattern--f60a86ef-7e8a-4a7b-91fa-64a4c137068c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.611257Z", - "modified": "2020-08-21T20:50:04.611257Z", - "relationship_type": "uses", - "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", - "target_ref": "attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4", + "created": "2020-08-21T20:49:59.844259Z", + "modified": "2022-02-05T00:37:22.757347Z", + "name": "InternetWriteFile::WinINet", + "description": "Writes data to an open Internet file.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", + "external_id": "C0005.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--14e22077-05d7-49c6-a6ee-868c7ee5698d", + "id": "attack-pattern--6f73f473-5fb0-4777-a951-6de90d9ea01f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.602253Z", - "modified": "2020-08-21T20:50:04.602253Z", - "relationship_type": "uses", - "description": "Uses API Hashing Method.", - "source_ref": "malware--92f9ba45-2fb3-4d97-9865-eda477e7b779", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2022-09-08T18:26:13.257558Z", + "modified": "2022-09-08T18:26:13.257558Z", + "name": "Advertisement Replacement Fraud", + "description": "Malware injects ad windows onto websites the user views.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/generate-traffic-from-victim.md", + "external_id": "E1643.m02" + }, + { + "source_name": "external_source", + "url": "https://www.fipp.com/news/insightnews/what-are-the-nine-types-of-digital-ad-fraud" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1549dbad-5b3b-4701-b762-6e83daff0d13", + "id": "attack-pattern--10bee884-590b-45f4-8577-5cbe6d6efa1a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.609253Z", - "modified": "2020-08-21T20:50:04.609253Z", - "relationship_type": "uses", - "description": "Sets \"2019\" as Windows' startup folder by modifying a registry value.", - "source_ref": "malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce", - "target_ref": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6", + "created": "2021-02-10T06:49:31.916486Z", + "modified": "2022-09-08T18:26:13.430344Z", + "name": "Bypass 
Windows File Protection", + "description": "Malware bypasses Windows file protection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", + "external_id": "F0004.007" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--168fef73-7235-4bdb-a038-94b8c4ec1dfb", + "id": "attack-pattern--db58e527-5e81-489f-b05a-537ea9b6bae9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.610253Z", - "modified": "2020-08-21T20:50:04.610253Z", - "relationship_type": "uses", - "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", - "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263", + "created": "2020-08-21T20:49:59.498264Z", + "modified": "2022-09-08T18:26:13.287721Z", + "name": "Instruction Testing - SIDT (red pill)", + "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest's IDTR to avoid conflict with the host's IDTR. 
Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.030" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--16ca026b-74af-4633-b139-5e82124b4315", + "id": "attack-pattern--24d2552e-d0ee-4ab5-8e75-743b233379e1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.464445Z", - "modified": "2021-02-10T06:49:35.464445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4ca9173b-10b3-4a35-8507-f6b34fa4fc23", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.530265Z", + "modified": "2022-09-08T18:26:13.301599Z", + "name": "Extra Loops/Time Locks", + "description": "Add extra loops to make time-constraint emulators give up.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md", + "external_id": "B0005.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": 
"2.1", - "id": "relationship--17a27085-ee15-47d8-b2c5-5f7ea721b6af", + "id": "attack-pattern--f50e1610-ac57-4256-85b8-4f16db37b184", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.500442Z", - "modified": "2021-02-10T06:49:35.500442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b40aba49-57d9-4a99-a29e-2629e35991c9", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.73626Z", + "modified": "2022-02-05T00:37:22.804261Z", + "name": "Delete File", + "description": "Malware deletes a file.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/delete-file.md", + "external_id": "C0047" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--17d45a89-9ebf-4a5b-8dc8-1e6e6e3e6089", + "id": "attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.603292Z", - "modified": "2020-08-21T20:50:04.603292Z", - "relationship_type": "uses", - "description": "Intercepts data coming into and going out of device.", - "source_ref": "malware--508cadaa-4fd5-4105-803e-8944e388ee45", - "target_ref": "attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556", + "created": "2022-09-08T18:26:13.423869Z", + "modified": "2022-09-08T18:26:13.423869Z", + "name": "Install Insecure or Malicious Configuration", + "description": "Malware may install malicious configuration settings or may modify existing configuration settings. 
For example, malware may change configuration settings associated with security mechanisms to make it difficult to detect or change configuration settings to maintain a foothold on the network.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/install-insecure-or-malicious-configuration.md", + "external_id": "B0047" + }, + { + "source_name": "external_source", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--19242b55-3844-41b4-857a-16cc60710375", + "id": "attack-pattern--e97aa9eb-a7d6-4c4a-810f-140f1dda08ca", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.503442Z", - "modified": "2021-02-10T06:49:35.503442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1d9b88e8-2bab-44ac-b1ae-26faf8f07f48", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", - "object_marking_refs": [ + "created": "2020-08-21T20:49:59.463305Z", + "modified": "2022-09-08T18:26:13.314773Z", + "name": "Memory Write Watching", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.010" + }, + { + 
"source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1980f0f7-5535-4b70-891c-ba65bf51c3c9", + "id": "attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.48848Z", - "modified": "2021-02-10T06:49:35.48848Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--2c90706d-0b4a-45e1-b9f0-0292ebb69edf", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.878261Z", + "modified": "2022-09-08T18:26:13.339979Z", + "name": "Change Memory Protection", + "description": "Malware may change memory protection. For example, read-write memory may be changed to read-execute. 
Changing memory protection may exploits (e.g., bypass Data Execution Prevention).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "memory-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/change-memory-protection.md", + "external_id": "C0008" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/synful-knock-acis" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--19b5c040-4305-428a-93fa-c7fa7aa03582", + "id": "attack-pattern--f1e778ba-e457-445f-888f-a3ee4e5dbeef", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.633444Z", - "modified": "2021-02-10T06:49:35.633444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5f35c276-1599-47f2-b4df-468ccfa1e08b", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2020-08-21T20:49:59.711263Z", + "modified": "2022-09-08T18:26:13.212069Z", + "name": "Self Discovery", + "description": "Malware may gather information about itself, such as its filename or size on disk.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/self-discovery.md", + "external_id": "B0038" + } + ], + "x_mitre_is_subtechnique": false }, { 
- "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--19bca99f-27c8-44ea-b49f-496a72ab87d1", + "id": "attack-pattern--d4b96b74-7cf9-46c2-8c09-ea8fd124b15a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.561442Z", - "modified": "2021-02-10T06:49:35.561442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--46d77a13-9d20-4c9c-9846-cf6f298f6836", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2020-08-21T20:49:59.849262Z", + "modified": "2022-09-08T18:26:13.395976Z", + "name": "Use API::Generate Pseudo-random Sequence", + "description": "Malware generates a pseudo-random sequence using a Windows API.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md", + "external_id": "C0021.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--19fbd4ce-7993-4163-996d-2d0678e6fc30", + "id": "attack-pattern--31c2f227-2583-4f36-a24f-0f2610f1e055", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.465445Z", - "modified": "2021-02-10T06:49:35.465445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--574e1bad-081e-43d5-a6e5-665cdc815b8d", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2021-02-10T06:49:32.007478Z", + "modified": "2022-09-08T18:26:13.337492Z", + "name": "Fast-Hash::Non-Cryptographic Hash", + "description": "Malware uses the Fast-Hash hash function.", + 
"kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md", + "external_id": "C0030.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1a2f02aa-1fd6-45a7-b189-40ce1956f93c", + "id": "attack-pattern--71d88456-13b6-48de-b779-e6ff71aa3b5e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.615528Z", - "modified": "2021-02-10T06:49:35.615528Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--be6d8982-3619-4f2f-b5c7-64d9e934ac43", - "target_ref": "attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a", + "created": "2020-08-21T20:49:59.538265Z", + "modified": "2022-09-08T18:26:13.276528Z", + "name": "SizeOfImage", + "description": "Set the SizeOfImage field of PEB.LoaderData to be huge.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1b5e37fc-70fa-4307-b151-92bc978ef97c", + "id": "attack-pattern--489d6e43-968b-432d-b89b-e9e4f974423b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.516445Z", - "modified": 
"2021-02-10T06:49:35.516445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--35d551ab-014b-4fab-8ba8-b91fb42a3985", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "created": "2020-08-21T20:49:59.727262Z", + "modified": "2022-09-08T18:26:13.241251Z", + "name": "Remote Desktop Protocols (RDP)", + "description": "RDP is used by malware.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md", + "external_id": "E1203.m01" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1b8740ef-e989-4499-96e1-9a859e049e36", + "id": "attack-pattern--80ee5a98-6e25-4cb6-a6d2-3321855e14e2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.574482Z", - "modified": "2021-02-10T06:49:35.574482Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--eab3d576-e947-486b-857c-ffa680b30050", - "target_ref": "attack-pattern--dd5c1c28-0fa4-4c34-8008-7a2fba8a4a25", + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-02-05T00:37:22.632387Z", + "name": "Hidden Processes", + "description": "Hides processes used by the adversary or malware instance. 
This can involve techniques such as process list unlinking.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md", + "external_id": "E1564.m03" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1c79627d-1601-45b1-9ff4-6667bc888fae", + "id": "attack-pattern--acddeb41-5339-4148-8a12-04b9ca687086", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.462442Z", - "modified": "2021-02-10T06:49:35.462442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--0aeb39aa-febf-463e-97e0-546f558daed6", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.608264Z", + "modified": "2022-09-08T18:26:13.230896Z", + "name": "Server to Client File Transfer", + "description": "File is transferred from controller to implant.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1cc24541-f26d-49e9-82fc-5d662a764e54", + "id": "attack-pattern--8b3b15fa-f369-47b2-9e6d-b30094a799b8", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.511492Z", - "modified": "2021-02-10T06:49:35.511492Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d61dcb50-dcf8-408d-96e2-f3cd75f93be0", - "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", + "created": "2022-09-08T18:26:13.232941Z", + "modified": "2022-09-08T18:26:13.232941Z", + "name": "Ingress Tool Transfer", + "description": "Malware may copy files from an external system to a system on a compromised network.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/ingress-tool-transfer.md", + "external_id": "E1105" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "https://www.secureworks.com/research/cryptolocker-ransomware" + }, + { + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1dc1a459-f855-473c-b647-c891d5ab7136", + "id": 
"attack-pattern--013fce9b-0645-41a4-b6ec-03a70b319715", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.642443Z", - "modified": "2021-02-10T06:49:35.642443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1afb242c-883b-40c2-8a37-fc5064dd7d2b", - "target_ref": "attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436", + "created": "2020-08-21T20:49:59.864259Z", + "modified": "2022-02-05T00:37:22.788643Z", + "name": "Create Office Document::Create File", + "description": "An Office document is created.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/create-file.md", + "external_id": "C0016.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1e2386a3-d4f2-45e8-ace5-98a4e8f8d89a", + "id": "attack-pattern--bf339932-e456-44db-a711-b2d3482d9065", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.604442Z", - "modified": "2021-02-10T06:49:35.604442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--c484a07a-2c0e-4141-bfd0-161a38812c64", - "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", + "created": "2021-02-10T06:49:31.996445Z", + "modified": "2022-09-08T18:26:13.396775Z", + "name": "Mersenne Twister::Generate Pseudo-random Sequence", + "description": "Malware generates a pseudo-random sequence using the Mersenne Twister PRNG.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md", + "external_id": "C0021.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1e5372be-ad5f-408d-89b7-d8ed2aede14d", + "id": "attack-pattern--56e26c80-e09f-4a51-8947-3c5a07dd3bf9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.701491Z", - "modified": "2021-02-10T06:49:35.701491Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--bf25a194-496a-4db2-801b-f2c5d3f951b5", - "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", + "created": "2020-08-21T20:49:59.72626Z", + "modified": "2022-09-08T18:26:13.240648Z", + "name": "Java-based Web Servers", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md", + "external_id": "E1203.m02" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1e9bb45f-e46b-452e-9c18-61c3c80ec1e0", + "id": "attack-pattern--84157800-81cd-4b3a-abb0-5f7ada18a28f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.509442Z", - "modified": "2021-02-10T06:49:35.509442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--af706b89-56dd-4b02-81e6-eb64fe57c2e6", - 
"target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.474262Z", + "modified": "2022-09-08T18:26:13.320572Z", + "name": "TLS Callbacks", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.029" + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1f4f28ea-bced-46d1-bc3f-2b98afe71576", + "id": "attack-pattern--80d3bfbb-e88b-4396-9233-9fc88096a938", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.510443Z", - "modified": "2021-02-10T06:49:35.510443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3f907716-eb0f-4fd6-8db6-46f6932ab585", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2021-02-10T06:49:31.974485Z", + "modified": "2022-09-08T18:26:13.366303Z", + "name": "Read Header::HTTP Communication", + "description": "HTTP read header.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.014" + } + ], + 
"x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--1fe09442-6d77-4094-86f7-e23f9d898791", + "id": "attack-pattern--75109dae-5db7-4582-be8b-edcea907659d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.666446Z", - "modified": "2021-02-10T06:49:35.666446Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--010c8801-3ad4-479b-8c56-c29e108121c9", - "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", + "created": "2020-08-21T20:49:59.522264Z", + "modified": "2022-09-08T18:26:13.326984Z", + "name": "Drop Code", + "description": "Original file is written to disk then executed. May confuse some sandboxes, especially if the dropped executable must be provided specific arguments and the original dropper is not associated with the drop file(s).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--20b13fc8-e827-4438-8271-71a5f1e965c3", + "id": "attack-pattern--c2c8a6d7-c5be-40c2-98ae-96640b2048af", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.476444Z", - "modified": "2021-02-10T06:49:35.476444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--69d4e839-b6ce-4299-b242-83192d6b62c2", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2021-02-10T06:49:31.964486Z", + "modified": 
"2022-02-05T00:37:22.71051Z", + "name": "CDROM", + "description": "The CD-ROM is modified.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/modify-hardware.md", + "external_id": "B0042.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--20cb96ec-81d9-4f79-bc94-5cf1074a5144", + "id": "attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.914452Z", - "modified": "2022-02-04T23:52:40.914452Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--bb61fa8d-d4d6-492b-9885-17b320bddf36", - "target_ref": "attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--20fda836-e720-4ac1-9864-0192cd8fad3d", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.573481Z", - "modified": "2021-02-10T06:49:35.573481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--146be7e5-feeb-4dd2-8283-796b29394ac1", - "target_ref": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--217e7f76-04aa-4f8e-8fc2-273c2631dee3", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.667444Z", - "modified": "2021-02-10T06:49:35.667444Z", - 
"relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b62ec15e-4b56-482f-9721-72733c520d1b", - "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--21e79dff-bedc-4d95-902e-49a933b1b2da", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.507477Z", - "modified": "2021-02-10T06:49:35.507477Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e35d4dd6-591c-4f6d-b182-16adc70ce74f", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2245504c-9398-4e7e-86c9-ed407c029308", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.562442Z", - "modified": "2021-02-10T06:49:35.562442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--04e25839-3207-4600-8972-618aa7cf44af", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--228bc713-19f0-4546-b0b3-b684c42254c3", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.571485Z", - "modified": "2021-02-10T06:49:35.571485Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--c863faee-3dcc-4fc0-9d16-9d0b7e75051c", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - 
"spec_version": "2.1", - "id": "relationship--22ac23f2-a367-41e2-a1c2-29828cdcb864", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.468521Z", - "modified": "2021-02-10T06:49:35.468521Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--dcfb5c52-a6e0-4c64-a937-91d730cd7a5b", - "target_ref": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--234e3d9c-b4f3-494c-987a-c70e725522c4", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.605287Z", - "modified": "2020-08-21T20:50:04.605287Z", - "relationship_type": "uses", - "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", - "target_ref": "attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--241f08dc-6295-4679-91de-c94cff8fa0a3", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.630062Z", - "modified": "2021-02-10T06:49:35.630062Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f30b55fa-0ddf-49d9-884b-8cdb9e567758", - "target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--243dea78-6022-4436-a953-b07912907883", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.48648Z", - "modified": "2021-02-10T06:49:35.48648Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--a9364e83-2893-4989-b01a-e74ea9ced03a", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2498808a-e193-4149-a3ea-1298d76fb2af", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.453445Z", - "modified": "2021-02-10T06:49:35.453445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--bc6ed4f1-4e73-477a-b05c-a49a3dd52642", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--24be0b76-7963-49e6-857a-ac06ad5bc4e4", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.47449Z", - "modified": "2021-02-10T06:49:35.47449Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--7c01a0a6-5081-4609-9546-120f0652f1d4", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--24dbed05-124f-49f5-998b-fb2bda1c4a15", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.592482Z", - "modified": "2021-02-10T06:49:35.592482Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--489d6e43-968b-432d-b89b-e9e4f974423b", - "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": 
"relationship--24e7319f-bb69-47a7-b333-4f0859b76521", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.500442Z", - "modified": "2021-02-10T06:49:35.500442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d7c408e8-d813-46aa-8267-a76f8d53ec35", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--24f8940b-c901-4629-8c66-228b95f7f57a", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.549487Z", - "modified": "2021-02-10T06:49:35.549487Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e22860a9-1026-46ee-a75e-feedc26196d5", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--25804a0b-df29-4056-aff8-f04d3eb71745", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.97859Z", - "modified": "2022-02-04T23:52:40.97859Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--21399f14-f429-48f6-be04-d971783ba531", - "target_ref": "attack-pattern--1a89f398-f3ef-484a-8735-024823241a11", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2593056e-06be-46de-b8c3-6c05773ecc2c", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.680442Z", - "modified": "2021-02-10T06:49:35.680442Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--1057fe1c-c844-4de3-b72d-05313572a36c", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--25b6629b-5e98-4f16-ac49-69fd757b62dc", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.568481Z", - "modified": "2021-02-10T06:49:35.568481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4e6169c5-7791-4c39-b6c9-d79628a85448", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--272e945b-6d94-4755-83dd-df035dd5a7ef", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.608257Z", - "modified": "2020-08-21T20:50:04.608257Z", - "relationship_type": "uses", - "description": "A 2018 variant includes a component that erases files and then wipes the master boot record, preventing file recovery.", - "source_ref": "malware--d36b0186-1e10-4dd8-a1df-076e9a692c57", - "target_ref": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2759c5db-58e0-4756-ad34-e44d9c3a4140", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d71d433d-6815-4cca-940c-b21b05ab9a47", - "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--27f65cb2-f647-4914-af5f-949ddd8ed52a", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.600252Z", - "modified": "2020-08-21T20:50:04.600252Z", - "relationship_type": "uses", - "description": "Allows an attacker to control the system via a GUI.", - "source_ref": "malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52", - "target_ref": "attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--28278415-71d3-4be9-a5fe-28d54a976475", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.556484Z", - "modified": "2021-02-10T06:49:35.556484Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--28c6f55a-126f-436b-ab2e-af77f91d0cec", - "target_ref": "attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--292a4fcc-2932-48f2-a1e6-62584547c6e7", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.601289Z", - "modified": "2020-08-21T20:50:04.601289Z", - "relationship_type": "uses", - "description": "Checks system temperature by recording thermal readings for detecting VMs. 
Heat levels indicate whether the system is a VM.", - "source_ref": "malware--e616d9d2-36b4-4510-84ad-66f19442fe3e", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--298fa055-8bd0-4067-8951-58fe0f23312c", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.689736Z", - "modified": "2021-02-10T06:49:35.689736Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4f786f90-7679-427a-932b-2d212faffa37", - "target_ref": "attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2a1b69f7-bdb3-4523-b9f7-f0de2497501e", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ca32295b-c968-4099-a010-e8758c066be6", - "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2b019698-7439-411a-a014-6d213ab076ce", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.464445Z", - "modified": "2021-02-10T06:49:35.464445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--84157800-81cd-4b3a-abb0-5f7ada18a28f", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - 
"spec_version": "2.1", - "id": "relationship--2b282061-d14c-4e3e-9b4e-f1d37841c9dd", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.692798Z", - "modified": "2021-02-10T06:49:35.692798Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--c3a03554-f52e-49bd-ad0d-f01d4ded7f39", - "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2bd9e452-fe56-463b-8079-eeaebcfc800b", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.563442Z", - "modified": "2021-02-10T06:49:35.563442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--001ca78e-188e-4725-9f43-706d0f487837", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2c43bdc5-b893-4004-abdf-0a47ed19d2f1", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.687537Z", - "modified": "2021-02-10T06:49:35.687537Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--48018d04-fcd1-4e5d-b29f-6ccf841ae65f", - "target_ref": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2cacef1b-b542-4244-9b4f-306fff39aae2", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.703804Z", - "modified": "2021-02-10T06:49:35.703804Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--c31eb81c-b21c-4ae2-aed3-bcc77821d3ca", - "target_ref": "attack-pattern--4ec39934-4cf3-4e7a-96fb-425ea2f56d15", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2cec369a-ebbb-4bf4-ae8a-81311b7ad6ee", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8c5ccf4d-b443-4803-8e69-eb83b1564c48", - "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2d1c8c16-3b50-4d04-b79d-54168c19af90", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.608257Z", - "modified": "2020-08-21T20:50:04.608257Z", - "relationship_type": "uses", - "description": "Intercepts encrypted web traffic to inject adds.", - "source_ref": "malware--dbe9ee23-f01d-4cdb-bf53-066c77352dac", - "target_ref": "attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2d702b38-41ca-4d36-ab6d-0770611e081e", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.670445Z", - "modified": "2021-02-10T06:49:35.670445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--603e1968-92e1-41ec-86f1-c2ea0d28b7bf", - "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - 
"spec_version": "2.1", - "id": "relationship--2df976a9-445b-4615-837c-87feedf4c4f6", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.492443Z", - "modified": "2021-02-10T06:49:35.492443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--cc89a8c1-00d2-4ae2-bda2-a35398a63214", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2e0c9bbc-6206-4b83-be2c-70c2db88e443", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9a20e319-4340-469f-a31c-5153dbd05bd0", - "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2e49dee1-bad0-4604-bf16-7064059d864c", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--83576712-779f-4c76-9459-939092f6cd70", - "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2e6d72ae-2e84-48ed-999e-4fd317709893", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.553443Z", - "modified": "2021-02-10T06:49:35.553443Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--eee013e1-4cfd-42f9-9f46-71f4b1598ef3", - "target_ref": "attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2e7a50d1-fe73-4543-8001-157ab23a0b0a", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.627444Z", - "modified": "2021-02-10T06:49:35.627444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f93d127d-164b-47c1-81e9-e7011cb478f8", - "target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2e8603db-3b75-4248-b9f0-70716c08b727", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.487484Z", - "modified": "2021-02-10T06:49:35.487484Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--91b7e621-49fe-4f7b-a8c6-0a377ceac3cd", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--2fe88d4c-7381-435c-94c4-c2fcfb042f0d", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.67747Z", - "modified": "2021-02-10T06:49:35.67747Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--856d6d11-4b8a-47d6-afb0-b79aa462fa26", - "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": 
"relationship--305ddd65-9572-4b7e-96e1-f7d3bdb38df8", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.513484Z", - "modified": "2021-02-10T06:49:35.513484Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8736d370-3b61-4b4d-a371-0a01e988cbde", - "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--30c38873-69d5-48e3-9c21-c94acff756e9", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.674443Z", - "modified": "2021-02-10T06:49:35.674443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a453cf88-1389-4ffd-8f3c-e95475f10a9f", - "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--326934b2-c3b7-4854-b52e-c8c521351d37", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.63795Z", - "modified": "2021-02-10T06:49:35.63795Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--741edcac-607c-4ebf-a8d0-928e02fe1461", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3292f259-14f0-49d0-953d-958438b155eb", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.459442Z", - "modified": "2021-02-10T06:49:35.459442Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--93ac6386-6f04-44cd-b7a5-78da3ced8b13", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--32a3bc4f-4a7f-4ccb-a91f-0871823eba23", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.48648Z", - "modified": "2021-02-10T06:49:35.48648Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b7727763-8ffd-4588-b8a1-15168d18f0dd", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3328d84c-da60-47a0-840a-3c3cc1c91001", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.477444Z", - "modified": "2021-02-10T06:49:35.477444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--dc5231d1-332e-45ab-9995-412a5da4c10d", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--33f47112-8545-49fe-94cf-eb546eedcc4f", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.664444Z", - "modified": "2021-02-10T06:49:35.664444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9b4638cb-2e9b-480e-a502-4ac8acfa4dd8", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": 
"relationship--343529d8-feaf-4a4b-8f87-124c1a812480", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.531443Z", - "modified": "2021-02-10T06:49:35.531443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--36074f02-7b9b-4052-998f-cb6c56447031", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--343d0c6c-f9a4-4c0a-9421-1b810982e3fb", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.613258Z", - "modified": "2020-08-21T20:50:04.613258Z", - "relationship_type": "uses", - "description": "Learns about the system so it can drop compatible miner software.", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3618a207-89d9-4cd5-8933-74604e47d7b0", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.994215Z", - "modified": "2022-02-04T23:52:40.994215Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--2cab79e4-750b-43e3-9486-0d7801d8fdd8", - "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--36f2a08b-55c5-46f5-9fbc-71ee8ac382cc", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.604253Z", - "modified": "2020-08-21T20:50:04.604253Z", - "relationship_type": "uses", - 
"description": "After the Poison-Ivy server is running on the target machine, the attacker uses a Windows GUI client to control the target computer.", - "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", - "target_ref": "attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--372550b4-1de4-47e9-9f7b-b623c0424c52", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.577443Z", - "modified": "2021-02-10T06:49:35.577443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f5f683c9-7cc4-41b9-a607-16e3c09461f4", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--385dea15-c11e-44c3-a3bc-c39939c17f1e", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.712898Z", - "modified": "2021-02-10T06:49:35.712898Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--7adc736f-d3ca-438a-8bce-46967e062ea3", - "target_ref": "attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--38f040a5-f925-40ea-aa8b-0699c2abe7d7", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.679444Z", - "modified": "2021-02-10T06:49:35.679444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--2e82d33e-a804-42a2-9931-57f7b7af78f9", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--39af8459-c0a2-40c0-b35c-5646b651d05e", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.657447Z", - "modified": "2021-02-10T06:49:35.657447Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--6ffd281c-acc5-4543-9fb5-aa0002339ea8", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3a455abe-520c-4836-ad23-43ec054d18c2", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.635945Z", - "modified": "2021-02-10T06:49:35.635945Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--665d234f-6c97-4ae2-b43f-18ea89336220", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3a47d7e2-9bd4-4462-8653-026774d34df5", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.550479Z", - "modified": "2021-02-10T06:49:35.550479Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4e688c01-10a1-41e9-a909-5442531069ac", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3b9dccfb-5d9e-430c-b919-06de5797dbc5", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.646032Z", - "modified": 
"2021-02-10T06:49:35.646032Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f", - "target_ref": "attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3bb155c0-3689-4ce9-b53a-36f6c48b6421", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.455445Z", - "modified": "2021-02-10T06:49:35.455445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e85ffef6-8593-4bff-a6f0-d54b2e64fc70", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3c99c563-b702-4611-98da-18d07b825dd0", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b3030683-9d60-4b63-8498-f7fac91c244d", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3ce0217e-a3e8-4735-9eda-f19656c3d7b2", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.612264Z", - "modified": "2020-08-21T20:50:04.612264Z", - "relationship_type": "uses", - "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", - "target_ref": "attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": 
"relationship", - "spec_version": "2.1", - "id": "relationship--3d50075c-9ef1-4f64-8069-75e1cdffd66a", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.675442Z", - "modified": "2021-02-10T06:49:35.675442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--12c16b13-65d4-49ea-9dcb-3a88553ac5d3", - "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3ddcef21-22e6-4fee-bd78-e7d6c2c83048", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.706443Z", - "modified": "2021-02-10T06:49:35.706443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--dcd29dd1-20d2-4387-90dd-95480c4e0f1c", - "target_ref": "attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3de5f447-d5fe-417a-a775-afbc85f6e093", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.503442Z", - "modified": "2021-02-10T06:49:35.503442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--7aa33db8-4800-430a-8068-8b57b85a9b8a", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3dfc2f43-ed0b-4637-abdf-a6e258e7df0a", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.558442Z", - "modified": "2021-02-10T06:49:35.558442Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--d6181cb9-7268-4ff7-99db-94df827e746e", - "target_ref": "attack-pattern--e3f453d4-03f3-4a8a-bfb1-d603016e234f", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3e147b5c-70ec-44b0-82f8-e0e50d205e05", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3018beac-a047-4b14-9c72-3340866b4c67", - "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3e59abd5-eb6f-4c78-a3f4-e26be1373992", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.605446Z", - "modified": "2021-02-10T06:49:35.605446Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9a5f43f7-dd94-4035-b335-9d0d388c93ae", - "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3f24aa3d-155d-4425-8a05-a2af71aac43b", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.629502Z", - "modified": "2021-02-10T06:49:35.629502Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--063274b5-04c4-4987-98d6-850c2598b601", - "target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": 
"relationship--3f296064-170e-4b72-8cac-620d2f95652f", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.616473Z", - "modified": "2021-02-10T06:49:35.616473Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8abe31b2-7123-41f1-9ca3-5653bc1c0fdc", - "target_ref": "attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--3fa431f8-8f27-4543-9f7b-1fbf52464fb4", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.563442Z", - "modified": "2021-02-10T06:49:35.563442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--76206161-2e14-48a0-9191-998ef774b345", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--40af3048-e15a-48e0-89f3-bd10073bd777", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.603292Z", - "modified": "2020-08-21T20:50:04.603292Z", - "relationship_type": "uses", - "description": "Code virtualization is added to the Locky Bart binary using WPProtect.", - "source_ref": "malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48", - "target_ref": "attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--4182f75a-8270-47e2-96fe-156dc6f70dd8", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.699498Z", - "modified": "2021-02-10T06:49:35.699498Z", - "relationship_type": 
"subtechnique-of", - "source_ref": "attack-pattern--9c6a7353-74f8-468b-94d8-faee128fa78d", - "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--41cd43e4-bc45-4ed3-ace0-2efdbf47eafe", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f1f9a410-ce13-4c3d-8728-69e517d71fb9", - "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--420f543c-dd0c-47ae-96c9-d293bc8403cd", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.463442Z", - "modified": "2021-02-10T06:49:35.463442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a7d53e43-1336-49be-bf6b-9cc3fb832ab2", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--422f6662-a452-4dec-9112-cb172620cb35", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.705443Z", - "modified": "2021-02-10T06:49:35.705443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--77932220-efa9-44d5-b3a9-c5d9ed4f3573", - "target_ref": "attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": 
"relationship--42b86dee-4ac0-41ac-9a0b-1ceb62a65683", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.685993Z", - "modified": "2021-02-10T06:49:35.685993Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b74af853-9674-4bc7-9d30-be251db05e3d", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--42f9aa4c-a48e-412d-bec0-5ad8ecd6dd00", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.586443Z", - "modified": "2021-02-10T06:49:35.586443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a5589cd0-a6ee-4d1a-9963-3c44e9734242", - "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", + "created": "2020-08-21T20:49:59.809259Z", + "modified": "2022-09-08T18:26:13.376956Z", + "name": "FTP Communication", + "description": "The FTP Communication micro-behavior focuses on FTP communication.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/ftp-communication.md", + "external_id": "C0004" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--43824188-5804-4e65-9ed8-0cd21ba1947a", + "id": "attack-pattern--d7183ad6-af24-4400-9539-f3a70be04a76", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.515492Z", - "modified": "2021-02-10T06:49:35.515492Z", - 
"relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--24d2552e-d0ee-4ab5-8e75-743b233379e1", - "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", + "created": "2021-02-10T06:49:31.953485Z", + "modified": "2022-09-08T18:26:13.26805Z", + "name": "Clipboard Modification", + "description": "ATT&CK defines Clipboard Modification as a Mobile technique (Android platform). MBC extends it to the Windows platform.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/clipboard-modification.md", + "external_id": "E1510" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--43b39c15-6e60-420f-b0a5-3c2afaa08148", + "id": "attack-pattern--85809708-79ee-4bff-824e-471b7bbd30a9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.605287Z", - "modified": "2020-08-21T20:50:04.605287Z", - "relationship_type": "uses", - "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", - "target_ref": "attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4", + "created": "2021-02-10T06:49:31.976483Z", + "modified": "2022-09-08T18:26:13.377415Z", + "name": "Echo Request::ICMP Communication", + "description": "Send ICMP echo request.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/icmp-communication.md", + "external_id": "C0014.002" + 
} + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--43eba576-5486-4061-8370-94de8fc35ad4", + "id": "attack-pattern--3f907716-eb0f-4fd6-8db6-46f6932ab585", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.661442Z", - "modified": "2021-02-10T06:49:35.661442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1bfa0256-c28e-4dcc-82f6-8fa6880328f6", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.518266Z", + "modified": "2022-09-08T18:26:13.310399Z", + "name": "Use Interrupts", + "description": "The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption \"key\".", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.030" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4430014b-9fc5-4b48-a8a9-7a9b657dbef3", + "id": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.506476Z", - "modified": "2021-02-10T06:49:35.506476Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ff66c503-48b3-4f2b-a462-f54258d2cfca", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-09-08T18:26:13.421077Z", + "name": "Hijack Execution Flow", + "description": 
"Malware may execute by hijacking the way operating systems run programs. Malware (e.g. rootkit) alters API behavior or redirects execution (i.e., hooking) to a malicious API version for a variety of purposes. Malware may use hooking to load and execute code within the context of another process, hiding execution and gaining elevated privileges and access to the process's memory. Different types of hooking are defined as methods below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", + "external_id": "F0015" + }, + { + "source_name": "external_source", + "url": "https://www.sans.org/media/score/checklists/rootkits-investigation-procedures.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.oreilly.com/library/view/learning-malware-analysis/9781788392501/a0a506d6-d062-48c1-a0a8-57d6acb77785.xhtml" + }, + { + "source_name": "external_source", + "url": "https://www.mdpi.com/1999-5903/4/4/971/html" + }, + { + "source_name": "external_source", + "url": "http://ropgadget.com/posts/abusing_win_functions.html" + }, + { + "source_name": "external_source", + "url": "https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures" + }, + { + "source_name": "external_source", + "url": 
"https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" + }, + { + "source_name": "external_source", + "url": "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/synful-knock-acis" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4483dfbc-eda0-4a56-aa56-c6c122b46f2d", + "id": "attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.510443Z", - "modified": "2021-02-10T06:49:35.510443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--225f1311-c972-428d-be5e-f99a9edb705c", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.598261Z", + "modified": "2022-09-08T18:26:13.224843Z", + "name": "Keylogging", + "description": "Malware captures user keyboard input.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/keylogging.md", + "external_id": "F0002" + }, + { + "source_name": "external_source", + "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml" + }, + { + "source_name": "external_source", + "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/" + }, + { + "source_name": "external_source", + "url": "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--459d2b7d-7d81-4468-bc6a-901ba11fb154", + "id": "attack-pattern--648530a1-e16b-45c6-ae10-d3d47fc8bcb7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.615251Z", - "modified": "2020-08-21T20:50:04.615251Z", - "relationship_type": "uses", - "description": "Injects miner code into a running process.", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", + "created": "2021-02-10T06:49:31.992483Z", + "modified": "2022-09-08T18:26:13.389471Z", + "name": "HC-128::Encrypt Data", + "description": "Malware encrypts with the HC-128 algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.006" + } + 
], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--46602894-3b25-4e09-b8ef-14a2e0c49208", + "id": "attack-pattern--2b4653a5-2865-4768-ae75-e1f7cb84b39a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.598251Z", - "modified": "2020-08-21T20:50:04.598251Z", - "relationship_type": "uses", - "description": "Some variants look for an unnamed mutex to ensure only one copy of itself is running on a system.", - "source_ref": "malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b", - "target_ref": "attack-pattern--6069021d-57ec-403e-b6fc-013b995aa2f0", + "created": "2020-08-21T20:49:59.535262Z", + "modified": "2022-09-08T18:26:13.275394Z", + "name": "Flow Opcode Obstruction", + "description": "Flow opcodes (e.g., jumps, loops) are removed and emulated (or decrypted) by the packer during execution, resulting in incorrect dumps. .", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.009" + }, + { + "source_name": "external_source", + "url": "https://www.gironsec.com/code/packers.pdf" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--46785d2f-2931-4800-86d2-101cdfdaaec2", + "id": "attack-pattern--a8761808-d474-430a-9bd9-c770bc1163be", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.494443Z", - "modified": "2021-02-10T06:49:35.494443Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--0b1371c5-4bec-466a-b643-43b719537894", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2021-02-10T06:49:31.989483Z", + "modified": "2022-09-08T18:26:13.384972Z", + "name": "3DES::Decrypt Data", + "description": "Malware decrypts data encrypted with the 3DES algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4696f9bf-84c4-4d96-9843-b7d105dfab7c", + "id": "attack-pattern--e1c3c48b-0b4d-418f-b7af-44715b214972", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.610253Z", - "modified": "2020-08-21T20:50:04.610253Z", - "relationship_type": "uses", - "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", - "target_ref": "attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74", + "created": "2020-08-21T20:49:59.530265Z", + "modified": "2022-09-08T18:26:13.30185Z", + "name": "Undocumented Opcodes", + "description": "Use rare or undocumented opcodes to block non-exhaustive emulators.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md", + "external_id": "B0005.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": 
"relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4697ee9b-c70e-4086-8b9e-93b4a142077f", + "id": "attack-pattern--42a50e42-61c1-4eb0-a7a2-f7f278feb391", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.491483Z", - "modified": "2021-02-10T06:49:35.491483Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--c08285dc-2707-4016-9db1-187e19f504f6", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2022-02-04T23:52:36.062232Z", + "modified": "2022-09-08T18:26:13.330913Z", + "name": "aPLib::Decompress Data", + "description": "Malware decompresses data using aPLib.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decompress-data.md", + "external_id": "C0025.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--478019f4-7fba-49e1-8d9c-890f16a54123", + "id": "attack-pattern--4b908d8d-dc10-4114-99e6-8a82fe6a5e7f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b2320873-c5bb-4691-80f6-ffbd143b8b9a", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2020-08-21T20:49:59.510265Z", + "modified": "2022-09-08T18:26:13.303372Z", + "name": "Break Point Clearing", + "description": "Intentionally clearing software or hardware breakpoints.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": 
"anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--48b8f0a2-952c-4ff7-a239-272755858d3b", + "id": "attack-pattern--c9223618-2865-499f-890e-2848db80a6d9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.633444Z", - "modified": "2021-02-10T06:49:35.633444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--46c39f69-1900-4558-9c0d-2d9fe322dd41", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2022-02-04T23:52:35.877737Z", + "modified": "2022-09-08T18:26:13.243824Z", + "name": "GetVolumeInformation", + "description": "This Windows API call is used to get the GUID on a system drive. Malware compares it to a previous (targeted) GUID value and only executes maliciously if they match. 
This behavior can be mitigated in non-automated analysis environments.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", + "external_id": "B0025.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--49c51e2e-4240-4e7f-90bd-2110ca45790d", + "id": "attack-pattern--83892ea2-fded-49dd-bca7-d415f8fea8f9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.576443Z", - "modified": "2021-02-10T06:49:35.576443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--7c5cb62b-9374-47b1-8a2f-82204b8640b6", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "created": "2020-08-21T20:49:59.583262Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "UPX", + "description": "Uses UPX packer.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.008" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + 
"type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4b164a76-c735-48bd-867f-475b5ffbaa72", + "id": "attack-pattern--155facb0-bb4a-4df0-b276-70c16f4c12f9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.553443Z", - "modified": "2021-02-10T06:49:35.553443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--13631209-26c3-481c-bd8c-fa6c57c3dbe5", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2020-08-21T20:49:59.503263Z", + "modified": "2022-09-08T18:26:13.292955Z", + "name": "Unique Hardware/Firmware Check - I/O Communication Port", + "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. 
The port can be queried and compared with a magic number VMXh to identify the use of VMware.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.025" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4be86d9d-3a96-49a8-a610-53eb6d508ad6", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.48848Z", - "modified": "2021-02-10T06:49:35.48848Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--dd40dbb6-6220-4b7b-93e1-20fe081eb219", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "id": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.552264Z", + "modified": "2022-09-08T18:26:13.207636Z", + "name": "Disassembler Evasion", + "description": "Malware code evades disassembly in a recursive or linear disassembler. 
Some methods apply to both types of disassemblers; others apply to one type and not the other.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md", + "external_id": "B0012" + }, + { + "source_name": "external_source", + "url": "http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf" + }, + { + "source_name": "external_source", + "url": "http://www.kernelhacking.com/rodrigo/docs/blackhat2012-paper.pdf" + }, + { + "source_name": "external_source", + "url": "https://isc.sans.edu/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870" + }, + { + "source_name": "external_source", + "url": "https://boingboing.net/2019/05/05/p-code-r-us.html" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4bff68b3-9d4e-4ba5-b2fe-95b583cbc03f", + "id": "attack-pattern--7f779291-853e-4e30-a57c-0b3276b70905", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:34.329445Z", - "modified": "2021-02-10T06:49:34.329445Z", - "relationship_type": "uses", - "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", - "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", + "created": "2022-02-04T23:52:36.093464Z", + "modified": "2022-02-05T00:37:22.804261Z", + "name": "Minifilter::Install Driver", + "description": "Malware registers a minifilter.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "hardware-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + 
"source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/install-driver.md", + "external_id": "C0037.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4c9acfd0-38e0-4895-936a-1c1a4b25e057", + "id": "attack-pattern--d7c408e8-d813-46aa-8267-a76f8d53ec35", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.519481Z", - "modified": "2021-02-10T06:49:35.519481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e60f2ef0-615c-4158-92f6-4db808bc116d", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "created": "2020-08-21T20:49:59.510265Z", + "modified": "2022-09-08T18:26:13.303621Z", + "name": "Byte Stealing", + "description": "Move or copy the first bytes / instructions of the original code elsewhere. AKA stolen bytes or code splicing. For example, a packer may incorporate the first few instructions of the original EntryPoint (EP) into its unpacking stub before the tail transition in order to confuse automated unpackers and novice analysts. 
This can make it harder for rebuilding and may bypass breakpoints if set prematurely.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4cf50640-bc53-4eaa-a715-32db8ed6ffd0", + "id": "attack-pattern--333a4ca2-d8a5-4829-abcb-c42736a41f0d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.97859Z", - "modified": "2022-02-04T23:52:40.97859Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--fe31be5f-2912-4056-b70b-62988d5c3829", - "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", + "created": "2021-02-10T06:49:32.002478Z", + "modified": "2022-09-08T18:26:13.329942Z", + "name": "IEncodingFilterFactory::Compress Data", + "description": "Malware compresses data using IEncodingFilterFactory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/compress-data.md", + "external_id": "C0024.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4e60ed0e-a71a-4e33-90e4-17d90076aa45", + "id": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.97859Z", - "modified": "2022-02-04T23:52:40.97859Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d5762c67-a576-4aa8-aacd-3fba3a7f4599", - "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", + "created": "2020-08-21T20:49:59.69826Z", + "modified": "2022-09-08T18:26:13.404863Z", + "name": "Rootkit", + "description": "Behaviors of a rootkit: \"A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that is not otherwise allowed and often masks its existence or the existence of other software.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md", + "external_id": "E1014" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Rootkit" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4ec4c126-c142-44b6-843a-3269d3dab081", + "id": "attack-pattern--e72b1f9b-69a5-44fa-8de6-fa7d4ccc726c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.683632Z", - "modified": "2021-02-10T06:49:35.683632Z", - "relationship_type": "subtechnique-of", 
- "source_ref": "attack-pattern--1ef444d5-6292-4701-be04-7d8bbd677b95", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", + "created": "2021-02-10T06:49:32.030527Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Create Registry Key::Registry", + "description": "Malware creates a registry key.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "operating-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", + "external_id": "C0036.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4edb0c4a-cd3c-48cf-93bc-e616a9f14dea", + "id": "attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--966c59f0-e5f7-4c3f-80f8-49091c015ad7", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "created": "2020-08-21T20:49:59.458263Z", + "modified": "2022-09-08T18:26:13.311826Z", + "name": "API Hook Detection", + "description": "Module bounds based .", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.001" + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, 
Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4f8381a1-5302-477f-b4b2-8c0f9daf40b3", + "id": "attack-pattern--904b465b-d733-4619-b0d5-5c394cd2b7f3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.528504Z", - "modified": "2021-02-10T06:49:35.528504Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc", - "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd", + "created": "2020-08-21T20:49:59.466263Z", + "modified": "2022-09-08T18:26:13.316169Z", + "name": "NtYieldExecution/SwitchToThread", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.015" + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--4fab69d4-4418-4097-9fba-8aa22661f8d5", + "id": "attack-pattern--13d8f97e-b0dc-4ced-918d-31297b1f9aff", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.602253Z", - "modified": "2020-08-21T20:50:04.602253Z", - "relationship_type": "uses", - "description": "Performs click-fraud.", - "source_ref": "malware--fa095747-0ca8-4965-a222-cf1fe7647e12", - "target_ref": 
"attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a", + "created": "2020-08-21T20:49:59.459263Z", + "modified": "2022-09-08T18:26:13.313098Z", + "name": "CloseHandle", + "description": "(NtClose); If an invalid handle is passed to the CloseHandle function and a debugger is present, then an EXCEPTION_INVALID_HANDLE (0xC0000008) exception will be raised.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.003" + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--50235d87-37e8-4405-a5c7-b491b5c20012", + "id": "attack-pattern--af70b2f4-e552-4ec0-b6ce-1c8c38e6748c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.552443Z", - "modified": "2021-02-10T06:49:35.552443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--38dad326-aeb6-4341-9a2b-233fcd5698cd", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2022-02-04T23:52:35.783046Z", + "modified": "2022-09-08T18:26:13.228703Z", + "name": "Implant to Controller File Transfer", + "description": "File is transferred from implant to controller.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + 
"source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--50717643-0b9f-4a5b-abf1-b5c376cdec6c", + "id": "attack-pattern--c863faee-3dcc-4fc0-9d16-9d0b7e75051c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.681443Z", - "modified": "2021-02-10T06:49:35.681443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5a28507d-35d5-4a9c-83e0-4ecb9774c23c", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", + "created": "2020-08-21T20:49:59.65626Z", + "modified": "2022-09-08T18:26:13.429818Z", + "name": "Modify Policy", + "description": "Malware may modify policies to make software less effective. This is similar to ATT&CK's Subvert Trust Controls: Code Signing Policy Modification ([T1553.006](https://attack.mitre.org/techniques/T1553/006/), [T1632.001](https://attack.mitre.org/techniques/T1632/001/))", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", + "external_id": "F0004.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--516562a4-11aa-4bdc-87a6-a65c127e16a0", + "id": "attack-pattern--d447c221-2ab5-4378-bb19-78b97869fa58", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.651444Z", - "modified": "2021-02-10T06:49:35.651444Z", - "relationship_type": 
"subtechnique-of", - "source_ref": "attack-pattern--37eb387f-ecb3-4098-926b-2e1d2c3da16e", - "target_ref": "attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4", + "created": "2021-02-10T06:49:31.990485Z", + "modified": "2022-09-08T18:26:13.386793Z", + "name": "Sosemanuk::Decrypt Data", + "description": "Malware decrypts data encrypted with the Sosemanuk stream cipher.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.012" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--51a03352-ebd5-4877-a2ef-f4fcfa378ae8", + "id": "attack-pattern--2847e96e-8080-4f95-96df-b2194e42ac25", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.489479Z", - "modified": "2021-02-10T06:49:35.489479Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--6e892e5f-0d39-4e58-9a69-1ff8cc479291", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2021-02-10T06:49:31.973483Z", + "modified": "2022-09-08T18:26:13.365016Z", + "name": "Receive Request::HTTP Communication", + "description": "HTTP server receives request.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.015" + } + ], + 
"x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--51ca1656-ea81-4547-9319-e9cf419a33fc", + "id": "attack-pattern--f21fda77-e6ff-4351-87d9-0e2f5780a1c3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.699097Z", - "modified": "2021-02-10T06:49:35.699097Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--69401771-6ed2-45b5-bc81-68444a3dc4c9", - "target_ref": "attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078", + "created": "2021-02-10T06:49:32.035443Z", + "modified": "2022-09-08T18:26:13.360512Z", + "name": "Create Mutex", + "description": "Malware creates a mutex.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-mutex.md", + "external_id": "C0042" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--521e80bd-0b4b-4b45-abeb-0a5b7bfee750", + "id": "attack-pattern--9fb37268-5250-495b-b80c-96315169c1a8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.673442Z", - "modified": "2021-02-10T06:49:35.673442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4ce382af-356c-4906-b6f1-e44b4d71ed02", - "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", + 
"created": "2022-09-08T18:26:13.299902Z", + "modified": "2022-09-08T18:26:13.299902Z", + "name": "Test API Routines", + "description": "Calls Windows API routines with invalid arguments to identify error supression.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", + "external_id": "B0007.010" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--52577eb5-283f-4d59-afa3-e2aff4979371", + "id": "attack-pattern--26d8815b-c8d1-4fc9-a6f6-218c0436b7a1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--6a958b33-6517-459c-afda-7f4f490ac15d", - "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504", + "created": "2020-08-21T20:49:59.562264Z", + "modified": "2022-09-08T18:26:13.195174Z", + "name": "Thunk Code Insertion", + "description": "Variation on Jump Insertion. 
Used by some compilers for user-generated functions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.006" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--528345e9-514a-4620-afd8-ba7295737682", + "id": "attack-pattern--e84f764e-ace1-4149-b73d-664b17954d7b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.623442Z", - "modified": "2021-02-10T06:49:35.623442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--cbfcfc30-2fa3-4160-a9ba-4cc6c0f48345", - "target_ref": "attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36", + "created": "2021-02-10T06:49:31.994484Z", + "modified": "2022-09-08T18:26:13.392412Z", + "name": "Twofish::Encrypt Data", + "description": "Malware encrypts with the Twofish algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--533de0a3-baba-41e1-9291-18f5f6b58dd4", + "id": "attack-pattern--225f1311-c972-428d-be5e-f99a9edb705c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2021-02-10T06:49:35.512444Z", - "modified": "2021-02-10T06:49:35.512444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f286389b-6374-4b58-ae99-975a32ad18ce", - "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", + "created": "2020-08-21T20:49:59.517264Z", + "modified": "2022-09-08T18:26:13.310135Z", + "name": "Thread Timeout", + "description": "Setting dwMilliseconds in WaitForSingleObject to a small number will timeout the thread before the analyst can step through and analyze the code executing in the thread. Modifying this via patch, register, or stack to the value `0xFFFFFFFF`, the **INFINITE** constant circumvents this anti-debugging technique.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.029" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--53471123-9043-4b7a-8a21-abd7330fefb6", + "id": "attack-pattern--e60f2ef0-615c-4158-92f6-4db808bc116d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.641721Z", - "modified": "2021-02-10T06:49:35.641721Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b535d57f-a2e0-427b-8f4d-69d948e6ebf4", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2020-08-21T20:49:59.537265Z", + "modified": "2022-09-08T18:26:13.275982Z", + "name": "Hide virtual memory", + "description": "Hide arbitrary segments of virtual memory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": 
"anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--54b2b002-a735-49e5-adcf-2fdd110ff811", + "id": "attack-pattern--5d116564-0ef7-4791-9a34-e86d81840b49", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.507477Z", - "modified": "2021-02-10T06:49:35.507477Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3fe270a3-09a5-4ca9-937f-d2bee9afed96", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.920259Z", + "modified": "2022-09-08T18:26:13.252689Z", + "name": "Modify Existing Service", + "description": "Malware may modify an existing service to gain persistence. 
Modification may include disabling a service.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/modify-existing-service.md", + "external_id": "F0011" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + }, + { + "source_name": "external_source", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--553ce917-a792-47cf-8c30-6620e5609840", + "id": "attack-pattern--8736d370-3b61-4b4d-a371-0a01e988cbde", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.658443Z", - "modified": "2021-02-10T06:49:35.658443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--948cdf0e-8ac2-46a4-8bc0-a5ab5eda55a2", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.52426Z", + "modified": "2022-09-08T18:26:13.32804Z", + "name": "Illusion", + "description": "Creates an illusion; makes the 
analyst think something happened when it didn't.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.009" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--55696eb3-164e-4de9-901f-375ce8b3d23d", + "id": "attack-pattern--a438adb9-e8d8-40da-8fb3-0500b0c812f5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.568481Z", - "modified": "2021-02-10T06:49:35.568481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--276108d0-bfef-45d8-9e20-0e6f5c107f6f", - "target_ref": "attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3", + "created": "2022-02-04T23:52:35.736174Z", + "modified": "2022-09-08T18:26:13.277014Z", + "name": "Hook memory mapping APIs", + "description": "Hooking prevents memory dumps by preventing mapping of memory into the kernel's virtual address space.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.010" + }, + { + "source_name": "external_source", + "description": "J. Stuttgen, M. 
Cohen, Anti-forensic resilient memory acquisition,", + "url": "https://www.dfrws.org/sites/default/files/session-files/paper-anti-forensic_resilient_memory_acquisition.pdf" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--557af9e7-def2-4117-9b51-a75469fc90d2", + "id": "attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.482442Z", - "modified": "2021-02-10T06:49:35.482442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4283aa07-89f3-40d8-b45f-87ef48c8a86d", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.791261Z", + "modified": "2022-02-05T00:37:22.71051Z", + "name": "Manipulate Network Traffic", + "description": "Malware intercepts and manipulates network traffic, typically accessing or modifying data, going to or originating from the system on which the malware instance is executing. 
Also known as a Man-in-the-Middle attack.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/manipulate-network-traffic.md", + "external_id": "B0019" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--56445635-e12d-483f-9f37-8f54e2002bf2", + "id": "attack-pattern--cb5e801d-a60f-497e-93b6-23d5e29c09fd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.528504Z", - "modified": "2021-02-10T06:49:35.528504Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--bab113ca-bbe4-4b39-bcac-d7fa7325b1e9", - "target_ref": "attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95", + "created": "2020-08-21T20:49:59.538265Z", + "modified": "2022-09-08T18:26:13.276225Z", + "name": "On-the-Fly APIs", + "description": "Resolve API addresses before each use to prevent complete dumping.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.007" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--567dba20-4c5a-4091-a9a0-742c742a94af", + 
"id": "attack-pattern--3d502650-c707-4d28-b520-f440faa33ade", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.532854Z", - "modified": "2021-02-10T06:49:35.532854Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--415ff076-0f63-4040-940e-439321695a67", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2021-02-10T06:49:31.999444Z", + "modified": "2022-02-05T00:37:22.773011Z", + "name": "Adler::Checksum", + "description": "Malware computes an Adler checksum.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md", + "external_id": "C0032.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--56821799-dd4f-4317-abb6-79d3a7d71dc0", + "id": "attack-pattern--ac446754-73f8-4642-ac66-26b41c5f24ce", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.577443Z", - "modified": "2021-02-10T06:49:35.577443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--dad3c536-a9a6-492b-baae-4353f2c6f601", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "created": "2020-08-21T20:49:59.517264Z", + "modified": "2022-09-08T18:26:13.276769Z", + "name": "Tampering", + "description": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--57543e32-d9cc-4f12-b7f6-9a15aa1f1a73", + "id": "attack-pattern--cefefa87-2f06-4008-afcf-847a8bd746af", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.603292Z", - "modified": "2020-08-21T20:50:04.603292Z", - "relationship_type": "uses", - "description": "Encrypts files for ransom without any connection to the Internet.", - "source_ref": "malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48", - "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd", + "created": "2021-02-10T06:49:31.982483Z", + "modified": "2022-09-08T18:26:13.374529Z", + "name": "Receive TCP Data::Socket Communication", + "description": "Receive TCP data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.016" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--576dd954-f983-47d9-a0f8-edd3abfd1660", + "id": "attack-pattern--b74af853-9674-4bc7-9d30-be251db05e3d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.600252Z", - "modified": "2020-08-21T20:50:04.600252Z", - "relationship_type": "uses", - "description": "Emotet macros are heavily obfuscated with junk functions and string 
substitutions.", - "source_ref": "malware--5fe2035d-58a0-4cd6-9561-cf4442871a10", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2021-02-10T06:49:31.994484Z", + "modified": "2022-09-08T18:26:13.392125Z", + "name": "Stream Cipher::Encrypt Data", + "description": "Malware encrypts with a stream cipher.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.012" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--5785e586-1acd-466f-91b1-b0453295a9db", + "id": "attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.466445Z", - "modified": "2021-02-10T06:49:35.466445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--fe39ee83-4f97-4989-b1f4-11a95d36b9d2", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2021-02-10T06:49:32.002478Z", + "modified": "2022-09-08T18:26:13.330475Z", + "name": "Compress Data", + "description": "Malware may compress data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/compress-data.md", + "external_id": "C0024" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": 
"attack-pattern", "spec_version": "2.1", - "id": "relationship--58580a37-3977-4efb-b5fb-beda9bbfd345", + "id": "attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.696835Z", - "modified": "2021-02-10T06:49:35.696835Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3b11e590-980e-4850-a9a1-6189b62f62b1", - "target_ref": "attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1", + "created": "2020-08-21T20:49:59.887261Z", + "modified": "2022-09-08T18:26:13.353448Z", + "name": "Create Process", + "description": "Malware creates a process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-process.md", + "external_id": "C0017" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--5871f99e-1801-46fd-a35b-45c9f2c35762", + "id": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.671443Z", - "modified": "2021-02-10T06:49:35.671443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--92ac0cef-de80-4baa-869c-dc993492c0da", - "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", + "created": "2021-02-10T06:49:32.032478Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Registry", + "description": "Malware modifies the registry.", + "kill_chain_phases": [ + { + 
"kill_chain_name": "mitre-mbc", + "phase_name": "operating-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", + "external_id": "C0036" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--58c445bd-ac54-4861-b172-e7263a7a942f", + "id": "attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.914452Z", - "modified": "2022-02-04T23:52:40.914452Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a894c73b-8a05-4d53-86e8-39434b189fb6", - "target_ref": "attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5", + "created": "2020-08-21T20:49:59.716259Z", + "modified": "2022-09-08T18:26:13.213401Z", + "name": "System Information Discovery", + "description": "Malware may attempt to get detailed information about the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/system-information-discovery.md", + "external_id": "E1082" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" + }, + { + "source_name": "external_source", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "external_source", + "url": 
"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + }, + { + "source_name": "external_source", + "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--58da90a9-db0b-43cc-99f9-3e562dcf4a90", + "id": "attack-pattern--b16029de-92c1-4b77-b334-733f0d099ecd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.614292Z", - "modified": "2020-08-21T20:50:04.614292Z", - "relationship_type": "uses", - "description": "Drops software that mines for cryptocurrency: Cryptonight or Claymore's Zcash miner, depending on system architecture.", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e", + "created": "2020-08-21T20:49:59.561265Z", + "modified": "2022-09-08T18:26:13.19463Z", + "name": "Structured Exception Handling (SEH)", + "description": "A portion of the code always generates an exception so that malicious code is executed with the exception handling. 
See .", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.016" + }, + { + "source_name": "external_source", + "description": "Rob Simmons, \"Comparing Malicious Files,\" BSides, 2019.", + "url": "http://www.irongeek.com/i.php?page=videos/bsidescharm2019/2-04-comparing-malicious-files-robert-simmons" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--58fbdd0e-119e-447c-a027-2439b9f012b8", + "id": "attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.709443Z", - "modified": "2021-02-10T06:49:35.709443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--69df421d-b8ea-49d2-9bd2-9df44aa3ced6", - "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", + "created": "2020-08-21T20:49:59.788262Z", + "modified": "2022-09-08T18:26:13.261108Z", + "name": "Resource Hijacking", + "description": "Uses system resources for other purposes; as a result, the system may not be available for intended uses.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/resource-hijacking.md", + "external_id": "B0018" + }, + { + "source_name": "external_source", + "url": 
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--594b99e5-6125-4e18-8003-0a6b229d6a8a",
+ "id": "attack-pattern--6479f655-1a26-4a37-96b4-170c5a57a31d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.550479Z",
- "modified": "2021-02-10T06:49:35.550479Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--bad6ec3f-e218-4190-8033-3e4e8dae8d00",
- "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c",
+ "created": "2020-08-21T20:49:59.73826Z",
+ "modified": "2022-02-05T00:37:22.694887Z",
+ "name": "Uninstall",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md",
+ "external_id": "B0011.006"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5a12747a-b03e-4230-a499-db165272c5ac",
+ "id": "attack-pattern--fe31be5f-2912-4056-b70b-62988d5c3829",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.569485Z",
- "modified": "2021-02-10T06:49:35.569485Z",
- "relationship_type": "subtechnique-of",
- "source_ref": 
"attack-pattern--aaa5cf52-8414-4ac3-9bbb-3a45ba1f6d0d",
- "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a",
+ "created": "2022-02-04T23:52:35.877737Z",
+ "modified": "2022-09-08T18:26:13.2445Z",
+ "name": "Runs as Service",
+ "description": "The malware must be run as a service, which can make behavioral analysis and debugging more difficult. The service may be set up by the malware. Alternatively, the malware may not contain any code to create a new service or modify an existing service, in which case, the service may be set up by another program or manually.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md",
+ "external_id": "B0025.007"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5b7e6ad0-a129-4d6f-bd52-266371a85030",
+ "id": "attack-pattern--454163a6-b453-449c-88c1-96919f92705a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.491483Z",
- "modified": "2021-02-10T06:49:35.491483Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--2b01bf8e-63cf-495c-8e2f-d18a8c286ad5",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2020-08-21T20:49:59.91426Z",
+ "modified": "2022-09-08T18:26:13.255012Z",
+ "name": 
"Malicious Network Driver",
+ "description": "Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can re-infect the server if it is restarted (persistence), can infect other machines on the network (lateral movement), and can redirect traffic on the network.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/malicious-network-driver.md",
+ "external_id": "B0026"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.zdnet.com/article/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver/"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5b844d1a-0ade-4a6f-a5f8-99feb4aef74f",
+ "id": "attack-pattern--a7d53e43-1336-49be-bf6b-9cc3fb832ab2",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.712898Z",
- "modified": "2021-02-10T06:49:35.712898Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--7ae3202c-73b7-4153-a577-4d3084e2675f",
- "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b",
+ "created": "2020-08-21T20:49:59.473261Z",
+ "modified": "2022-09-08T18:26:13.320052Z",
+ "name": "Stack Canary",
+ "description": "Similar to the anti-exploitation method of the same name, malware may try to detect mucking with values on the stack.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
+ "external_id": "B0001.026"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5b9305b5-84da-48d9-a66f-5d6b0f0a0083",
+ "id": "attack-pattern--5b65a982-2a1d-4b32-ad40-b9e05b4d0284",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.498442Z",
- "modified": "2021-02-10T06:49:35.498442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--23949fea-4e13-41e3-b8c7-b25efd93f346",
- "target_ref": "attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc",
+ "created": "2020-08-21T20:49:59.460262Z",
+ "modified": "2022-09-08T18:26:13.313669Z",
+ "name": "Hardware Breakpoints",
+ "description": "(SEH/GetThreadContext); Debug registers will indicate the presence of a debugger. 
See for details.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
+ "external_id": "B0001.005"
+ },
+ {
+ "source_name": "external_source",
+ "description": "Anti Debugging Tricks, Al-Khaser.",
+ "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5be82a40-6219-481d-bc8c-3c07a1ed98e4",
+ "id": "attack-pattern--fdc4b63d-2ee4-49af-b2d4-2defeff3d87d",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.707444Z",
- "modified": "2021-02-10T06:49:35.707444Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--97dff623-9e06-4810-b316-8eedabe893f0",
- "target_ref": "attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce",
+ "created": "2022-02-04T23:52:35.877737Z",
+ "modified": "2022-09-08T18:26:13.245476Z",
+ "name": "Token Check",
+ "description": "Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.). 
If the token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.), it is considered fingerprinting.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md",
+ "external_id": "B0025.006"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5d0f5931-bb24-4dff-8119-36c01f33373e",
+ "id": "attack-pattern--dc49a540-64a4-47e7-8931-0ad5ce595cb7",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:34.767441Z",
- "modified": "2021-02-10T06:49:34.767441Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a",
+ "created": "2020-08-21T20:49:59.471262Z",
+ "modified": "2022-09-08T18:26:13.318737Z",
+ "name": "ProcessHeap",
+ "description": "Process heaps are affected by debuggers. 
Malware can detect a debugger by checking heap header fields such as Flags (debugger present if value greater than 2) or ForceFlags (debugger present if value greater than 0).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
+ "external_id": "B0001.021"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5d1c50b2-4901-4d80-b15f-26548a0cfc4a",
+ "id": "attack-pattern--b67d0824-50d3-4066-906b-93dd26a9f05f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.711465Z",
- "modified": "2021-02-10T06:49:35.711465Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--9aa6cbcb-2654-4533-a47c-3b44b62cb6a2",
- "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b",
+ "created": "2021-02-10T06:49:31.923443Z",
+ "modified": "2022-09-08T18:26:13.407533Z",
+ "name": "Encryption-Standard Algorithm",
+ "description": "A standard algorithm (e.g., Rijndael/AES, DES, RC4) is used to encrypt a malware sample, file, or other information.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md",
+ "external_id": "E1027.m05"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": 
"relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5d8c1fbc-c4ea-4d60-8879-3305c474c651",
+ "id": "attack-pattern--2fdbb4b2-a02a-42de-a6de-2263b48392f1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.509442Z",
- "modified": "2021-02-10T06:49:35.509442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--ac446754-73f8-4642-ac66-26b41c5f24ce",
- "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9",
+ "created": "2021-02-10T06:49:31.975482Z",
+ "modified": "2022-09-08T18:26:13.366806Z",
+ "name": "WinHTTP::HTTP Communication",
+ "description": "An HTTP request is made via the Windows HTTP Services (WinHTTP) application programming interface (API).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "communication-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
+ "external_id": "C0002.008"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5e02aacb-3140-4ae6-81c3-3512b2862b53",
+ "id": "attack-pattern--838d57ce-1e63-4898-9054-14851119e5fc",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.599252Z",
- "modified": "2020-08-21T20:50:04.599252Z",
- "relationship_type": "uses",
- "description": "Uses a domain name generator.",
- "source_ref": "malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9",
- "target_ref": "attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d",
+ "created": "2021-02-10T06:49:32.000444Z",
+ "modified": "2022-02-05T00:37:22.773011Z",
+ "name": "CRC32::Checksum",
+ "description": "Malware computes a CRC32 
checksum.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "data-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md",
+ "external_id": "C0032.001"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5e03783a-f410-4b24-a1ae-1f11e0012d70",
+ "id": "attack-pattern--4ce382af-356c-4906-b6f1-e44b4d71ed02",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.469483Z",
- "modified": "2021-02-10T06:49:35.469483Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--97024953-18b1-43d8-adf2-207ac2dca44e",
- "target_ref": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70",
+ "created": "2021-02-10T06:49:31.988483Z",
+ "modified": "2022-09-08T18:26:13.383868Z",
+ "name": "AES::Decrypt Data",
+ "description": "Malware decrypts data encrypted with the AES algorithm.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
+ "external_id": "C0031.001"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5e47a989-fee8-427e-a93f-503db3d69253",
+ "id": "attack-pattern--963d7b96-04f2-4c34-82ae-64bc6d5d37dc",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.590482Z",
- "modified": 
"2021-02-10T06:49:35.590482Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--fbaedc87-7d0b-447c-a9e5-0f6c2658770a",
- "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae",
+ "created": "2020-08-21T20:49:59.606261Z",
+ "modified": "2022-09-08T18:26:13.229783Z",
+ "name": "Request Email Template",
+ "description": "Request email template.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
+ "external_id": "B0030.009"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5e97acfb-5d93-4324-abda-2a162e187794",
+ "id": "attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.493443Z",
- "modified": "2021-02-10T06:49:35.493443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--b6679c6a-6312-44ec-a6fe-628a66d0cefe",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2022-02-04T23:52:35.829949Z",
+ "modified": "2022-09-08T18:26:13.420199Z",
+ "name": "Shadow System Service Dispatch Table Hooking",
+ "description": "The Shadow System Service Dispatch Table (SSDT) can be hooked similarly to how the SSDT and IAT are hooked. 
The target of the hooking with the Shadow SSDT is the Windows subsystem (win32k.sys).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md",
+ "external_id": "F0015.004"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mdpi.com/1999-5903/4/4/971/html"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--5eb31591-a592-41ab-86e3-cb93ed9e1c80",
+ "id": "attack-pattern--39d98cff-ebf0-4824-8a7a-55ba1058664b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.611257Z",
- "modified": "2020-08-21T20:50:04.611257Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8",
+ "created": "2020-08-21T20:49:59.468265Z",
+ "modified": "2022-09-08T18:26:13.317387Z",
+ "name": "Process Environment Block",
+ "description": "The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, such as \"BeingDebugged,\" \"NtGlobalFlag,\" and \"IsDebugged\". Testing the value of this PEB field of a particular process can indicate whether the process is being debugged. 
Testing \"BeingDebugged\" is equivalent to using the kernel32!IsDebuggerPresent API call (see separate method).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
+ "external_id": "B0001.019"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--60ed723b-ddd5-4ca0-9417-aee98ae94c3a",
+ "id": "attack-pattern--245f1add-7e00-4b25-9f57-a88febbd9359",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.587443Z",
- "modified": "2021-02-10T06:49:35.587443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--b1937ce5-4376-4b5d-944e-5406d8501413",
- "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397",
+ "created": "2021-02-10T06:49:31.915483Z",
+ "modified": "2022-09-08T18:26:13.429518Z",
+ "name": "Heavens Gate",
+ "description": "Malware evades endpoint security products by invoking 64-bit code in 32-bit processes, effectively bypassing user-mode hooks.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
+ "external_id": "F0004.008"
+ },
+ {
+ "source_name": "external_source",
+ "description": "Carl Petty, Red Canary, 3/3/2020. 
Online:",
+ "url": "https://redcanary.com/blog/heavens-gate-technique-on-linux/"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--6163d58e-187c-496c-b47e-ec9f9e75f54f",
+ "id": "attack-pattern--cada9d62-2163-42e3-88ec-d37e2ade1030",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.962929Z",
- "modified": "2022-02-04T23:52:40.962929Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--66995783-bfea-4c72-8fcb-4bdb015dc98f",
- "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58",
+ "created": "2020-08-21T20:49:59.502264Z",
+ "modified": "2022-09-08T18:26:13.292135Z",
+ "name": "Unique Hardware/Firmware Check - BIOS",
+ "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. Characteristics of the BIOS, such as version, can indicate virtualization.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
+ "external_id": "B0009.024"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--61872a4e-7152-4be1-8297-6fb76b3e7017",
+ "id": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.551476Z",
- "modified": "2021-02-10T06:49:35.551476Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--5aed60b2-8feb-4d3a-a585-b399a41bbc6f",
- "target_ref": 
"attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c",
+ "created": "2020-08-21T20:49:59.518266Z",
+ "modified": "2022-09-08T18:26:13.310636Z",
+ "name": "Debugger Evasion",
+ "description": "Behaviors that make debugging difficult.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
+ "external_id": "B0002"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.synack.com/2016/02/17/analyzing-the-anti-analysis-logic-of-an-adware-installer/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://phishme.com/dridex-code-breaking-modify-the-malware-to-bypass-the-vm-bypass/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://search.unprotect.it/map/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--61ca9cbc-792f-46c6-8dc5-1349697867e2",
+ "id": "attack-pattern--adf43bd9-7112-42fe-8024-7f7fe5a2225f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.578443Z",
- "modified": "2021-02-10T06:49:35.578443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--3110ab37-847b-4f50-be91-9748cee0f4a0",
- "target_ref": 
"attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd",
+ "created": "2020-08-21T20:49:59.485265Z",
+ "modified": "2022-09-08T18:26:13.298994Z",
+ "name": "Timing/Date Check",
+ "description": "Calling GetSystemTime or equiv and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date. This behavior can be mitigated in non-automated analysis environments.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
+ "external_id": "B0007.008"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--627fca8c-c3a2-49cc-a31b-c7e138829e81",
+ "id": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.945699Z",
- "modified": "2022-02-04T23:52:40.945699Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--28715d14-8b3f-4be9-95f6-e306de73f53f",
- "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263",
+ "created": "2020-08-21T20:49:59.708261Z",
+ "modified": "2022-09-08T18:26:13.217492Z",
+ "name": "Analysis Tool Discovery",
+ "description": "Malware can employ various means to detect whether analysis tools are present or running on the system on which it is executing. 
Note that analysis tools are used to *analyze* malware whereas security software (see **Software Discovery: Security Software Discovery ([T1518](https://attack.mitre.org/techniques/T1518/001/))** aims to *detect/mitigate* malware on a system or network.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md",
+ "external_id": "B0013"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--6322e651-3782-44fc-a873-70beb05f7d23",
+ "id": "attack-pattern--3fe270a3-09a5-4ca9-937f-d2bee9afed96",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.914452Z",
- "modified": "2022-02-04T23:52:40.914452Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--24464dee-85e0-4fbf-b604-130f783c3689",
- "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644",
+ "created": "2020-08-21T20:49:59.516301Z",
+ "modified": "2022-09-08T18:26:13.308619Z",
+ "name": "Section Misalignment",
+ "description": "Some analysis tools cannot handle binaries with misaligned sections.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
+ "external_id": "B0002.023"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--634d0ea4-0676-4efc-a74f-b483c5bcd3f0",
+ "id": "attack-pattern--8c803835-6fd8-4af8-a178-be3e2dc43687",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.605446Z",
- "modified": "2021-02-10T06:49:35.605446Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--89cee1bf-b7ab-4c13-8011-22364628422d",
- "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c",
+ "created": "2021-02-10T06:49:31.965484Z",
+ "modified": "2022-02-05T00:37:22.726134Z",
+ "name": "Printer",
+ "description": "The printer is modified.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/modify-hardware.md",
+ "external_id": "B0042.003"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--63b781c3-a8f4-4c5a-b432-5ea29beb76e5",
+ "id": "attack-pattern--1c9f410c-8e61-4d75-80be-e80461c54971",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.606264Z",
- "modified": "2020-08-21T20:50:04.606264Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8",
+ "created": "2022-02-04T23:52:35.829949Z",
+ "modified": "2022-09-08T18:26:13.418864Z",
+ "name": "Import Address Table (IAT) Hooking",
+ "description": "Malware (e.g. 
rootkit) modifies a process's import address table (IAT), which stores pointers to imported API functions.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md",
+ "external_id": "F0015.003"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.sans.org/media/score/checklists/rootkits-investigation-procedures.pdf"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--63f506d2-31c2-40cb-b648-38f60125b8a1",
+ "id": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.502442Z",
- "modified": "2021-02-10T06:49:35.502442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--baae0d7a-88a9-479c-879e-9bbd0dea3bf0",
- "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9",
+ "created": "2021-02-10T06:49:31.916486Z",
+ "modified": "2022-09-08T18:26:13.430885Z",
+ "name": "Disable or Evade Security Tools",
+ "description": "Malware may disable or evade security tools to avoid detection. 
Security tools include OS security features and updating tools, anti-virus (AV) tools, firewalls, tool components providing security related logging and/or reporting, and Antimalware Scan Interface (AMSI) related capabilities.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md",
+ "external_id": "F0004"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html"
+ },
+ {
+ "source_name": "external_source",
+ "description": "Alexander Adamov, Stealthy WastedLocker: eluding behavior blockers, but not only. Online:",
+ "url": "https://vblocalhost.com/conference/presentations/stealthy-wastedlocker-eluding-behaviour-blockers-but-not-only/"
+ },
+ {
+ "source_name": "external_source",
+ "description": "Carl Petty, Red Canary, 3/3/2020. 
Online:",
+ "url": "https://redcanary.com/blog/heavens-gate-technique-on-linux/"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--646c7b99-374e-4ba8-aff7-1f3992652300",
+ "id": "attack-pattern--b3369595-ed1a-4660-a239-08f6abd5810c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.532444Z",
- "modified": "2021-02-10T06:49:35.532444Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--69154c09-d2ee-4328-9543-1d0c1233df31",
- "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859",
+ "created": "2021-02-10T06:49:31.982483Z",
+ "modified": "2022-09-08T18:26:13.373922Z",
+ "name": "Send UDP Data::Socket Communication",
+ "description": "Send UDP data.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "communication-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md",
+ "external_id": "C0001.015"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--649e3ca9-4bae-4e3c-8977-89545e16bcbd",
+ "id": "attack-pattern--0f77be56-a5ef-4c06-8557-46782bb2cd67",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.465445Z",
- "modified": "2021-02-10T06:49:35.465445Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--bdeba524-0f2d-4d2f-a107-2b7516a0b496",
- "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
+ "created": "2021-02-10T06:49:31.992483Z",
+ "modified": "2022-09-08T18:26:13.388689Z",
+ "name": "Blowfish::Encrypt Data",
+ 
"description": "Malware encrypts with the Blowfish algorithm.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md",
+ "external_id": "C0027.002"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--65089091-ff7b-4b1a-b96f-24c10d611194",
+ "id": "attack-pattern--a9364e83-2893-4989-b01a-e74ea9ced03a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.605287Z",
- "modified": "2020-08-21T20:50:04.605287Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4",
+ "created": "2020-08-21T20:49:59.493266Z",
+ "modified": "2022-09-08T18:26:13.285146Z",
+ "name": "Check Windows - Window size",
+ "description": "Malware may check windows for VM-related characteristics. 
Tiny window size may indicate a VM.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
+ "external_id": "B0009.020"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--6512566b-ff2b-4f16-9cbf-17e2fb4d06de",
+ "id": "attack-pattern--dd600655-8b9a-4a67-be72-3088d96e0e5a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.53757Z",
- "modified": "2021-02-10T06:49:35.53757Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--1212c336-4105-477e-9e3a-0789790a3941",
- "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859",
+ "created": "2020-08-21T20:49:59.727262Z",
+ "modified": "2022-09-08T18:26:13.240923Z",
+ "name": "Red Hat JBoss Enterprise Products",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md",
+ "external_id": "E1203.m04"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--65457d14-1221-4a06-a652-f28ffc31c866",
+ "id": "attack-pattern--9b4638cb-2e9b-480e-a502-4ac8acfa4dd8",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": 
"2021-02-10T06:49:35.538467Z", - "modified": "2021-02-10T06:49:35.538467Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b4931f82-5f27-4329-a0c4-4f953195e6f1", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2021-02-10T06:49:31.983492Z", + "modified": "2022-09-08T18:26:13.375633Z", + "name": "UDP Client::Socket Communication", + "description": "UDP client behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.013" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--65608b0d-cf7a-4c51-8d4e-e52d81eca2ec", + "id": "attack-pattern--1d9b88e8-2bab-44ac-b1ae-26faf8f07f48", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.567485Z", - "modified": "2021-02-10T06:49:35.567485Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d", - "target_ref": "attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29", + "created": "2020-08-21T20:49:59.512264Z", + "modified": "2022-09-08T18:26:13.306093Z", + "name": "Malloc Use", + "description": "Instead of unpacking into a pre-defined section/segment (ex: .text) of the binary, use malloc() / VirtualAlloc() to create a new segment. 
This makes keeping track of memory locations across different runs more difficult, as there is no guarantee that malloc/VirtualAlloc will assign the same address range each time.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.013" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--65eb30ae-9fc5-4945-a2c5-1983a7771682", + "id": "attack-pattern--c31eb81c-b21c-4ae2-aed3-bcc77821d3ca", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.576443Z", - "modified": "2021-02-10T06:49:35.576443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b67d0824-50d3-4066-906b-93dd26a9f05f", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "created": "2020-08-21T20:49:59.861259Z", + "modified": "2022-09-08T18:26:13.34657Z", + "name": "Append Extension::Alter File Extension", + "description": "A new extension is appended.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/alter-file-extension.md", + "external_id": "C0015.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--67732fa8-3cfc-421f-8ada-29e22ed938ea", + "id": 
"attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.636849Z", - "modified": "2021-02-10T06:49:35.636849Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--2847e96e-8080-4f95-96df-b2194e42ac25", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2020-08-21T20:49:59.484262Z", + "modified": "2022-09-08T18:26:13.297643Z", + "name": "Product Key/ID Testing", + "description": "Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the Key/ID in the Windows registry.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", + "external_id": "B0007.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--68231d54-c9c8-4f0d-a39c-675a36464c1c", + "id": "attack-pattern--e22860a9-1026-46ee-a75e-feedc26196d5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.517138Z", - "modified": "2021-02-10T06:49:35.517138Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--2bef87a4-e803-4bb7-8f8f-fac4f63a02e1", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "created": "2020-08-21T20:49:59.578264Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Custom 
Compression", + "description": "Uses a custom algorithm to compress an executable file.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--6876ea16-d686-4e54-9eee-f4f22efb8e51", + "id": "attack-pattern--bf25a194-496a-4db2-801b-f2c5d3f951b5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.658443Z", - "modified": "2021-02-10T06:49:35.658443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5ef50fb5-9da5-4926-85a6-8049dc0be9b3", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2021-02-10T06:49:32.008483Z", + "modified": "2022-09-08T18:26:13.337978Z", + "name": "MurmurHash::Non-Cryptographic Hash", + "description": "Malware uses the MurmurHash hash function.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md", + "external_id": "C0030.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--69192ee9-36d6-464b-a53d-c70b6433e7de", + "id": "attack-pattern--becb5385-146e-42a3-a343-5beffc43a15c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.453445Z", - "modified": "2021-02-10T06:49:35.453445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9108b308-b962-4468-86bf-8921f77c963c", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2021-02-10T06:49:31.992483Z", + "modified": "2022-09-08T18:26:13.389187Z", + "name": "3DES::Encrypt Data", + "description": "Malware encrypts with the 3DES algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--6afb1755-ab8c-41d5-a9bc-2f6e86e2fad5", + "id": "attack-pattern--69154c09-d2ee-4328-9543-1d0c1233df31", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.671443Z", - "modified": "2021-02-10T06:49:35.671443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--70de257e-38ed-4422-864b-3b6d74aa5fab", - "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", + "created": "2020-08-21T20:49:59.555263Z", + "modified": "2022-09-08T18:26:13.191282Z", + "name": "Data Value Obfuscation", + "description": "Obfuscate data values through indirection of local or global variables. 
For example, the instruction *if (a == 0) do x* can be obfuscated by setting a global variable, *Z*, to zero and using it in the instruction: *if (a==Z) do x*. [NEEDS REVIEW]", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.008" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--6c274032-6011-4066-b65b-da1edc3c1041", + "id": "attack-pattern--5a28507d-35d5-4a9c-83e0-4ecb9774c23c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--81bed55c-e336-4637-bae0-07d7d4d82ebe", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "created": "2021-02-10T06:49:31.992483Z", + "modified": "2022-09-08T18:26:13.38894Z", + "name": "Camellia::Encrypt Data", + "description": "Malware encrypts with the Camellia algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--6c4bf2aa-075f-4da3-92ad-a8ce670b02d6", + "id": 
"attack-pattern--65ac0031-387e-41f5-8c05-4a7484fa460d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.458443Z", - "modified": "2021-02-10T06:49:35.458443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1e5a85a2-73fc-467c-a94b-ec867885b4c3", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.737262Z", + "modified": "2022-02-05T00:37:22.694887Z", + "name": "Execute", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", + "external_id": "B0011.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--6c6c6933-a843-4fcc-8534-4192e0c18c33", + "id": "attack-pattern--5c5601b2-b0ce-4732-a2b2-d45c30efef8c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.450445Z", - "modified": "2021-02-10T06:49:35.450445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--add320e6-3798-40f7-91be-5062eb3a9e00", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.581263Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Standard Compression of Code", + "description": "Uses a standard algorithm to compress the opcode mnemonics.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--6c6e7b24-3e47-4e1b-8291-9ea1db133089", + "id": "attack-pattern--e3f453d4-03f3-4a8a-bfb1-d603016e234f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.596443Z", - "modified": "2021-02-10T06:49:35.596443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--65ac0031-387e-41f5-8c05-4a7484fa460d", - "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", + "created": "2020-08-21T20:49:59.602268Z", + "modified": "2022-09-08T18:26:13.221582Z", + "name": "Screen Capture", + "description": "Malware takes screen captures of the desktop.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/screen-capture.md", + "external_id": "E1113" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": 
"attack-pattern", "spec_version": "2.1", - "id": "relationship--6d364d40-56c6-4f5c-931d-51a7dfa6aed1", + "id": "attack-pattern--dcfb5c52-a6e0-4c64-a937-91d730cd7a5b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.505442Z", - "modified": "2021-02-10T06:49:35.505442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3d34b429-1686-44be-8b63-bded4942cee7", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.47826Z", + "modified": "2022-09-08T18:26:13.323294Z", + "name": "Check Emulator-related Registry Keys", + "description": "Emulators register artifacts in the registry, which can be detected by malware. For example, installation of QEMU results in the registry key: *HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0* with value=*Identifier* and data=*QEMU*, or registry key: *HARDWARE\\Description\\System* with value=*SystemBiosVersion* and data=*QEMU*.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md", + "external_id": "B0004.003" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--6da04862-dd32-45b6-b7d4-c18f6594bba9", + "id": "attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:34.070442Z", - "modified": "2021-02-10T06:49:34.070442Z", - "relationship_type": "uses", - 
"description": "Prevents the infected system from installing anti-virus software updates.", - "source_ref": "malware--0c0d59b7-4ff0-4a09-9c64-558334485ece", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", + "created": "2020-08-21T20:49:59.90326Z", + "modified": "2022-09-08T18:26:13.254202Z", + "name": "Component Firmware", + "description": "Malware may overwrite the flash memory of firmware outside of the main system firmware or BIOS. [[1]](#1). Methods related to malware (extending ATT&CK's definitions) are below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/component-firmware.md", + "external_id": "F0009" + }, + { + "source_name": "external_source", + "url": "https://www.scmagazine.com/home/opinions/are-synful-knock-style-router-attacks-set-to-become-the-new-normal/" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html" + }, + { + "source_name": "external_source", + "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/synful-knock-acis" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--6dada824-1e59-4ceb-aa22-b995e42a8347", + "id": "attack-pattern--bdf66c87-1488-4eed-ae9c-2482bc93e93d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - 
"created": "2021-02-10T06:49:35.560441Z", - "modified": "2021-02-10T06:49:35.560441Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--69af89da-bf40-4b9e-93c5-baa8fb937099", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2021-02-10T06:49:31.970483Z", + "modified": "2022-09-08T18:26:13.376431Z", + "name": "Send File::FTP Communication", + "description": "Send FTP file.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/ftp-communication.md", + "external_id": "C0004.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--6e718457-ce04-42b7-8e37-d8e4c6d62f5c", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.569485Z", - "modified": "2021-02-10T06:49:35.569485Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8d901ae3-1492-4090-b730-438071314947", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.739261Z", + "modified": "2022-09-08T18:26:13.239557Z", + "name": "Remote Commands", + "description": "Malware may provide an attacker with explicit commands. 
This behavior differs from the **Remote Access ([B0022](https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/remote-access.md))** behavior under the [Impact](https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact) objective in that *Impact: Remote Access* is potentially much broader and may include full remote access.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", + "external_id": "B0011" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" + }, + { + "source_name": "external_source", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--6e80f69c-e08f-4d12-9e61-affb609bfe7b", + "id": "attack-pattern--c5c986d0-cf3f-44bb-9f0e-023783e6066d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.574482Z", - "modified": "2021-02-10T06:49:35.574482Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--89bb05dd-fd11-40c4-918e-db0c3cde0955", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "created": "2022-09-08T18:26:13.214811Z", + "modified": "2022-09-08T18:26:13.214811Z", + "name": "Known Windows Class Name", + "description": "Running program windows are 
checked to see if any windows class name contains a string indicating that an analysis tool is running. For example, 'WinDbgFrameClass' is Windbg main windowā€™s class name. [2]", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", + "external_id": "B0013.010" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--706003e5-02d2-4e24-b6fc-731d4b36509c", + "id": "attack-pattern--cc396380-d266-4e87-8fc7-412e89a2b4b0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--23cc9528-7b14-4f75-9daf-0afb8d9c24fa", - "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263", + "created": "2022-02-04T23:52:35.908377Z", + "modified": "2022-09-08T18:26:13.246998Z", + "name": "System Services", + "description": "Malware may abuse system services or daemons to execute.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/system-services.md", + "external_id": "E1569" + }, + { + "source_name": "external_source", + "url": "https://support.resolver.com/hc/en-ca/articles/207161116-Configure-Microsoft-Distributed-Transaction-Coordinator-MSDTC-" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": 
"attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--70efaea9-7c21-4e6a-8771-3ef2ec3834ab",
+ "id": "attack-pattern--e35d4dd6-591c-4f6d-b182-16adc70ce74f",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.593443Z",
- "modified": "2021-02-10T06:49:35.593443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--0eb664b8-73e1-4799-9e22-277ab898579d",
- "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9",
+ "created": "2020-08-21T20:49:59.515309Z",
+ "modified": "2022-09-08T18:26:13.308112Z",
+ "name": "Return Obfuscation",
+ "description": "Overwrite the RET address on the stack or the code at the RET address. Variation seen that writes to the start-up code or main module that called the malware's WinMain or DllMain.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
+ "external_id": "B0002.021"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--72044d7c-39a9-451c-820c-14bc25c45c84",
+ "id": "attack-pattern--ecf1cd8c-ffef-40bd-a2e3-441e77a84a77",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.574482Z",
- "modified": "2021-02-10T06:49:35.574482Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--f277deb3-f676-4536-b7c0-8cc76354b631",
- "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c",
+ "created": "2021-02-10T06:49:32.036443Z",
+ "modified": "2022-02-05T00:37:22.819853Z",
+ "name": "Create Suspended Process::Create Process",
+ "description": "Malware created a suspended process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "process-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-process.md",
+ "external_id": "C0017.003"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7219324e-57db-4a0a-b08b-62b12c0dc34b",
+ "id": "attack-pattern--d37365f4-63c4-4c3e-a81e-be518e7561f1",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.600252Z",
- "modified": "2020-08-21T20:50:04.600252Z",
- "relationship_type": "uses",
- "description": "Alters DNS server settings to route to a rogue DNS server for the purpose of click hijacking.",
- "source_ref": "malware--0c0d59b7-4ff0-4a09-9c64-558334485ece",
- "target_ref": "attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a",
+ "created": "2021-02-10T06:49:31.990485Z",
+ "modified": "2022-09-08T18:26:13.386298Z",
+ "name": "RSA::Decrypt Data",
+ "description": "Malware decrypts data encrypted with the RSA algorithm.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
+ "external_id": "C0031.010"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--73c3780f-ca3d-4e58-88af-fce45e47d165",
+ "id": "attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.607256Z",
- "modified": "2020-08-21T20:50:04.607256Z",
- "relationship_type": "uses",
- "description": "Redhip detects VMWare, Virtual PC and Virtual Box. It also detects VM environments in general by considering timing lapses.",
- "source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2020-08-21T20:49:59.80226Z",
+ "modified": "2022-09-08T18:26:13.226424Z",
+ "name": "Supply Chain Compromise",
+ "description": "The supply chain may be compromised to enable initial malware infection. MBC objectives don't encompass initial infection, but the malware-related methods are listed below supplement the information available defined in ATT&CK and allow for lateral movement: **Supply Chain Compromise ([T1195](https://attack.mitre.org/techniques/T1195/), [T1474](https://attack.mitre.org/techniques/T1474/))**.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/lateral-movement/supply-chain-compromise.md",
+ "external_id": "E1195"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--73d8c064-876d-4735-aca1-371a05bd0d54",
+ "id": "attack-pattern--81090849-4ac4-4838-9e06-6a027036d936",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.962929Z",
- "modified": "2022-02-04T23:52:40.962929Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--2c55e74c-c066-43e0-bdaa-8d74959b7694",
- "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58",
+ "created": "2021-02-10T06:49:32.031479Z",
+ "modified": "2022-02-05T00:37:22.819853Z",
+ "name": "Delete Registry Value::Registry",
+ "description": "Malware deletes a registry value.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "operating-system-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md",
+ "external_id": "C0036.007"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--743c0cb2-bba4-4dfa-bbd6-ac5ed8875761",
+ "id": "attack-pattern--793f4091-8c74-4062-95e0-0b32bccb5777",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.615251Z",
- "modified": "2020-08-21T20:50:04.615251Z",
- "relationship_type": "uses",
- "description": "WebCobra injects malicious code to svchost.exe and uses an infinite loop to check all open windows and to compare each windowā€™s title bar text with a set of strings to determine whether it is running in an isolated, malware analysis environment.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2021-02-10T06:49:32.018479Z",
+ "modified": "2022-09-08T18:26:13.349481Z",
+ "name": "Set File Attributes",
+ "description": "Malware sets or modifies the attributes of a file.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "file-system-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/set-file-attributes.md",
+ "external_id": "C0050"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7474dc42-a5b4-4eec-a8e4-813e358ad306",
+ "id": "attack-pattern--1a424274-077f-4c21-bc63-ef2d8e574ed0",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.471485Z",
- "modified": "2021-02-10T06:49:35.471485Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--f7d5a289-5ab3-4b74-912a-c7ab2748770c",
- "target_ref": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70",
+ "created": "2021-02-10T06:49:32.019478Z",
+ "modified": "2022-09-08T18:26:13.34592Z",
+ "name": "Writes File",
+ "description": "Malware writes to a file. Writing to a file enables file modification.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "file-system-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/write-file.md",
+ "external_id": "C0052"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--74774a28-cd8c-4ceb-ab30-53dab39e8578",
+ "id": "attack-pattern--09c1ddac-3b9f-487d-acba-78be3b686519",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.533442Z",
- "modified": "2021-02-10T06:49:35.533442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af",
- "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859",
+ "created": "2020-08-21T20:49:59.530265Z",
+ "modified": "2022-09-08T18:26:13.302142Z",
+ "name": "Unusual/Undocumented API Calls",
+ "description": "Call unusual APIs to block non-exhaustive emulators (particularly anti-virus).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md",
+ "external_id": "B0005.003"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7574627e-17f8-4f6e-a98e-f77e756e9f4b",
+ "id": "attack-pattern--ca97cf63-678d-45e3-8ac8-bca2334e520e",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.676443Z",
- "modified": "2021-02-10T06:49:35.676443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--37487e77-eda2-495c-bf1c-48f05062b2ca",
- "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae",
+ "created": "2022-09-08T18:26:13.268708Z",
+ "modified": "2022-09-08T18:26:13.268708Z",
+ "name": "Exploit Kit",
+ "description": "An Exploit Kit is a toolkit that exploits vulnerabilities in software to deliver malicious payloads (malware).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/exploit-kit.md",
+ "external_id": "E1190"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7584f133-0c09-41d6-b3b5-1610bf14ca6a",
+ "id": "attack-pattern--a385dfe3-ba5e-4cc7-9a6d-a38349b44739",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.97859Z",
- "modified": "2022-02-04T23:52:40.97859Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--c9223618-2865-499f-890e-2848db80a6d9",
- "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae",
+ "created": "2022-09-08T18:26:13.393348Z",
+ "modified": "2022-09-08T18:26:13.393348Z",
+ "name": "API Call::Crypto Library",
+ "description": "Malware uses crypto API calls.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-lib.md",
+ "external_id": "C0059.001"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--75f5c30a-ad85-4f2e-87b0-ac7f45cd1f8c",
+ "id": "attack-pattern--68791849-d1ec-436a-983a-b6ca41bea52c",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.590482Z",
- "modified": "2021-02-10T06:49:35.590482Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--f1e8e35a-e893-403a-b34c-1b5d54945764",
- "target_ref": "attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f",
+ "created": "2020-08-21T20:49:59.514301Z",
+ "modified": "2022-09-08T18:26:13.306849Z",
+ "name": "Obfuscate Library Use",
+ "description": "LoadLibrary API calls or direct access of kernel32 via PEB (fs[0]) pointers, used to rebuild IAT or just obfuscate library use.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
+ "external_id": "B0002.016"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--765f09f5-bc92-4cd1-a350-605b90422e43",
+ "id": "attack-pattern--53354aca-b791-4d12-875c-730f75d9be91",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.590482Z",
- "modified": "2021-02-10T06:49:35.590482Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--69f9ba6a-eb9e-4486-ae5e-fb7de1012c90",
- "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9",
+ "created": "2022-02-04T23:52:36.077859Z",
+ "modified": "2022-02-05T00:37:22.804261Z",
+ "name": "Move File",
+ "description": "Malware moves a file.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "file-system-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/move-file.md",
+ "external_id": "C0063"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7704d7a4-91da-4a53-a4f9-ae8f8912da6a",
+ "id": "attack-pattern--8845345d-4d1d-4527-9b6a-93f23f247992",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.579443Z",
- "modified": "2021-02-10T06:49:35.579443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--e23ee3ae-6960-4b56-b962-33184f999657",
- "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754",
+ "created": "2020-08-21T20:49:59.871262Z",
+ "modified": "2022-02-05T00:37:22.804261Z",
+ "name": "Allocate Memory",
+ "description": "Malware allocates memory, often to unpack itself.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "memory-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/allocate-memory.md",
+ "external_id": "C0007"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--78235ffd-fb8c-4167-b996-0e7b3853e0db",
+ "id": "attack-pattern--3018beac-a047-4b14-9c72-3340866b4c67",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.945699Z",
- "modified": "2022-02-04T23:52:40.945699Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--ebdd8ba8-4235-4ee3-8866-a9d33f9dd11e",
- "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439",
+ "created": "2022-02-04T23:52:35.845581Z",
+ "modified": "2022-09-08T18:26:13.410914Z",
+ "name": "Patch Process Command Line",
+ "description": "Malware patches the PEB of a process to spoof the arguments.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md",
+ "external_id": "E1055.m04"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--78aec280-eead-46dc-993e-7d5ad2b57541",
+ "id": "attack-pattern--5aed60b2-8feb-4d3a-a585-b399a41bbc6f",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.678443Z",
- "modified": "2021-02-10T06:49:35.678443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--77b42d45-8bcf-4d7d-b6d1-4756b6edf272",
- "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae",
+ "created": "2020-08-21T20:49:59.581263Z",
+ "modified": "2022-02-05T00:37:22.585511Z",
+ "name": "Standard Compression of Data",
+ "description": "Uses a standard algorithm to compress strings and variables (executable file data).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md",
+ "external_id": "F0001.004"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--78cfc708-d577-4899-b286-61c0a82599d8",
+ "id": "attack-pattern--9398839c-520f-4aab-9c81-92d6518800e7",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.529445Z",
- "modified": "2021-02-10T06:49:35.529445Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--5a895abc-11b8-4f33-a05d-47daa38002af",
- "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd",
+ "created": "2020-08-21T20:49:59.853263Z",
+ "modified": "2022-02-05T00:37:22.773011Z",
+ "name": "Check String",
+ "description": "Malware may check a string for some characteristics, such as being ascii content; credit card number; or length.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "data-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/check-string.md",
+ "external_id": "C0019"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--79898173-fa8c-4eff-86bd-d49caca32833",
+ "id": "attack-pattern--a453cf88-1389-4ffd-8f3c-e95475f10a9f",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.63947Z",
- "modified": "2021-02-10T06:49:35.63947Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--1004c879-79b0-44db-996c-910a7f9e3857",
- "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e",
+ "created": "2021-02-10T06:49:31.989483Z",
+ "modified": "2022-09-08T18:26:13.384472Z",
+ "name": "Blowfish::Decrypt Data",
+ "description": "Malware decrypts data encrypted with the Blowfish algorithm.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md",
+ "external_id": "C0031.003"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--79dd668f-7c39-4f76-acb6-828bf36df88d",
+ "id": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.670445Z",
- "modified": "2021-02-10T06:49:35.670445Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--8cf4e8d0-21b6-4e35-97c2-97e6c5322509",
- "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484",
+ "created": "2021-02-10T06:49:31.937479Z",
+ "modified": "2022-09-08T18:26:13.208877Z",
+ "name": "File and Directory Discovery",
+ "description": "Malware may enumerate files and directories or may search for specific files or in specific locations.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/file-and-directory-discovery.md",
+ "external_id": "E1083"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.secureworks.com/research/cryptolocker-ransomware"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--79fbdd05-ec26-4596-b45c-f6396038c57c",
+ "id": "attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.673442Z",
- "modified": "2021-02-10T06:49:35.673442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--6495c1d8-c694-4fc0-8063-05f0a42cad27",
- "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae",
+ "created": "2021-02-10T06:49:31.936476Z",
+ "modified": "2022-09-08T18:26:13.211623Z",
+ "name": "Application Window Discovery",
+ "description": "Malware may attempt to get a listing of open application windows.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/application-window-discovery.md",
+ "external_id": "E1010"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7a4e0f35-e30b-4447-a0cc-125626d39656",
+ "id": "attack-pattern--81bed55c-e336-4637-bae0-07d7d4d82ebe",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.606264Z",
- "modified": "2020-08-21T20:50:04.606264Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754",
+ "created": "2022-02-04T23:52:35.829949Z",
+ "modified": "2022-09-08T18:26:13.406956Z",
+ "name": "Encryption",
+ "description": "A malware sample, file, or other information is encrypted.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md",
+ "external_id": "E1027.m04"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7aa24094-a0c9-40c9-b18a-66e5ce8158e4",
+ "id": "attack-pattern--5625baf5-d4bd-4920-b541-abc2e8466405",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.652445Z",
- "modified": "2021-02-10T06:49:35.652445Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--97a53670-fbd8-40bb-a950-acec7a6e7958",
- "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6",
+ "created": "2022-02-04T23:52:35.845581Z",
+ "modified": "2022-09-08T18:26:13.40463Z",
+ "name": "Memory Rootkit",
+ "description": "A memory rootkit hids in RAM. Behaviors may include methods to prevent memory access. The lifespan of a memory rootkit is short because it disappears after a system reboot.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/rootkit.md",
+ "external_id": "E1014.m17"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7ae9beee-acbe-4274-bb88-de255765168e",
+ "id": "attack-pattern--6a54a038-71b7-4b4c-87c2-2e5b433404af",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.682848Z",
- "modified": "2021-02-10T06:49:35.682848Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--b7a3c18a-0a7c-407a-8857-3e2e8d941775",
- "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f",
+ "created": "2020-08-21T20:49:59.551264Z",
+ "modified": "2022-09-08T18:26:13.207132Z",
+ "name": "Value Dependent Jumps",
+ "description": "Explicit use of computed values for control flow, often many times in the same basic block or function.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md",
+ "external_id": "B0012.003"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7b608625-85f3-4a55-a8c0-6fb72a61b604",
+ "id": "attack-pattern--62792aba-aba0-4623-b7b7-479bae7d314b",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.686444Z",
- "modified": "2021-02-10T06:49:35.686444Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--e84f764e-ace1-4149-b73d-664b17954d7b",
- "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f",
+ "created": "2020-08-21T20:49:59.705262Z",
+ "modified": "2022-09-08T18:26:13.214539Z",
+ "name": "Known Window",
+ "description": "Malware may detect an analysis tool via the presence of a known window.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md",
+ "external_id": "B0013.009"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7c1c47b5-d0b2-49f5-a7f7-1a74dfff6373",
+ "id": "attack-pattern--0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.962929Z",
- "modified": "2022-02-04T23:52:40.962929Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--5625baf5-d4bd-4920-b541-abc2e8466405",
- "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63",
+ "created": "2020-08-21T20:49:59.556264Z",
+ "modified": "2022-09-08T18:26:13.191784Z",
+ "name": "Entry Point Obfuscation",
+ "description": "Obfuscate the entry point of the malware executable.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
+ "external_id": "B0032.009"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7c97afe2-429f-4a23-9654-ae96a117ed8f",
+ "id": "attack-pattern--0e87261d-5234-4ccb-87c1-2f9bb32b5c11",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.628442Z",
- "modified": "2021-02-10T06:49:35.628442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--e0563aa9-70e1-41b8-ae78-0434ece93e36",
- "target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb",
+ "created": "2020-08-21T20:49:59.512264Z",
+ "modified": "2022-09-08T18:26:13.305366Z",
+ "name": "Import Obfuscation",
+ "description": "Add obfuscation between imports calls and APIs.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
+ "external_id": "B0002.010"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7cc7dc4b-552c-4bb6-8201-be33f91eaae2",
+ "id": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.662504Z",
- "modified": "2021-02-10T06:49:35.662504Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--39df68e5-9065-4b60-8ad1-ff626707b95a",
- "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6",
+ "created": "2020-08-21T20:49:59.609265Z",
+ "modified": "2022-09-08T18:26:13.231605Z",
+ "name": "C2 Communication",
+ "description": "All command and control malware use implant/controller communication. The methods listed below can be used to capture explicit communication details. Remote file copy behavior is captured separately, as is done in ATT&CK - see **Ingress Tool Transfer ([E1105](https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/ingress-tool-transfer.md))**.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
+ "external_id": "B0030"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mandiant.com/resources/hot-knives-through-butter-evading-file-based-sandboxes"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7cd10bf9-ba46-4317-a85b-231e5c832076",
+ "id": "attack-pattern--d71d433d-6815-4cca-940c-b21b05ab9a47",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.492443Z",
- "modified": "2021-02-10T06:49:35.492443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--81c902fa-0862-4f21-b951-f82a5d39f204",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2022-02-04T23:52:35.829949Z",
+ "modified": "2022-09-08T18:26:13.417979Z",
+ "name": "Abuse Windows Function Calls",
+ "description": "Malware abuses native Windows function calls to transfer execution to shellcode that it loads into memory. A pointer to the callback function is used to supply the memory address of the shellcode. Functions that can be abused include EnumResourceTypesA and EnumUILanguagesW.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md",
+ "external_id": "F0015.006"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://ropgadget.com/posts/abusing_win_functions.html"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7ce27e33-57a1-4f7c-be2a-bc1c02895dc1",
+ "id": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.604442Z",
- "modified": "2021-02-10T06:49:35.604442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--68d12b85-7712-4572-a801-222a375b7033",
- "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c",
+ "created": "2022-09-08T18:26:13.427132Z",
+ "modified": "2022-09-08T18:26:13.427132Z",
+ "name": "Hide Artifacts",
+ "description": "Malware may hide artifacts to evade detection and/or to persist on the system. See potential methods related to malware below.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md",
+ "external_id": "E1564"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7d24fa52-34a0-4296-95ab-5951fadfd081",
+ "id": "attack-pattern--fecc2029-1268-4e13-b4b7-2b9f00c84972",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.598503Z",
- "modified": "2021-02-10T06:49:35.598503Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--4d618788-4089-4149-8948-3d3524c766c5",
- "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200",
+ "created": "2020-08-21T20:49:59.578264Z",
+ "modified": "2022-02-05T00:37:22.585511Z",
+ "name": "Confuser",
+ "description": "Uses Confuser packer.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md",
+ "external_id": "F0001.009"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
  },
  {
- "type": "relationship",
+ "type": "attack-pattern",
  "spec_version": "2.1",
- "id": "relationship--7e1a826f-411b-4735-bed7-7f72aecfaae7",
+ "id": "attack-pattern--a6389b1f-c2f4-4bb7-8b52-6725b00f6052",
  "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.489479Z",
- "modified": "2021-02-10T06:49:35.489479Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--db58e527-5e81-489f-b05a-537ea9b6bae9",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2020-08-21T20:49:59.688263Z",
+ "modified": "2022-09-08T18:26:13.409864Z",
+ "name": "Injection and Persistence via Registry Modification",
+ "description": "Malware may insert the location of its malicious library under a registry key (e.g., Appinit_DLL, AppCertDlls, IFEO) to have another process load its library.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
  "object_marking_refs": [
  "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md", + "external_id": "E1055.m02" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--802d1fb6-9260-4e51-b06a-99d573112106", + "id": "attack-pattern--673cfd52-f67e-4fad-80b2-64465de4f7b0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.458443Z", - "modified": "2021-02-10T06:49:35.458443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--904b465b-d733-4619-b0d5-5c394cd2b7f3", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2021-02-10T06:49:31.973483Z", + "modified": "2022-09-08T18:26:13.364749Z", + "name": "Send Data::HTTP Communication", + "description": "HTTP clients sends data to a server (POST/PUT).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--80ae5c69-ce3c-4fdb-a023-5c120334f321", + "id": "attack-pattern--82b547ba-e0b0-457f-95fc-c661d1aa0942", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.551476Z", - "modified": "2021-02-10T06:49:35.551476Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--5c5601b2-b0ce-4732-a2b2-d45c30efef8c", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2021-02-10T06:49:31.980486Z", + "modified": "2022-09-08T18:26:13.372133Z", + "name": "Create Socket::Socket Communication", + "description": "A server or client creates a UDP or TCP socket.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--80e2a5e2-1e17-463b-bc9d-d58b4884c7f7", + "id": "attack-pattern--8226e7fa-8e78-497b-9967-32e5d1395e12", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.499441Z", - "modified": "2021-02-10T06:49:35.499441Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4b908d8d-dc10-4114-99e6-8a82fe6a5e7f", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-02-05T00:37:22.632387Z", + "name": "Hidden Kernel Modules", + "description": "Hides the use of kernel modules by the malware instance (e.g. rootkit). 
Techniques include kernel module list unlinking.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md", + "external_id": "E1564.m05" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8176d422-a51b-488d-ae21-0a67afb64b3d", + "id": "attack-pattern--77b42d45-8bcf-4d7d-b6d1-4756b6edf272", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.689442Z", - "modified": "2021-02-10T06:49:35.689442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--bf339932-e456-44db-a711-b2d3482d9065", - "target_ref": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", + "created": "2021-02-10T06:49:31.990485Z", + "modified": "2022-09-08T18:26:13.387063Z", + "name": "Stream Cipher::Decrypt Data", + "description": "Malware decrypts data encrypted with a stream cipher.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.013" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--81859fbe-e752-42f3-b717-2a6a7e13c0c8", + "id": "attack-pattern--6dfa5d14-e016-4572-a2c9-ca4f697c7a14", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.994215Z", - "modified": "2022-02-04T23:52:40.994215Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--87414f49-bf46-4a09-9999-979d71eb16a5", - "target_ref": "attack-pattern--cc396380-d266-4e87-8fc7-412e89a2b4b0", + "created": "2020-08-21T20:49:59.737262Z", + "modified": "2022-02-05T00:37:22.694887Z", + "name": "Shutdown", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", + "external_id": "B0011.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--81f4bfa5-9f8d-4aa1-a84e-b47f33aab606", + "id": "attack-pattern--f7d5a289-5ab3-4b74-912a-c7ab2748770c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.598251Z", - "modified": "2020-08-21T20:50:04.598251Z", - "relationship_type": "uses", - "description": "Launches distributed denial of service attacks that can target more than one IP address per hostname.", - "source_ref": "malware--cdd198e2-3f6f-42c4-adfd-d97dc66c5f19", - "target_ref": "attack-pattern--b8311cd4-85f0-4e4c-83c5-0af831e6d7f1", + "created": "2020-08-21T20:49:59.479261Z", + "modified": "2022-09-08T18:26:13.324112Z", + "name": "Failed Network Connections", + "description": "Some emulated systems fail to handle some network communications; such failures will indicate the emulated environment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md", + "external_id": "B0004.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--826a0d8f-b98b-4025-8148-bc20c9cbdfc6", + "id": "attack-pattern--fb0ec928-14d1-49f3-9897-14e3613b4ad7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.89883Z", - "modified": "2022-02-04T23:52:40.89883Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--195e17be-fac3-4ffe-a961-631e2af205bb", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.462262Z", + "modified": "2022-09-08T18:26:13.314204Z", + "name": "IsDebuggerPresent", + "description": "The kernel32!IsDebuggerPresent API function call checks the PEB BeingDebugged flag to see if the calling process is being debugged. It returns 1 if the process is being debugged, 0 otherwise. 
This is one of the most common ways of debugger detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.008" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--826fbc55-db75-4781-948b-adde0c819fed", + "id": "attack-pattern--4a062538-03cd-44da-a19f-6ed4401a4c36", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.615251Z", - "modified": "2020-08-21T20:50:04.615251Z", - "relationship_type": "uses", - "description": "Can download and install arbitrary iOS apps.", - "source_ref": "malware--a6ad7a2e-f619-4598-914b-16f68b372789", - "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae", + "created": "2021-02-10T06:49:31.972483Z", + "modified": "2022-09-08T18:26:13.363582Z", + "name": "Download URL::HTTP Communication", + "description": "HTTP client downloads URL to file.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.006" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8299bd93-7c36-4c35-a732-5abda6ba8dab", + "id": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1540ed37-87c4-485f-b729-1e418a63762c", - "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", + "created": "2020-08-21T20:49:59.729261Z", + "modified": "2022-09-08T18:26:13.242142Z", + "name": "Exploitation for Client Execution", + "description": "Software is exploited - either because of a vulnerability or through its designed features - to gain access for malware. In general, exploitation may be done by a human attacker, but MBC focuses on software exploits implemented in code. Malware-specific details are below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md", + "external_id": "E1203" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--82d74673-595f-4bac-9f5d-074122c8f59f", + "id": "attack-pattern--763fa6dd-331c-4c07-bc09-00f40cc958cc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:41.041094Z", - "modified": "2022-02-04T23:52:41.041094Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b3bc7ff9-4ea7-4b1a-9301-ea0e07e4a85f", - "target_ref": "attack-pattern--916d6dca-adbc-4af9-b810-eb7cd72779c8", + "created": "2021-02-10T06:49:31.981483Z", + "modified": 
"2022-09-08T18:26:13.372652Z", + "name": "Create TCP Socket::Socket Communication", + "description": "A TCP socket is created.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.011" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--82fe7e83-1dcb-4c39-a6c7-0613d0ee6412", + "id": "attack-pattern--21399f14-f429-48f6-be04-d971783ba531", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.527917Z", - "modified": "2021-02-10T06:49:35.527917Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--55040e64-313d-4656-8e1c-1146ff2f47d7", - "target_ref": "attack-pattern--c6c8f32e-7d92-401e-930f-d193a59e4c95", + "created": "2022-02-04T23:52:35.870658Z", + "modified": "2022-09-08T18:26:13.209889Z", + "name": "Enumerate PE Sections", + "description": "Malware enumerates virtual offsets of code sections.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/code-discovery.md", + "external_id": "B0046.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--83f2e82d-a763-4aa2-bae2-c80d2d4aef3b", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.588443Z", - 
"modified": "2021-02-10T06:49:35.588443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--95c86aee-57b2-4cc2-9354-772a30b4024f", - "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--35284c4d-652f-40bd-b49b-7d625914bc75", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.483264Z", + "modified": "2022-09-08T18:26:13.295463Z", + "name": "Check Clipboard Data", + "description": "Checks clipboard data which can be used to detect whether execution is inside a sandbox.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", + "external_id": "B0007.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8473645f-775d-4bdc-8a66-971387760c7c", + "id": "attack-pattern--2080b6b4-a74c-43da-97db-1a2ca33ca589", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.636443Z", - "modified": "2021-02-10T06:49:35.636443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--673cfd52-f67e-4fad-80b2-64465de4f7b0", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2020-08-21T20:49:59.464262Z", + "modified": "2022-09-08T18:26:13.315334Z", + "name": "NtQueryInformationProcess", + "description": "Calling NtQueryInformationProcess with its ProcessInformationClass parameter set to 0x07 (ProcessDebugPort constant) will cause the system to set ProcessInformation to -1 if the process is being 
debugged. Calling with ProcessInformationClass set to 0x0E (ProcessDebugFlags) or 0x11 (ProcessDebugObject) are used similarly. Testing \"ProcessDebugPort\" is equivalent to using the kernel32!CheckRemoteDebuggerPresent API call (see next method).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.012" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8486b307-4ae3-42dc-ab6d-d9d511495390", + "id": "attack-pattern--2bef87a4-e803-4bb7-8f8f-fac4f63a02e1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.511492Z", - "modified": "2021-02-10T06:49:35.511492Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--45f0c217-fd80-4ce1-a9b1-4a62418162bb", - "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", + "created": "2020-08-21T20:49:59.534261Z", + "modified": "2022-09-08T18:26:13.274836Z", + "name": "Erase the PE header", + "description": "Erase PE header from memory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--8569d3d1-2f9f-44ac-afcc-768271d8a890", + "id": "attack-pattern--2c55e74c-c066-43e0-bdaa-8d74959b7694", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8226e7fa-8e78-497b-9967-32e5d1395e12", - "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504", + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-09-08T18:26:13.418468Z", + "name": "Export Address Table (EAT) Hooking", + "description": "Malware (e.g. rootkit) hooks the export address table (EAT).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", + "external_id": "F0015.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8650287d-c065-4a52-9772-435273ffae82", + "id": "attack-pattern--a6c50b34-3247-4e39-91d5-75f4fb97a9f9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.506476Z", - "modified": "2021-02-10T06:49:35.506476Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--795aa535-959e-44b7-9f5e-2d5d0ca3cd1c", - 
"target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2021-02-10T06:49:31.993484Z", + "modified": "2022-09-08T18:26:13.390576Z", + "name": "RSA::Encrypt Data", + "description": "Malware encrypts with the RSA algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.011" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--868c6012-4082-4b0d-a18e-c641ac0bb05e", + "id": "attack-pattern--d61e7edf-865e-4d88-99cb-09dad9e44195", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.657447Z", - "modified": "2021-02-10T06:49:35.657447Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d27a6bf4-7e7b-4007-9301-20eec9d8fe20", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.657259Z", + "modified": "2022-09-08T18:26:13.430067Z", + "name": "Unhook APIs", + "description": "Security products may hook APIs to monitor the behavior of malware. 
To avoid being found, malware may load DLLs in memory and overwrite their bytes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", + "external_id": "F0004.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--86db4afc-b24b-4201-bc24-70d3d23c1710", + "id": "attack-pattern--6636c8bd-41a4-4a1e-965d-642c08be68db", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.656443Z", - "modified": "2021-02-10T06:49:35.656443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--763fa6dd-331c-4c07-bc09-00f40cc958cc", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.651264Z", + "modified": "2022-09-08T18:26:13.424712Z", + "name": "Steganography", + "description": "Malware may store information in an image. 
See related ATT&CK techniques: Data Obfuscation: Steganography [T1001.002](https://attack.mitre.org/techniques/T1001/002), Obfuscated Files or Information: Steganography ([T1027.003](https://attack.mitre.org/techniques/T1027/003), [T1406.001](https://attack.mitre.org/techniques/T1406/001)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/covert-location.md", + "external_id": "B0040.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--86e0f1c9-6af3-47d6-a16c-68a9c4c853c0", + "id": "attack-pattern--4f3bc817-8162-41b5-b617-5c9a261b66e0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.547447Z", - "modified": "2021-02-10T06:49:35.547447Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--84b9dfc5-4109-40fb-8378-52ecc2919cb4", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2020-08-21T20:49:59.460262Z", + "modified": "2022-09-08T18:26:13.313417Z", + "name": "Debugger Artifacts", + "description": "Malware may detect a debugger by its artifact (window title, device driver, exports, etc.).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + 
"type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--87b820ed-3140-4a12-a9bf-48274ba5df8c", + "id": "attack-pattern--968a2baa-33b0-4c2a-afb8-b899e1acbc0a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.461442Z", - "modified": "2021-02-10T06:49:35.461442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--dc49a540-64a4-47e7-8931-0ad5ce595cb7", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2021-02-10T06:49:31.936476Z", + "modified": "2022-09-08T18:26:13.208374Z", + "name": "Log File", + "description": "Malware may look for system log files.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/file-and-directory-discovery.md", + "external_id": "E1083.m01" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8955eb81-a5c8-4ded-964b-4d227ee2c7d2", + "id": "attack-pattern--92ac0cef-de80-4baa-869c-dc993492c0da", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.680442Z", - "modified": "2021-02-10T06:49:35.680442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--0f77be56-a5ef-4c06-8557-46782bb2cd67", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", + "created": "2021-02-10T06:49:31.986482Z", + "modified": "2022-09-08T18:26:13.381478Z", + "name": "SHA256::Cryptographic Hash", + "description": "Malware uses a SHA-256 hash.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", + "external_id": "C0029.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--89cb978e-d4f7-4a13-95ae-5599dd877131", + "id": "attack-pattern--4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.607256Z", - "modified": "2020-08-21T20:50:04.607256Z", - "relationship_type": "uses", - "description": "Redhip samples are packed with different custom packers.", - "source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2020-08-21T20:49:59.641261Z", + "modified": "2022-09-08T18:26:13.433182Z", + "name": "Bootkit", + "description": "The boot sectors of a hard drive are modified (e.g., Master Boot Record (MBR)). ATT&CK associates bootkits with the Persistence. 
See ATT&CK: **Pre-OS Boot: Bootkit ([T1067](https://attack.mitre.org/techniques/T1067/))**.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/bootkit.md", + "external_id": "F0013" + }, + { + "source_name": "external_source", + "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" + }, + { + "source_name": "external_source", + "url": "https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--89f5a894-a725-48cf-a061-fcc45f2d370d", + "id": "attack-pattern--1b5c05fd-3785-4710-8ee2-efadad6ef437", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5c965b91-a0fd-4a85-b688-9be91a7a5aa8", - "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263", + "created": "2020-08-21T20:49:59.491263Z", + "modified": "2022-09-08T18:26:13.283506Z", + "name": "Check Running Services", + "description": "VMwareService.exe runs the VMware Tools Service as a child of services.exe. 
It can be identified by listing services.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.006" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8a69d272-6153-4c8f-b19d-cbd9e8d9d15c", + "id": "attack-pattern--9f6817c0-0ec9-4097-a55b-b39b08db2b92", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.478443Z", - "modified": "2021-02-10T06:49:35.478443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--adf43bd9-7112-42fe-8024-7f7fe5a2225f", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2020-08-21T20:49:59.57926Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Custom Compression of Code", + "description": "Uses a custom algorithm to compress opcode mnemonics.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.006" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", 
+ "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8ae4a607-2f5f-45ad-974f-43760f7679f6", + "id": "attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.615251Z", - "modified": "2020-08-21T20:50:04.615251Z", - "relationship_type": "uses", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "created": "2020-08-21T20:49:59.71926Z", + "modified": "2022-09-08T18:26:13.248354Z", + "name": "Command and Scripting Interpreter", + "description": "Malware may abuse command and script interpreters to execute commands, scripts, or binaries.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/command-and-scripting-interpreter.md", + "external_id": "E1059" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + }, + { + "source_name": "external_source", + "url": "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } 
+ ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8b28534f-1bdb-4794-92d3-a3d63ba71145", + "id": "attack-pattern--1504bfdb-bc65-4fc2-9afd-8d2e82737dd6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.484529Z", - "modified": "2021-02-10T06:49:35.484529Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a67c8a5d-cce9-4892-9338-9fec55e45419", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2021-02-10T06:49:32.008483Z", + "modified": "2022-09-08T18:26:13.337736Z", + "name": "FNV::Non-Cryptographic Hash", + "description": "Malware uses the FNV hash function.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md", + "external_id": "C0030.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8b8bcc5d-2756-4161-bc24-c7836b99e405", + "id": "attack-pattern--574e1bad-081e-43d5-a6e5-665cdc815b8d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.48648Z", - "modified": "2021-02-10T06:49:35.48648Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9406d0e3-7e61-42c9-8532-a35459deb4e7", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.474262Z", + "modified": "2022-09-08T18:26:13.320868Z", + "name": "Timing/Delay Check", + "description": "Malware may compare time between two points to detect unusual execution, such as the 
(relative) massive delays introduced by debugging.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.028" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8bdc3076-c065-4fc1-a9e6-3a3f0f3080ca", + "id": "attack-pattern--4c4a5671-e788-40b8-8fd9-56d94ba32901", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.470482Z", - "modified": "2021-02-10T06:49:35.470482Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--903b44e8-0547-4945-ac5a-ee21d0898d4d", - "target_ref": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70", + "created": "2021-02-10T06:49:32.012443Z", + "modified": "2022-09-08T18:26:13.348491Z", + "name": "Create Directory", + "description": "Malware creates a directory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/create-directory.md", + "external_id": "C0046" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--8c00c944-8bec-46bb-a219-2d31dfd3e97b", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.521443Z", - "modified": "2021-02-10T06:49:35.521443Z", - "relationship_type": "subtechnique-of", - 
"source_ref": "attack-pattern--71d88456-13b6-48de-b779-e6ff71aa3b5e", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7fb51daf-9a09-4cab-b202-fec90ad30e03", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.798261Z", + "modified": "2022-09-08T18:26:13.267442Z", + "name": "Spamming", + "description": "Malware may use a victim machine to create and send spam.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/spamming.md", + "external_id": "B0039" + }, + { + "source_name": "external_source", + "url": "https://techcrunch.com/2019/07/12/trickbot-spam-millions-emails/" + }, + { + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8c10f244-a9c2-4815-8040-0f36189df0f0", + "id": "attack-pattern--656e96ac-b245-4c79-8b28-81423fd5d3cf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.490481Z", - "modified": "2021-02-10T06:49:35.490481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a0033d2f-e4c5-4bbf-854b-198fd82d0c0b", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2021-02-10T06:49:32.002478Z", + "modified": "2022-09-08T18:26:13.330215Z", + "name": "QuickLZ::Compress Data", + "description": "Malware compresses data using QuickLZ.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + 
"phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/compress-data.md", + "external_id": "C0024.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8cb22e7d-ca70-4070-96bf-c0b6c3f0bc84", + "id": "attack-pattern--5543a067-b312-42fa-8943-f58e3f709332", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.707444Z", - "modified": "2021-02-10T06:49:35.707444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--88906eb3-c6df-452f-a16d-d276a39a39d4", - "target_ref": "attack-pattern--531f2659-2119-40c0-b3a6-d921feabb3ce", + "created": "2020-08-21T20:49:59.506259Z", + "modified": "2022-09-08T18:26:13.278463Z", + "name": "Encrypted Payloads", + "description": "Decryption key is stored external to the executable or never touches the disk.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/capture-evasion.md", + "external_id": "B0036.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8d7c4d84-81ac-4339-9990-1bb3675f8571", + "id": "attack-pattern--37487e77-eda2-495c-bf1c-48f05062b2ca", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": 
"subtechnique-of", - "source_ref": "attack-pattern--af70b2f4-e552-4ec0-b6ce-1c8c38e6748c", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2021-02-10T06:49:31.989483Z", + "modified": "2022-09-08T18:26:13.385789Z", + "name": "RC4::Decrypt Data", + "description": "Malware decrypts data encrypted with the RC4 algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.008" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8e1047a3-1f25-415d-a483-88c1ab79caa5", + "id": "attack-pattern--878a631a-286b-4df2-bd6c-29a14053c402", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.703804Z", - "modified": "2021-02-10T06:49:35.703804Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--013fce9b-0645-41a4-b6ec-03a70b319715", - "target_ref": "attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89", + "created": "2020-08-21T20:49:59.57026Z", + "modified": "2022-09-08T18:26:13.20381Z", + "name": "Multiple VMs", + "description": "Multiple virtual machines with different architectures (CISC, RISC, etc.) 
can be used inside of a single executable in order to make reverse engineering even more difficult.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-virtualization.md", + "external_id": "B0008.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8e7f6ea7-0241-4cd5-8eea-a7ac14ba0d5b", + "id": "attack-pattern--af706b89-56dd-4b02-81e6-eb64fe57c2e6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.630659Z", - "modified": "2021-02-10T06:49:35.630659Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5cd1a1ce-0012-4e78-9449-24a8e3b0f4e2", - "target_ref": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", + "created": "2020-08-21T20:49:59.516301Z", + "modified": "2022-09-08T18:26:13.309405Z", + "name": "Static Linking", + "description": "Copy locally the whole content of API code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.026" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8e82c079-e3e6-4f74-bdf8-54eb7eddbbc8", + "id": 
"attack-pattern--d850864e-1db4-40f3-b891-b1db177d48b3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.599445Z", - "modified": "2021-02-10T06:49:35.599445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--6479f655-1a26-4a37-96b4-170c5a57a31d", - "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", + "created": "2021-02-10T06:49:31.917484Z", + "modified": "2022-09-08T18:26:13.414968Z", + "name": "Attribute", + "description": "Malware may change or choose an attribute to hide a file or directory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md", + "external_id": "F0005.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8f0f82ff-639b-4c7a-8d5f-46b8ca84f642", + "id": "attack-pattern--7c1bb00d-f8cb-4ca8-aa11-b59f5b108996", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.566483Z", - "modified": "2021-02-10T06:49:35.566483Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--aaa95359-3220-45fe-9ae6-397718608ee4", - "target_ref": "attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29", + "created": "2020-08-21T20:49:59.754261Z", + "modified": "2022-09-08T18:26:13.27391Z", + "name": "Automated Exfiltration", + "description": "Malware may exfiltrate data via automated processing or scripting.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/automated-exfiltration.md", + "external_id": "E1020" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8f2864ed-7bf4-4fcd-bc00-050cecb2f038", + "id": "attack-pattern--ad80fa16-a148-4562-951c-be0510a866fb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.530037Z", - "modified": "2021-02-10T06:49:35.530037Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--73478759-d9de-4bbd-a687-081c5f00c935", - "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd", + "created": "2021-02-10T06:49:32.041477Z", + "modified": "2022-02-05T00:37:22.835477Z", + "name": "Terminate Thread", + "description": "Malware terminates a thread.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/terminate-thread.md", + "external_id": "C0039" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8f59ccec-c489-4fcf-b388-c848d701d707", + "id": "attack-pattern--a894c73b-8a05-4d53-86e8-39434b189fb6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.631316Z", - "modified": "2021-02-10T06:49:35.631316Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--bdf66c87-1488-4eed-ae9c-2482bc93e93d", - "target_ref": 
"attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3", + "created": "2022-02-04T23:52:35.751794Z", + "modified": "2022-09-08T18:26:13.205139Z", + "name": "Implicit Flows", + "description": "Data is propagated via semantic relationships, for example one variable not changing its state could imply the state of another variable.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/data-flow-analysis-evasion.md", + "external_id": "B0045.002" + }, + { + "source_name": "external_source", + "url": "http://www.seclab.cs.sunysb.edu/seclab/pubs/antitaint.pdf" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8fca40b2-f90d-4f34-b7c6-de4a36dc6757", + "id": "attack-pattern--c2e926cc-5d54-4cce-91f3-acf946574563", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.606264Z", - "modified": "2020-08-21T20:50:04.606264Z", - "relationship_type": "uses", - "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", - "target_ref": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6", + "created": "2020-08-21T20:49:59.737262Z", + "modified": "2022-02-05T00:37:22.694887Z", + "name": "Download File", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", + "external_id": "B0011.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + 
"type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8fe69ecc-eb76-40fd-9942-5621d9a2da2f", + "id": "attack-pattern--c4004f59-4494-4ba9-b5d0-334fd96068ee", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.669444Z", - "modified": "2021-02-10T06:49:35.669444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f60a86ef-7e8a-4a7b-91fa-64a4c137068c", - "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", + "created": "2021-02-10T06:49:32.00648Z", + "modified": "2022-02-05T00:37:22.788643Z", + "name": "Modulo", + "description": "Malware calculates a modulo value.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/modulo.md", + "external_id": "C0058" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--8ff14244-fcb2-4ab1-a1d5-b9f890d352c4", + "id": "attack-pattern--d5762c67-a576-4aa8-aacd-3fba3a7f4599", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.687789Z", - "modified": "2021-02-10T06:49:35.687789Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d4b96b74-7cf9-46c2-8c09-ea8fd124b15a", - "target_ref": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", + "created": "2022-02-04T23:52:35.877737Z", + "modified": "2022-09-08T18:26:13.243519Z", + "name": "Environmental Keys", + "description": "Malware reads certain attributes of the system (BIOS version string, hostname, MAC address, etc.) 
and encrypts/decrypts portions of its code or data using those attributes as input, thus preventing itself from being run on an unintended system (e.g., sandbox, emulator, etc.). Also see Deposited Keys Method. The subsequently defined ATT&CK sub-technique [Execution Guardrails: Environmental Keying (T1480.001)](https://attack.mitre.org/techniques/T1480/001/) is related to this MBC method.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", + "external_id": "B0025.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9019f14b-be9e-4d46-b63e-652e178cb845", + "id": "attack-pattern--791870bd-2325-4d30-b437-5e90ee997f3c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--80ee5a98-6e25-4cb6-a6d2-3321855e14e2", - "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504", + "created": "2020-08-21T20:49:59.706262Z", + "modified": "2022-09-08T18:26:13.215899Z", + "name": "Process detection - PE Utilities", + "description": "Malware can scan for the process name associated with common analysis tools. 
ImportREC / PETools / LordPE", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", + "external_id": "B0013.006" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9036a685-bb6f-4ce5-a00e-4b20720ebd7c", + "id": "attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.501442Z", - "modified": "2021-02-10T06:49:35.501442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b7225469-01b6-4708-8bf9-aff549a703ce", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2021-02-10T06:49:32.00648Z", + "modified": "2022-09-08T18:26:13.33634Z", + "name": "Encode Data", + "description": "Malware may encode data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/encode-data.md", + "external_id": "C0026" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--906b23a2-308a-464c-9779-f337b7865b17", + "id": "attack-pattern--26a24fc4-3488-408f-ae36-9e5e881f4b9e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.914452Z", - "modified": "2022-02-04T23:52:40.914452Z", - "relationship_type": 
"subtechnique-of", - "source_ref": "attack-pattern--a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "created": "2021-02-10T06:49:32.038481Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Suspend Thread", + "description": "Malware may suspend a thread.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/suspend-thread.md", + "external_id": "C0055" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--907c56c0-01c4-4600-908c-4917dd56e085", + "id": "attack-pattern--e393c36e-9939-44df-8f4a-8e7cb57c9b4e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.640443Z", - "modified": "2021-02-10T06:49:35.640443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ebb8ef31-6c69-4dac-9b99-a69e8c76fcd3", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2022-02-04T23:52:36.109082Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Open Process", + "description": "Malware opens a process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/open-process.md", + "external_id": "C0065" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", 
"spec_version": "2.1", - "id": "relationship--90d7b068-4825-407d-b547-9cce9f083ba2", + "id": "attack-pattern--55040e64-313d-4656-8e1c-1146ff2f47d7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.681443Z", - "modified": "2021-02-10T06:49:35.681443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--648530a1-e16b-45c6-ae10-d3d47fc8bcb7", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", + "created": "2020-08-21T20:49:59.547264Z", + "modified": "2022-09-08T18:26:13.188687Z", + "name": "Invoke NTDLL System Calls via Encoded Table", + "description": "Invokes ntdll.dll functions without using an export table; an encoded translation table on the stack is used instead.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/call-graph-generation-evasion.md", + "external_id": "B0010.002" + }, + { + "source_name": "external_source", + "url": "http://fumalwareanalysis.blogspot.com/2012/01/malware-analysis-tutorial-10-tricks-for.html" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--911a73f0-177c-4664-9bc7-9be9ff2dd265", + "id": "attack-pattern--2f16f65d-4fba-4574-882d-97d54392f5bb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.614292Z", - "modified": "2020-08-21T20:50:04.614292Z", - "relationship_type": "uses", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", + "created": "2020-08-21T20:49:59.806261Z", + "modified": 
"2022-09-08T18:26:13.379974Z", + "name": "DNS Communication", + "description": "The DNS Communication micro-behavior focuses on DNS communication.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", + "external_id": "C0011" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--914d11ac-8e6f-40f5-a9b3-04bf4f1c7d97", + "id": "attack-pattern--b7225469-01b6-4708-8bf9-aff549a703ce", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.622442Z", - "modified": "2021-02-10T06:49:35.622442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a90fbac2-8ec1-486c-85bf-6cb6269a5ea6", - "target_ref": "attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e", + "created": "2020-08-21T20:49:59.511265Z", + "modified": "2022-09-08T18:26:13.304375Z", + "name": "Exception Misdirection", + "description": "Using exception handling (SEH) to cause flow of program to non-obvious paths.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.006" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--924962bf-6608-44d7-9b51-43ffe4276f89", + "id": 
"attack-pattern--17e05846-68f4-4f0c-bc23-88e01515bfcf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.476444Z", - "modified": "2021-02-10T06:49:35.476444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2022-02-04T23:52:35.720618Z", + "modified": "2022-09-08T18:26:13.305101Z", + "name": "Hook Interrupt", + "description": "Modification of interrupt vector or descriptor tables.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.009" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9286512d-fe9a-4caf-9989-81c6beda32ee", + "id": "attack-pattern--a03af833-a578-465a-bf8c-43c9db4f4775", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.460442Z", - "modified": "2021-02-10T06:49:35.460442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--35a8f2ce-05e2-4a25-a469-e07a6360eee3", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2022-02-04T23:52:35.783046Z", + "modified": "2022-09-08T18:26:13.227069Z", + "name": "Authenticate", + "description": "Implant may authenticate itself to the controller, controller may authenticate itself to implant, or both. This is often at or near the start of communication. Examples include but are not limited to a simple shared secret (e.g. 
password), challenge-response with symmetric encryption, or challenge-response with asymmetric encryption.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.011" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--92c3ba76-4b47-4b21-a2d4-ca47fcdc7643", + "id": "attack-pattern--56e97c05-06ca-49f9-bf50-d663993dee22", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.511492Z", - "modified": "2021-02-10T06:49:35.511492Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--664457b6-7f76-4745-a92d-6acbfe3ee384", - "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", + "created": "2021-02-10T06:49:32.001445Z", + "modified": "2022-09-08T18:26:13.329457Z", + "name": "Compression Library", + "description": "Malware uses a compression library.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/compression-library.md", + "external_id": "C0060" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--92fe11df-9fa4-4466-b274-1101762ed31d", + "id": "attack-pattern--4283aa07-89f3-40d8-b45f-87ef48c8a86d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - 
"created": "2021-02-10T06:49:35.697716Z", - "modified": "2021-02-10T06:49:35.697716Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--461d88f4-10e9-4db1-b91d-e9a8cd0f8654", - "target_ref": "attack-pattern--ef5fd901-d515-4842-9119-c330c900e2e1", + "created": "2020-08-21T20:49:59.490263Z", + "modified": "2022-09-08T18:26:13.282303Z", + "name": "Check Named System Objects", + "description": "Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or other places.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--93377883-f29a-4a84-b98b-d5eb0d819226", + "id": "attack-pattern--1e5a85a2-73fc-467c-a94b-ec867885b4c3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.449445Z", - "modified": "2021-02-10T06:49:35.449445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.467265Z", + "modified": "2022-09-08T18:26:13.316782Z", + "name": "Page Exception Breakpoint Detection", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.017" + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--947ee67a-bd5a-4c47-a3f6-45c9c4dd3fcf", + "id": "attack-pattern--1540ed37-87c4-485f-b729-1e418a63762c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.533442Z", - "modified": "2021-02-10T06:49:35.533442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--0fe6e31d-fd22-4140-8e31-6ff5ad8cd47f", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2022-02-04T23:52:35.845581Z", + "modified": "2022-09-08T18:26:13.41022Z", + "name": "Injection via Windows Fibers", + "description": "Malware executes shellcode via Windows fibers by converting a thread to a fiber.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md", + "external_id": "E1055.m05" + }, + { + "source_name": "external_source", + "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--956ca423-89d4-44bb-a11a-5b9aecf36a27", + "id": "attack-pattern--856d6d11-4b8a-47d6-afb0-b79aa462fa26", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.462442Z", - "modified": "2021-02-10T06:49:35.462442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--89a1d613-7163-493b-8aa9-7a528dd1dd3e", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2021-02-10T06:49:31.990485Z", + "modified": "2022-09-08T18:26:13.386548Z", + "name": "Skipjack::Decrypt Data", + "description": "Malware decrypts data encrypted with the Skipjack block cipher algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.011" + } + ], + "x_mitre_is_subtechnique": true }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--956dbc7c-feb2-433c-b3e1-d6a6d8962629", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.914452Z", - "modified": "2022-02-04T23:52:40.914452Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d4aefa59-0817-4916-ad93-6ef174e070d3", - "target_ref": "attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5", + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ae4acd7c-89e1-44d8-a5fa-0d53fe88911e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2022-09-08T18:26:13.325559Z", + "modified": "2022-09-08T18:26:13.325559Z", + "name": "API Hammering", + "description": "Uses of a huge number of calls to Windows APIs as a form of extended sleep 
to evade analysis in sandbox environments.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.012" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9633c105-2f8e-4b77-8d1d-7f237fd85950", + "id": "attack-pattern--62e27cc8-6e08-4d62-af86-2eb0e42fc530", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.637467Z", - "modified": "2021-02-10T06:49:35.637467Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8d788ace-f057-449d-bd8b-b0db3fdb5b07", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2021-02-10T06:49:32.02248Z", + "modified": "2022-02-05T00:37:22.804261Z", + "name": "Simulate Hardware", + "description": "Malware simulates hardware.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "hardware-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/simulate-hardware.md", + "external_id": "C0057" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--967e87e4-5844-44f7-92be-86cc839ff0e0", + "id": "attack-pattern--2494ac41-5d2b-4112-903a-fdc2a09d376b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.573481Z", - 
"modified": "2021-02-10T06:49:35.573481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9048df12-c89f-45a6-99ac-caaa7446d6db", - "target_ref": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", + "created": "2022-02-04T23:52:35.783046Z", + "modified": "2022-09-08T18:26:13.228453Z", + "name": "File search", + "description": "Controller requests the implant to search for a given filename pattern, often a [glob](https://en.wikipedia.org/wiki/Glob_(programming)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.015" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--96eda907-3cd1-41bc-b0cf-64b687f1ca53", + "id": "attack-pattern--cbfcfc30-2fa3-4160-a9ba-4cc6c0f48345", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.653444Z", - "modified": "2021-02-10T06:49:35.653444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--82b547ba-e0b0-457f-95fc-c661d1aa0942", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2021-02-10T06:49:31.964486Z", + "modified": "2022-02-05T00:37:22.71051Z", + "name": "Mouse", + "description": "The mouse is modified.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/modify-hardware.md", + 
"external_id": "B0042.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--970a924f-8577-4a75-9507-dc179e7e5cda", + "id": "attack-pattern--010c8801-3ad4-479b-8c56-c29e108121c9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.651444Z", - "modified": "2021-02-10T06:49:35.651444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f4d0e9ac-c868-42fa-9b1f-0d0bee913da1", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.842259Z", + "modified": "2022-02-05T00:37:22.757347Z", + "name": "InternetOpen::WinINet", + "description": "Initializes an application's use of the WinINet functions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", + "external_id": "C0005.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--97e750dc-f739-4758-a410-8b779187d386", + "id": "attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.704445Z", - "modified": "2021-02-10T06:49:35.704445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d26aaa4d-5143-4888-b81c-346d3b51641b", - "target_ref": "attack-pattern--7c7b98c3-b136-439f-83ce-4dd357e76c89", + "created": "2021-02-10T06:49:31.987483Z", + "modified": "2022-02-05T00:37:22.757347Z", + "name": "Crypto Library", + "description": "Malware uses a crypto library.", + 
"kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-lib.md", + "external_id": "C0059" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--98bcdb5a-115d-41b6-bbf0-b6385bf8e556", + "id": "attack-pattern--39df68e5-9065-4b60-8ad1-ff626707b95a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.635443Z", - "modified": "2021-02-10T06:49:35.635443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--0b6c8517-62d1-49c1-9a2d-9300806d1370", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2021-02-10T06:49:31.983492Z", + "modified": "2022-09-08T18:26:13.375381Z", + "name": "TCP Client::Socket Communication", + "description": "TCP client behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.008" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--98fa4156-cb44-4e34-9529-82f857d4e683", + "id": "attack-pattern--7c5cb62b-9374-47b1-8a2f-82204b8640b6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.692442Z", - "modified": 
"2021-02-10T06:49:35.692442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--838d57ce-1e63-4898-9054-14851119e5fc", - "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", + "created": "2021-02-10T06:49:31.923443Z", + "modified": "2022-09-08T18:26:13.407231Z", + "name": "Encryption-Custom Algorithm", + "description": "A custom algorithm is used to encrypt a malware sample, file, or other information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", + "external_id": "E1027.m08" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--99d393f2-6357-4e85-b991-b443290b1eb5", + "id": "attack-pattern--97dff623-9e06-4810-b316-8eedabe893f0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.514444Z", - "modified": "2021-02-10T06:49:35.514444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--41746d12-dfb1-4e7d-bd7e-81678b93b977", - "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", + "created": "2020-08-21T20:49:59.87726Z", + "modified": "2022-09-08T18:26:13.339743Z", + "name": "Executable Stack::Change Memory Protection", + "description": "The stack is made executable.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "memory-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + 
"url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/change-memory-protection.md", + "external_id": "C0008.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9a76355f-caca-46a7-a0c6-ba286b5d2fb3", + "id": "attack-pattern--da7d23d7-ead0-4926-a7ee-be9ea77bb2cd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.631517Z", - "modified": "2021-02-10T06:49:35.631517Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--112d8251-af9c-404d-b3f6-44bd15c42a5d", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2020-08-21T20:49:59.551264Z", + "modified": "2022-09-08T18:26:13.207402Z", + "name": "Variable Recomposition", + "description": "Variables, often strings, are broken into multiple parts and store out of order, in different memory ranges, or both. They must then be recomposed before use.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md", + "external_id": "B0012.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9b05c93c-83de-4024-9fb4-5d655db76140", + "id": "attack-pattern--2514d117-a906-491c-bdef-fdc0ca4ab49b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--81062418-20ac-4df8-86e0-856587b02533", - "target_ref": 
"attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", + "created": "2020-08-21T20:49:59.895263Z", + "modified": "2022-02-05T00:37:22.835477Z", + "name": "Terminate Process", + "description": "Malware terminates a process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/terminate-process.md", + "external_id": "C0018" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9c3eb4b3-53ee-4126-ba9d-fb58632584df", + "id": "attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:41.041094Z", - "modified": "2022-02-04T23:52:41.041094Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--7f779291-853e-4e30-a57c-0b3276b70905", - "target_ref": "attack-pattern--b9a7ebfb-ce75-4050-b9ac-79d2bf146c4f", + "created": "2020-08-21T20:49:59.510265Z", + "modified": "2022-09-08T18:26:13.304109Z", + "name": "Code Integrity Check", + "description": "Check that the unpacking code is unmodified. 
Variation exists where unpacking code is part of the \"key\" used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9c76a296-00a9-489c-8651-228df2928b1a", + "id": "attack-pattern--7850a582-f8c8-4582-a473-1b12e1f45929", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436", - "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58", + "created": "2020-08-21T20:49:59.494264Z", + "modified": "2022-09-08T18:26:13.285417Z", + "name": "Guest Process Testing", + "description": "Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. 
Detecting the process responsible for these tasks, via its name or other methods, is a technique employed by malware for detecting whether it is being executed in a virtual machine.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.010" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9cdd2bbe-b1b2-46a9-9af7-500237584b53", + "id": "attack-pattern--eab3d576-e947-486b-857c-ffa680b30050", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.714266Z", - "modified": "2021-02-10T06:49:35.714266Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ecf1cd8c-ffef-40bd-a2e3-441e77a84a77", - "target_ref": "attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913", + "created": "2020-08-21T20:49:59.66526Z", + "modified": "2022-02-05T00:37:22.632387Z", + "name": "Remove SMS Warning Messages", + "description": "Malware captures the message body of incoming SMS messages and aborts displaying messages that meets a certain criteria.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/indicator-blocking.md", + "external_id": "F0006.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--9ce01c99-722e-403e-8f24-b9859a9b8912", + "id": "attack-pattern--f93d127d-164b-47c1-81e9-e7011cb478f8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.97859Z", - "modified": "2022-02-04T23:52:40.97859Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--fd9f551a-f0ef-42e2-bf82-acdf1062852b", - "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", + "created": "2020-08-21T20:49:59.80426Z", + "modified": "2022-09-08T18:26:13.37857Z", + "name": "DDNS Domain Connect::DNS Communication", + "description": "Connects to dynamic DNS domain.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md", + "external_id": "C0011.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9d173469-1a57-4c12-a13d-09d6bf6012bf", + "id": "attack-pattern--1004c879-79b0-44db-996c-910a7f9e3857", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.644697Z", - "modified": "2021-02-10T06:49:35.644697Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb", - "target_ref": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b", + "created": "2021-02-10T06:49:31.974485Z", + "modified": "2022-09-08T18:26:13.366035Z", + "name": "Set Header::HTTP Communication", + "description": "HTTP header is set.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.013" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9d9b9523-ee0e-4ba0-a34e-de3dc1d90981", + "id": "attack-pattern--88906eb3-c6df-452f-a16d-d276a39a39d4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.548449Z", - "modified": "2021-02-10T06:49:35.548449Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--7fac651b-a6ae-494c-9386-d75a454776da", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2020-08-21T20:49:59.87726Z", + "modified": "2022-09-08T18:26:13.339477Z", + "name": "Executable Heap::Change Memory Protection", + "description": "The heap is made executable.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "memory-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/change-memory-protection.md", + "external_id": "C0008.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9dc4df30-f394-4cfd-b66d-a94549722774", + "id": "attack-pattern--2c90706d-0b4a-45e1-b9f0-0292ebb69edf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.564484Z", - "modified": "2021-02-10T06:49:35.564484Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--acddeb41-5339-4148-8a12-04b9ca687086", - 
"target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2020-08-21T20:49:59.496265Z", + "modified": "2022-09-08T18:26:13.286517Z", + "name": "Instruction Testing - CPUID", + "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. Checking the CPU ID found within the registry can provide information to system type.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.034" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--9fce1966-24ac-4f7b-b6b8-7cf2dcc68220", + "id": "attack-pattern--85d9ce2b-1b52-4de5-8b03-74ed590639d6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.609253Z", - "modified": "2020-08-21T20:50:04.609253Z", - "relationship_type": "uses", - "description": "Stuxnet made the centrifuges at Iran's nuclear plant spin dangerously fast for 15 minutes, before returning to normal speed. About a month later, it slowed the centrifuges down for 50 minutes. 
This was repeated for several months, and over time the strain destroyed the machines.", - "source_ref": "malware--2640ed9a-24d9-4975-90c2-c8ab94d544e3", - "target_ref": "attack-pattern--09aa0bf7-bdec-4642-ad23-c8f1c9b01297", + "created": "2020-08-21T20:49:59.465264Z", + "modified": "2022-09-08T18:26:13.315828Z", + "name": "NtSetInformationThread", + "description": "Calling this API with a fake class length or thread handle can indicate whether it is hooked. After calling NtSetInformationThread properly, the HideThreadFromDebugger flag is checked with the NtQueryInformationThread API.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.014" + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a0277302-44bd-4134-9323-df422100c727", + "id": "attack-pattern--665d234f-6c97-4ae2-b43f-18ea89336220", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.612264Z", - "modified": "2020-08-21T20:50:04.612264Z", - "relationship_type": "uses", - "description": "Ursnif uses malware macros to evade sandbox detection.", - "source_ref": "malware--31e78af0-0509-4f7b-b304-77a8e5bf7ead", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2021-02-10T06:49:31.973483Z", + "modified": "2022-09-08T18:26:13.364475Z", + "name": "Send Request::HTTP Communication", + "description": "HTTP 
client sends request (GET).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a042cf35-5394-4403-90da-07bc34d7c536", + "id": "attack-pattern--06c3d5c7-d4bf-4b28-8385-e169ba81e744", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.490481Z", - "modified": "2021-02-10T06:49:35.490481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--cd438b37-74b0-433b-85d2-8530724401fa", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.80226Z", + "modified": "2022-02-05T00:37:22.726134Z", + "name": "Exploit Private APIs", + "description": "Malware can exploit private APIs to infect jailbroken and non-jailbroken iOS devices. 
Research shows that over 100 apps in the App Store have abused private APIs and bypassed Appleā€™s strict code review.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/lateral-movement/supply-chain-compromise.md", + "external_id": "E1195.m02" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a048b365-87c0-4d87-869b-27e4eae36478", + "id": "attack-pattern--8abe31b2-7123-41f1-9ca3-5653bc1c0fdc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.674443Z", - "modified": "2021-02-10T06:49:35.674443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b5f07958-9aea-4414-ab2c-d5a46399dc23", - "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", + "created": "2020-08-21T20:49:59.788262Z", + "modified": "2022-09-08T18:26:13.26055Z", + "name": "Cryptojacking", + "description": "Consume system resources to mine for cryptocurrency (e.g., Bitcoin, Litecoin, etc.).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/resource-hijacking.md", + "external_id": "B0018.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a0e24b8b-680f-425d-9c42-d73ac487c904", + "id": "attack-pattern--2b01bf8e-63cf-495c-8e2f-d18a8c286ad5", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--641e7321-439b-4888-8624-f3ceace8465e", - "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", + "created": "2020-08-21T20:49:59.499265Z", + "modified": "2022-09-08T18:26:13.288631Z", + "name": "Instruction Testing - VMCPUID", + "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.037" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a16e90f8-cf2e-4b7b-b415-2821c143b984", + "id": "attack-pattern--4e688c01-10a1-41e9-a909-5442531069ac", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.668507Z", - "modified": "2021-02-10T06:49:35.668507Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5f9d93b4-1083-440c-a170-eb181041fc56", - "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", + "created": "2020-08-21T20:49:59.57926Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Custom Compression of Data", + "description": "Uses a custom algorithm to compress strings and 
variables (executable file data).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.007" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a1b9a65b-7f5d-4287-8fe6-3d11a05a93db", + "id": "attack-pattern--85137da0-876b-4ce2-a1ce-d582043ed578", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.97859Z", - "modified": "2022-02-04T23:52:40.97859Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5706671b-371d-40dd-95ae-d9574ba49291", - "target_ref": "attack-pattern--1a89f398-f3ef-484a-8735-024823241a11", + "created": "2021-02-10T06:49:32.017471Z", + "modified": "2022-02-05T00:37:22.804261Z", + "name": "Read Virtual Disk", + "description": "Malware reads a virtual disk.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/read-virtual-disk.md", + "external_id": "C0056" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a1cbd858-4fda-4a25-9a48-575ccd20f8b6", + "id": 
"attack-pattern--b1c9e70b-d514-4924-848d-c6403560e6c5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.452445Z", - "modified": "2021-02-10T06:49:35.452445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4f3bc817-8162-41b5-b617-5c9a261b66e0", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.90926Z", + "modified": "2022-09-08T18:26:13.256543Z", + "name": "Device Driver", + "description": "Allows kernel to access hardware connected to the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/kernel-modules-and-extensions.md", + "external_id": "F0010.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a1df96e9-2ef3-4939-b68c-e13dbcd38c60", + "id": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.456445Z", - "modified": "2021-02-10T06:49:35.456445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--2080b6b4-a74c-43da-97db-1a2ca33ca589", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.68026Z", + "modified": "2022-09-08T18:26:13.408474Z", + "name": "Obfuscated Files or Information", + "description": "Malware may make files or information difficult to discover or analyze by encoding, encrypting, or otherwise obfuscating the content. 
In addition, a malware sample itself can be encoded or encrypted (i.e., encoding/encryption is a code characteristic).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", + "external_id": "E1027" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a1fc39ac-cee5-4bb3-bea5-f356e08e2e6e", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.97859Z", - "modified": "2022-02-04T23:52:40.97859Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--da0fe52b-e2c5-4574-a572-09c999c86b59", - "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", + "id": "attack-pattern--b3bc7ff9-4ea7-4b1a-9301-ea0e07e4a85f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2022-02-04T23:52:36.093464Z", + "modified": "2022-02-05T00:37:22.804261Z", + "name": "Minifilter::Load Driver", + "description": "Malware starts a minifilter.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "hardware-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/load-driver.md", + "external_id": "C0023.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a248db8d-1741-4285-8c3a-28b4ca1d536d", + "id": "attack-pattern--b7df4632-63d2-4195-a529-643ab6098e16", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.589482Z", - "modified": "2021-02-10T06:49:35.589482Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--968a2baa-33b0-4c2a-afb8-b899e1acbc0a", - "target_ref": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a", + "created": "2022-09-08T18:26:13.325804Z", + "modified": "2022-09-08T18:26:13.325804Z", + "name": "Code Integrity Check", + "description": "Compares memory-based and disk-based versions of itself. If differences are detected, the malware alters its execution, possibly acting destructively.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.011" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a25ebab5-27c6-43bc-8067-a1b5e9a8e287", + "id": "attack-pattern--7f30f323-51eb-42a6-8331-834b0da343cc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.606264Z", - "modified": "2020-08-21T20:50:04.606264Z", - "relationship_type": "uses", - "description": "Redhip detects all publicly available automated malware analysis workbenches (ThreatExpert, JoeBox, etc.).", - 
"source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2020-08-21T20:49:59.512264Z", + "modified": "2022-09-08T18:26:13.305851Z", + "name": "Loop Escapes", + "description": "Use SEH or other methods to break out of a loop instead of a conditional jump.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.012" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a2ac4560-a53c-4584-82b6-0d63adfc3e98", + "id": "attack-pattern--9048df12-c89f-45a6-99ac-caaa7446d6db", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.539444Z", - "modified": "2021-02-10T06:49:35.539444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--677563ae-beb5-47f2-b85c-ece6d7c7dc7e", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2021-02-10T06:49:31.918444Z", + "modified": "2022-09-08T18:26:13.415916Z", + "name": "Timestamp", + "description": "Malware may change the timestamp on a file to prevent detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md", + 
"external_id": "F0005.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a2d5b2c9-df66-4d89-982b-bcbd570043ad", + "id": "attack-pattern--bb0c753c-31a4-48b9-9548-47a29cce149a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--6e6d534f-57ae-49cd-be41-0b6a77fbb6fb", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2021-02-10T06:49:31.935444Z", + "modified": "2022-09-08T18:26:13.211201Z", + "name": "Window Text", + "description": "After finding an open application window, malware gets graphical window text.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/application-window-discovery.md", + "external_id": "E1010.m01" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a2efeee6-b13f-42c8-ab8d-288eeaad4905", + "id": "attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.599445Z", - "modified": "2021-02-10T06:49:35.599445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--373415cb-bc3b-4602-8032-584b7cf758c5", - "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", + "created": "2020-08-21T20:49:59.611265Z", + "modified": "2022-09-08T18:26:13.234033Z", + "name": "Domain Name Generation", + "description": "Malware generates the domain name of 
the controller to which it connects. Access to on the fly domains enables C2 to operate as domains and IP addresses are blocked. The algorithm can be complicated in more advanced implants; understanding the details so that names can be predicted can be useful in mitigation and response.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/domain-name-generation.md", + "external_id": "B0031" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/" + }, + { + "source_name": "external_source", + "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "external_source", + "url": "https://www.secureworks.com/research/cryptolocker-ransomware" + }, + { + "source_name": "external_source", + "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a30d8395-e7b5-4fdd-adb9-b347222a3aa2", + "id": "attack-pattern--20bb8954-7d15-4f3f-b015-6de301407391", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.515492Z", - "modified": "2021-02-10T06:49:35.515492Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e1c3c48b-0b4d-418f-b7af-44715b214972", - "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", + "created": "2021-02-10T06:49:32.003478Z", + "modified": 
"2022-09-08T18:26:13.33511Z", + "name": "XOR::Decode Data", + "description": "Malware may use xor to decode data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decode-data.md", + "external_id": "C0053.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a3391c54-85a9-4153-b9a2-19cb36534ab6", + "id": "attack-pattern--a53ab24d-020a-46dc-8a13-7ef51ab07f35", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.568481Z", - "modified": "2021-02-10T06:49:35.568481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--6636c8bd-41a4-4a1e-965d-642c08be68db", - "target_ref": "attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3", + "created": "2020-08-21T20:49:59.883261Z", + "modified": "2022-09-08T18:26:13.341413Z", + "name": "Stack Pivot", + "description": "Stack pivoting involves pointing the stack pointer to an attacker-owned buffer, such as the heap, and facilitates exploits such as ROP-based exploits (see [Bypass DEP](https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/bypass-data-execution-prevention.md) behavior).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "memory-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/stack-pivot.md", + "external_id": "C0009" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + 
"type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a45880ae-06ce-40dc-9cf8-c1048d4703fb", + "id": "attack-pattern--e365ec9c-2c0b-41fe-9a6a-f2b4042f37f3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.604253Z", - "modified": "2020-08-21T20:50:04.604253Z", - "relationship_type": "uses", - "description": "A Trojan downloader.", - "source_ref": "malware--cb022b7d-775c-4db8-ab25-3add7e215d54", - "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae", + "created": "2020-08-21T20:49:59.652263Z", + "modified": "2022-02-05T00:37:22.616726Z", + "name": "Covert Location", + "description": "Malware may hide data or binary files within other files, the registry, etc.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/covert-location.md", + "external_id": "B0040" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a47bdcdb-748c-420c-977f-9917f0628b5e", + "id": "attack-pattern--2baec974-fab4-4fe3-92a6-c477893f132d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.462442Z", - "modified": "2021-02-10T06:49:35.462442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--683507af-37f1-4db4-a922-d41cceaa8789", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.509262Z", + "modified": "2022-09-08T18:26:13.303076Z", + "name": "Block Interrupts", + "description": "Block interrupt (via hooking) 1 and/or 3 to prevent debuggers from working.", + "kill_chain_phases": [ + { + 
"kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a6b3bfb6-1551-40b7-85ee-43b40981aa00", + "id": "attack-pattern--70de257e-38ed-4422-864b-3b6d74aa5fab", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.554443Z", - "modified": "2021-02-10T06:49:35.554443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--598efe94-7195-42ad-9af8-d1d9c39433ba", - "target_ref": "attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921", + "created": "2021-02-10T06:49:31.986482Z", + "modified": "2022-09-08T18:26:13.381177Z", + "name": "SHA224::Cryptographic Hash", + "description": "Malware uses a SHA-224 hash.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", + "external_id": "C0029.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a6d7f695-1c7d-4eda-b493-a58b49428f03", + "id": "attack-pattern--6495c1d8-c694-4fc0-8063-05f0a42cad27", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.588443Z", - "modified": "2021-02-10T06:49:35.588443Z", - "relationship_type": 
"subtechnique-of", - "source_ref": "attack-pattern--6287eb18-a197-4822-b0f5-99b4237fe18a", - "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", + "created": "2021-02-10T06:49:31.988483Z", + "modified": "2022-09-08T18:26:13.384191Z", + "name": "Block Cipher::Decrypt Data", + "description": "Malware decrypts data encrypted with a block cipher.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a7198a08-9f93-495b-973f-f4ba35f11b39", + "id": "attack-pattern--957f9b42-4f80-4da0-8dd1-75738e470fe2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.49545Z", - "modified": "2021-02-10T06:49:35.49545Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e4678b94-bfec-402e-9682-17a32ae8c379", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2021-02-10T06:49:32.037481Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Create Thread", + "description": "Malware creates a thread.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/create-thread.md", + "external_id": "C0038" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": 
"relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a73c3c48-d1bd-4e8d-920a-312b103d37ea", + "id": "attack-pattern--4e6169c5-7791-4c39-b6c9-d79628a85448", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.601289Z", - "modified": "2020-08-21T20:50:04.601289Z", - "relationship_type": "uses", - "description": "Geneio installs the browser extension *~/Library/Safari/Extensions/Omnibar.safariextz*. It also creates the app files listed in the description above.", - "source_ref": "malware--2def59e9-a1ba-4c23-9f7d-437935d1e965", - "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae", + "created": "2020-08-21T20:49:59.655262Z", + "modified": "2022-09-08T18:26:13.428121Z", + "name": "AMSI Bypass", + "description": "Malware bypasses AMSI (Anti-malware Scan Interface).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", + "external_id": "F0004.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a75d4a45-4b89-4b7f-b716-09f22ce93d22", + "id": "attack-pattern--1011a561-6f17-4f8d-874a-8ad491a2b470", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.612264Z", - "modified": "2020-08-21T20:50:04.612264Z", - "relationship_type": "uses", - "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", - "target_ref": "attack-pattern--a6d7b549-6392-47dd-a5b3-f5ba522166c4", + "created": "2020-08-21T20:49:59.729261Z", + "modified": "2022-09-08T18:26:13.241881Z", + "name": "Windows Utilities", + "description": "One 
or more Windows utilities are used.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md", + "external_id": "E1203.m06" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a87b3bb5-4abd-4577-b425-0e99af7191fb", + "id": "attack-pattern--9615d610-999a-417d-bf19-54da01c38b89", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.605287Z", - "modified": "2020-08-21T20:50:04.605287Z", - "relationship_type": "uses", - "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", - "target_ref": "attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e", + "created": "2020-08-21T20:49:59.502264Z", + "modified": "2022-09-08T18:26:13.291887Z", + "name": "Unique Hardware/Firmware Check", + "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.023" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--a8d00e2f-f309-4c05-8f01-2c429f873dfb", + "id": 
"attack-pattern--ff66c503-48b3-4f2b-a462-f54258d2cfca", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.694967Z", - "modified": "2021-02-10T06:49:35.694967Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--656e96ac-b245-4c79-8b28-81423fd5d3cf", - "target_ref": "attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2", + "created": "2020-08-21T20:49:59.514301Z", + "modified": "2022-09-08T18:26:13.307628Z", + "name": "Pre-Debug", + "description": "Prevents debugger from attaching to process or to break until after the code of interest has been executed.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.019" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--aa33bb23-b570-4b9c-94ff-a25d0ff61572", + "id": "attack-pattern--8d788ace-f057-449d-bd8b-b0db3fdb5b07", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.914452Z", - "modified": "2022-02-04T23:52:40.914452Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--14abf3a5-065b-4a7b-b5d7-16ba7ae62e3a", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "created": "2021-02-10T06:49:31.974485Z", + "modified": "2022-09-08T18:26:13.365285Z", + "name": "Send Response::HTTP Communication", + "description": "HTTP server sends response.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.016" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ab9cf0eb-332f-4bad-ab2d-37a909799aec", + "id": "attack-pattern--1dd62131-bc8e-4de7-b68a-1ea4c6b44c03", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.600252Z", - "modified": "2020-08-21T20:50:04.600252Z", - "relationship_type": "uses", - "description": "Gamut probes the infected system's SMTP port 25 by sending a test SMTP transaction to mail.ru and hotmail.com. If port 25 is open, the bot requests the spam template and email list, which it uses to send spam.", - "source_ref": "malware--86cfa430-ca3b-4322-bdfe-989aca5305f0", - "target_ref": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e", + "created": "2021-02-10T06:49:32.005479Z", + "modified": "2022-09-08T18:26:13.335818Z", + "name": "Base64::Encode Data", + "description": "Malware may encode data using Base64.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/encode-data.md", + "external_id": "C0026.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ae501972-7352-4340-9c15-cdd1120c2d65", + "id": "attack-pattern--91e25008-204c-4723-9c53-ca041c5fd2b1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2021-02-10T06:49:35.479442Z", - "modified": "2021-02-10T06:49:35.479442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2021-02-10T06:49:31.917484Z", + "modified": "2022-09-08T18:26:13.415303Z", + "name": "Extension", + "description": "Malware may change or use a particular file extension to hide a file.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md", + "external_id": "F0005.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ae997115-bd28-417b-b412-695cfb11cd01", + "id": "attack-pattern--373bb770-4890-4e13-a0d6-94459bed37aa", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.563442Z", - "modified": "2021-02-10T06:49:35.563442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b729ab37-a73c-4d87-a72b-4123385a2581", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2020-08-21T20:49:59.566267Z", + "modified": "2022-09-08T18:26:13.202744Z", + "name": "Minification", + "description": "Minification is 'the process of removing all unnecessary characters from source code without changing its functionality.' A simple example is when all the unnecessary whitespace and comments are removed. Minification is distinguished from compression in that it neither adds to nor changes the code seen by the interpreter. 
Minification is often used for malware written in interpreted languages, such as JavaScript, PHP, or Python. Legitimate code that is transmitted many times a second, such as JavaScript on websites, often uses minification to simply reduce the number of bytes transmitted.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-optimization.md", + "external_id": "B0034.002" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Minification_(programming)" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--aee3da6b-f795-4287-a6da-b7698c7369b0", + "id": "attack-pattern--81062418-20ac-4df8-86e0-856587b02533", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.575481Z", - "modified": "2021-02-10T06:49:35.575481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e7d60710-0081-4d47-9fd3-3e2d410828e7", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-09-08T18:26:13.419331Z", + "name": "Inline Patching", + "description": "Inline patching (inline hooking) is done by modifying the beginning of a function (e.g., first bytes) in order to redirect the execution flow to custom code (i.e. 
redirecting code flow) before jumping back to the original function.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", + "external_id": "F0015.002" + }, + { + "source_name": "external_source", + "url": "https://www.oreilly.com/library/view/learning-malware-analysis/9781788392501/a0a506d6-d062-48c1-a0a8-57d6acb77785.xhtml" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--af581334-f4f3-4b9a-a5e4-b2ca11fc559b", + "id": "attack-pattern--66995783-bfea-4c72-8fcb-4bdb015dc98f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.458443Z", - "modified": "2021-02-10T06:49:35.458443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--79e12011-d4af-449f-b2da-6b4227564808", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-09-08T18:26:13.420656Z", + "name": "System Service Dispatch Table Hooking", + "description": "Malware (e.g. rootkit, malicious drivers) may hook the system service dispatch table (SSDT), also called the system service descriptor table. 
The SSDT contains information about the service tables used by the operating system for dispatching system calls. Hooking the SSDT enables malware to hide files, registry keys, and network connections.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md", + "external_id": "F0015.005" + }, + { + "source_name": "external_source", + "url": "https://www.mdpi.com/1999-5903/4/4/971/html" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--af859378-d408-42c6-87d5-0e61269535e0", + "id": "attack-pattern--42cea877-6723-4126-a016-6f2b8954eb6b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.703048Z", - "modified": "2021-02-10T06:49:35.703048Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--bbcbbd85-689f-486f-b3be-e36852dfe5c5", - "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", + "created": "2020-08-21T20:49:59.60426Z", + "modified": "2022-09-08T18:26:13.227398Z", + "name": "Check for Payload", + "description": "An implant may check with the controller for additional payloads or instructions, sometimes at a regular interval. 
This is also known as beaconing.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--afb8eb1b-32cf-466b-893d-1cd2bfe0d0b4", + "id": "attack-pattern--bdeba524-0f2d-4d2f-a107-2b7516a0b496", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.503442Z", - "modified": "2021-02-10T06:49:35.503442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--7f30f323-51eb-42a6-8331-834b0da343cc", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.475261Z", + "modified": "2022-09-08T18:26:13.321116Z", + "name": "Timing/Delay Check GetTickCount", + "description": "Malware uses GetTickCount function in a timing/delay check.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.032" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b00f5d07-0800-4d73-a10d-01e7453b15b5", + "id": "attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2021-02-10T06:49:35.454445Z", - "modified": "2021-02-10T06:49:35.454445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--fb0ec928-14d1-49f3-9897-14e3613b4ad7", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.566267Z", + "modified": "2022-09-08T18:26:13.203067Z", + "name": "Executable Code Optimization", + "description": "Code is optimized, making it harder to statically analyze.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-optimization.md", + "external_id": "B0034" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Minification_(programming)" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b050267b-3c92-47fc-993d-705b150c924f", + "id": "attack-pattern--97ebea10-8852-4c4f-bf50-8b866ebc90ab", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.675442Z", - "modified": "2021-02-10T06:49:35.675442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d", - "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", + "created": "2022-09-08T18:26:13.312829Z", + "modified": "2022-09-08T18:26:13.312829Z", + "name": "Check Processes", + "description": "The malware may check running processes for specific strings such as \"malw\" to detect a analysis environment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.038" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b06d3a5c-a043-40bf-9499-acce8fbc521e", + "id": "attack-pattern--25dbb3ef-6301-4f8c-a8d2-a03b5c23dafd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.472483Z", - "modified": "2021-02-10T06:49:35.472483Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--35284c4d-652f-40bd-b49b-7d625914bc75", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2021-02-10T06:49:32.016478Z", + "modified": "2022-09-08T18:26:13.348991Z", + "name": "Get File Attributes", + "description": "Malware gets the attributes of a file.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/get-file-attributes.md", + "external_id": "C0049" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b2b54083-f0bb-419c-a8f6-7ac666e429da", + "id": "attack-pattern--45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.504443Z", - "modified": "2021-02-10T06:49:35.504443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d5e09700-cfae-43b7-831e-958a4e64251b", - "target_ref": 
"attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.489264Z", + "modified": "2022-09-08T18:26:13.281847Z", + "name": "Check Memory Artifacts", + "description": "VMware leaves many artifacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognizable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.002" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b3793626-0c6a-4cfd-8071-c21073e2b8a8", + "id": "attack-pattern--6bb4c9f7-d08e-42c0-bb01-5df9d5ea632d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.579443Z", - "modified": "2021-02-10T06:49:35.579443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a6389b1f-c2f4-4bb7-8b52-6725b00f6052", - "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", + "created": "2020-08-21T20:49:59.638268Z", + "modified": "2022-09-08T18:26:13.434125Z", + "name": "Registry Install", + "description": "Stores itself in the Windows registry.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/alternative-installation-location.md", + "external_id": "B0027.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b4bd5caa-febb-4ac2-82f0-f22836bdfaf1", + "id": "attack-pattern--d2dd9838-ea8f-4a2f-99f4-8a8a468110a4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.710275Z", - "modified": "2021-02-10T06:49:35.710275Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--81090849-4ac4-4838-9e06-6a027036d936", - "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", + "created": "2021-02-10T06:49:31.986482Z", + "modified": "2022-09-08T18:26:13.382007Z", + "name": "Tiger::Cryptographic Hash", + "description": "Malware uses a Tiger hash.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", + "external_id": "C0029.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b7758519-6971-4cf9-8ece-36d21527efdc", + "id": "attack-pattern--fd9f551a-f0ef-42e2-bf82-acdf1062852b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.517444Z", - "modified": "2021-02-10T06:49:35.517444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--758df510-b765-4172-94ad-70561cd0ef62", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "created": 
"2022-02-04T23:52:35.877737Z", + "modified": "2022-09-08T18:26:13.244845Z", + "name": "Secure Triggers", + "description": "Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", + "external_id": "B0025.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b77d147a-d61d-4e03-a993-df0ef04320e3", + "id": "attack-pattern--adac5b9d-77f6-4c07-898d-1515fbf37162", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.55463Z", - "modified": "2021-02-10T06:49:35.55463Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f7edbfa2-7ebf-4e66-bad5-a13150f5ce7a", - "target_ref": "attack-pattern--87b6586d-145f-47d9-8183-755ca03e5921", + "created": "2020-08-21T20:49:59.689263Z", + "modified": "2022-09-08T18:26:13.41057Z", + "name": "Injection using Shims", + "description": "Malware may use shims to target an executable (shims are a way of hooking into APIs and targeting specific executables and are provided by Microsoft for backward compatibility, allowing developers to apply program fixes without rewriting code).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], 
"object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md", + "external_id": "E1055.m03" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b8236567-fd01-4fb9-800f-d1a333cf253a", + "id": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.97859Z", - "modified": "2022-02-04T23:52:40.97859Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--17cf477e-a8e5-4c52-b207-7023cfd16c1d", - "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", + "created": "2020-08-21T20:49:59.584261Z", + "modified": "2022-09-08T18:26:13.201233Z", + "name": "Software Packing", + "description": "This code characteristic - Software Packing - can make static and behavioral analysis difficult and includes packing with software protectors, such as Themida and Armadillo [[1]](#1). Methods related to anti-analysis are below. 
This behavior covers both characteristics of the malware (i.e., how it is packed) as well as behaviors of the malware (e.g., the malware packs another executable file).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001" + }, + { + "source_name": "external_source", + "description": "Ange Albertini, Packers, 5 April 2010,", + "url": "https://gironsec.com/code/packers.pdf" + }, + { + "source_name": "external_source", + "description": "Jiang Ming et al, Towards Paving the Way for Large-Scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-Magnitude Performance Boost, October 2018,", + "url": "https://dl.acm.org/citation.cfm?id=3243771." 
+ }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + }, + { + "source_name": "external_source", + "url": "http://www.csl.sri.com/users/vinod/papers/Conficker/" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + }, + { + "source_name": "external_source", + "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" + }, + { + "source_name": "external_source", + "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b92e3544-1b6a-4568-b89b-539f04333cb3", + "id": "attack-pattern--f62b419a-6b84-4bc4-865c-b58abc012795", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.546456Z", - "modified": "2021-02-10T06:49:35.546456Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ce322a95-0385-40cb-af25-96e377a7de8f", - "target_ref": "attack-pattern--c09b91df-e723-4ad4-b021-04d2773094f9", + "created": "2021-02-10T06:49:31.990485Z", + "modified": "2022-09-08T18:26:13.386033Z", + "name": "RC6::Decrypt Data", + "description": "Malware decrypts data encrypted with the RC6 algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + 
"external_id": "C0031.009" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b9410d22-a339-4bc1-9228-9770c6f18a66", + "id": "attack-pattern--69401771-6ed2-45b5-bc81-68444a3dc4c9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.611257Z", - "modified": "2020-08-21T20:50:04.611257Z", - "relationship_type": "uses", - "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", - "target_ref": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e", + "created": "2021-02-10T06:49:32.005479Z", + "modified": "2022-09-08T18:26:13.336083Z", + "name": "XOR::Encode Data", + "description": "Malware may use xor to encode data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/encode-data.md", + "external_id": "C0026.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b94e1b68-3b43-4319-b261-cbedc8870aab", + "id": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.97859Z", - "modified": "2022-02-04T23:52:40.97859Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9dd6ef57-b3b3-48e8-a77e-233ffee5d45b", - "target_ref": "attack-pattern--1a89f398-f3ef-484a-8735-024823241a11", + "created": "2020-08-21T20:49:59.52526Z", + "modified": "2022-09-08T18:26:13.328554Z", + "name": "Dynamic Analysis Evasion", + "description": "Malware may obstruct dynamic analysis in a sandbox, emulator, or virtual machine.", + 
"kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003" + }, + { + "source_name": "external_source", + "url": "http://joe4security.blogspot.com/2013/06/overloading-sandboxes-new-generic.html" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf" + }, + { + "source_name": "external_source", + "url": "https://research.checkpoint.com/2019-resurgence-of-smokeloader/" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://www.joesecurity.org/blog/498839998833561473" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b9888bd6-f659-4886-88c5-516bb3497e9c", + "id": "attack-pattern--6ffd281c-acc5-4543-9fb5-aa0002339ea8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.489479Z", - "modified": "2021-02-10T06:49:35.489479Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4f994303-c449-4d22-8ead-5c531a36ecf5", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2021-02-10T06:49:31.981483Z", + "modified": "2022-09-08T18:26:13.373159Z", + "name": "Get Socket Status::Socket Communication", + "description": "Get socket status.", + "kill_chain_phases": [ + { + "kill_chain_name": 
"mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.012" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b99b2728-4bcd-419d-9b2d-e19a4f81fa17", + "id": "attack-pattern--001ca78e-188e-4725-9f43-706d0f487837", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.504443Z", - "modified": "2021-02-10T06:49:35.504443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8fb51611-3f2a-42e3-9af0-fd8eda882cf8", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.607265Z", + "modified": "2022-09-08T18:26:13.230081Z", + "name": "Send Data", + "description": "Send data to a controller.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--b9e7e9c7-e68d-4db7-b7d8-8371c7e31037", + "id": "attack-pattern--a5589cd0-a6ee-4d1a-9963-3c44e9734242", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.690461Z", - "modified": "2021-02-10T06:49:35.690461Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--608a4855-fe3a-4bff-a7a2-46db2ffd360b", - "target_ref": "attack-pattern--6dfe201d-34d6-4474-9210-e0364cca9de0", + "created": "2020-08-21T20:49:59.706262Z", + "modified": "2022-09-08T18:26:13.21541Z", + "name": "Process detection - Debuggers", + "description": "Malware can scan for the process name associated with common analysis tools. OllyDBG / ImmunityDebugger / WinDbg / IDA Pro", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", + "external_id": "B0013.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--baa7b7d4-500b-47a4-a4e0-23965ea21fcc", + "id": "attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.518445Z", - "modified": "2021-02-10T06:49:35.518445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--2b4653a5-2865-4768-ae75-e1f7cb84b39a", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "created": "2020-08-21T20:49:59.67026Z", + "modified": "2022-09-08T18:26:13.412487Z", + "name": "Modify Registry", + "description": "Malware may make changes to the Windows Registry to hide execution or to persist on the system (note that ATT&CK does not extend this behavior to the Persistence objective).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + 
"source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/modify-registry.md", + "external_id": "E1112" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON" + }, + { + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--babfbb26-ae8a-46c7-8ec5-5f172a8b6672", + "id": "attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.688517Z", - "modified": "2021-02-10T06:49:35.688517Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f1212d9e-3af6-4ef4-a19e-ff2793564ffd", - "target_ref": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", + "created": "2020-08-21T20:49:59.824262Z", + "modified": "2022-09-08T18:26:13.368736Z", + "name": "Write Pipe::Interprocess Communication", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md", + "external_id": "C0003.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--bb344d99-00e5-4697-a116-9968d5ab9ddc", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.867574Z", - "modified": "2022-02-04T23:52:40.867574Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a0033d2f-e4c5-4bbf-854b-198fd82d0c0b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-08-21T20:49:59.498264Z", + "modified": "2022-09-08T18:26:13.288016Z", + "name": "Instruction Testing - SMSW", + "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.032" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bb7c22ee-0b34-4097-aa2f-4bc8cd53b271", + "id": "attack-pattern--b9a7ebfb-ce75-4050-b9ac-79d2bf146c4f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.505442Z", - "modified": "2021-02-10T06:49:35.505442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--dd5fd5f1-cc85-409b-a4c0-96cea106cd82", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2021-02-10T06:49:32.020479Z", + "modified": "2022-02-05T00:37:22.804261Z", + "name": "Install Driver", + "description": "Malware installs a driver or minifilter.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "hardware-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/install-driver.md", + "external_id": "C0037" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bbf88cc5-ef00-4af1-9bd2-e174454bff2e", + "id": 
"attack-pattern--cc89a8c1-00d2-4ae2-bda2-a35398a63214", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ec7f9541-06af-4db7-a9c2-183b513f144a", - "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504", + "created": "2020-08-21T20:49:59.501259Z", + "modified": "2022-09-08T18:26:13.289829Z", + "name": "Modern Specs Check - Keyboard layout", + "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Check keyboard layout.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.019" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bc7ade6d-84f2-43b6-9a70-3b75b784346e", + "id": "attack-pattern--b5f07958-9aea-4414-ab2c-d5a46399dc23", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.555449Z", - "modified": "2021-02-10T06:49:35.555449Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--4c1e6e56-1c8d-4bce-b696-68ac83cb33f6", - "target_ref": "attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e", + "created": "2021-02-10T06:49:31.989483Z", + "modified": "2022-09-08T18:26:13.384722Z", + "name": "Camellia::Decrypt Data", + "description": "Malware decrypts data encrypted with the Camellia algorithm.", + 
"kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bcd12692-9e2b-4267-8c4c-3e4cd0e7a70b", + "id": "attack-pattern--b85681f8-57a9-485e-bc46-ab3602990675", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.602253Z", - "modified": "2020-08-21T20:50:04.602253Z", - "relationship_type": "uses", - "description": "Uses a domain name generator.", - "source_ref": "malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa", - "target_ref": "attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d", + "created": "2021-02-10T06:49:32.042481Z", + "modified": "2022-09-08T18:26:13.355957Z", + "name": "Set Thread Local Storage Value", + "description": "Malware allocates thread local storage.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/set-thread-local-storage-value.md", + "external_id": "C0041" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bd4fadc4-7acb-4ed0-b916-3f2ac4daa301", + "id": "attack-pattern--48018d04-fcd1-4e5d-b29f-6ccf841ae65f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2021-02-10T06:49:35.447445Z", - "modified": "2021-02-10T06:49:35.447445Z", - "relationship_type": "uses", - "description": "Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs.", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", + "created": "2020-08-21T20:49:59.848263Z", + "modified": "2022-09-08T18:26:13.395483Z", + "name": "GetTickCount::Generate Pseudo-random Sequence", + "description": "Malware generates a pseudo-random sequence using GetTickCount.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md", + "external_id": "C0021.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bdcdf7ec-ea76-4ff5-8b35-8e2e365ee0d9", + "id": "attack-pattern--4f994303-c449-4d22-8ead-5c531a36ecf5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.591482Z", - "modified": "2021-02-10T06:49:35.591482Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--56e26c80-e09f-4a51-8947-3c5a07dd3bf9", - "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9", + "created": "2020-08-21T20:49:59.498264Z", + "modified": "2022-09-08T18:26:13.287427Z", + "name": "Instruction Testing - SGDT/SLDT (no pill)", + "description": "The execution of certain x86 instructions will result in 
different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. The No Pill technique relies on the fact that the LDT structure is assigned to a processor not an Operating System. The LDT location on a host machine will be zero and on a virtual machine will be non-zero.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.031" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--be0cd60b-1d8f-4b6d-9408-edd531d4ffa4", + "id": "attack-pattern--90006260-5019-4c35-8c88-6ee23826734e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.599252Z", - "modified": "2020-08-21T20:50:04.599252Z", - "relationship_type": "uses", - "description": "Primary behavior is encrypting data.", - "source_ref": "malware--4188f951-4400-406c-8281-509395fc8e11", - "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd", + "created": "2020-08-21T20:49:59.796261Z", + "modified": "2022-02-05T00:37:22.726134Z", + "name": "Reverse Shell", + "description": "Malware may create a reverse shell. 
For example, malware can invoke cmd.exe and create three pipes (stdin, stdout, stderr) to forward data between cmd.exe and an adversary.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/remote-access.md", + "external_id": "B0022.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bf274f8b-4ec2-45e0-ba44-49e4de17bff1", + "id": "attack-pattern--7069df4d-92ef-4a18-b5a5-bf27dc9ef446", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.571485Z", - "modified": "2021-02-10T06:49:35.571485Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--10bee884-590b-45f4-8577-5cbe6d6efa1a", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", + "created": "2020-08-21T20:49:59.644261Z", + "modified": "2022-09-08T18:26:13.402654Z", + "name": "Bypass Data Execution Prevention", + "description": "Malware may bypass Data Execution Prevention (DEP).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/bypass-data-execution-prevention.md", + "external_id": "B0037" + }, + { + "source_name": "external_source", + "url": "https://medium.com/cybersecurityservices/dep-bypass-using-rop-chains-garima-chopra-e8b3361e50ce" + }, + { + "source_name": "external_source", + "url": 
"https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bfb97f13-10a9-430f-9887-80bc455b387c", + "id": "attack-pattern--4f786f90-7679-427a-932b-2d212faffa37", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c", - "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263", + "created": "2021-02-10T06:49:31.997443Z", + "modified": "2022-09-08T18:26:13.394445Z", + "name": "Import Public Key::Encryption Key", + "description": "Malware imports a public key.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encryption-key.md", + "external_id": "C0028.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bfc1713b-29d0-47b0-8f7d-d6be58027d61", + "id": "attack-pattern--541b3b19-6e67-4c06-9f03-1b3f5a4395c4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.534443Z", - "modified": "2021-02-10T06:49:35.534443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--c8d17860-f4e4-4403-a28b-02c784a3ca70", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2020-08-21T20:49:59.828261Z", + "modified": 
"2022-09-08T18:26:13.361771Z", + "name": "SMTP Communication", + "description": "This micro-behavior focuses on SMTP communication.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/smtp-communication.md", + "external_id": "C0012" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--bfcc06d1-954c-4114-a40c-c2255744c773", + "id": "attack-pattern--84b9dfc5-4109-40fb-8378-52ecc2919cb4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:41.041094Z", - "modified": "2022-02-04T23:52:41.041094Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--befe8d09-ebeb-4a60-89a4-9efaaf325e9b", - "target_ref": "attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291", + "created": "2020-08-21T20:49:59.577262Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Armadillo", + "description": "Uses Armadillo.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.012" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--c057643c-3bdf-4ec3-b571-a33917bc2848", + "id": "attack-pattern--13631209-26c3-481c-bd8c-fa6c57c3dbe5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.622442Z", - "modified": "2021-02-10T06:49:35.622442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--c2c8a6d7-c5be-40c2-98ae-96640b2048af", - "target_ref": "attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36", + "created": "2020-08-21T20:49:59.583262Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "VMProtect", + "description": "Uses VMProtect.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.010" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c11ecbe7-a3af-4492-b928-922fef8ad123", + "id": "attack-pattern--9c6a7353-74f8-468b-94d8-faee128fa78d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.499441Z", - "modified": "2021-02-10T06:49:35.499441Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--2baec974-fab4-4fe3-92a6-c477893f132d", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2021-02-10T06:49:32.007478Z", + "modified": "2022-09-08T18:26:13.33721Z", + "name": "dhash::Non-Cryptographic Hash", + "description": "Malware uses the dhash hash function.", + "kill_chain_phases": [ + { + 
"kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md", + "external_id": "C0030.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c1521290-d1f9-4e3d-871f-5e553e143d2b", + "id": "attack-pattern--b6679c6a-6312-44ec-a6fe-628a66d0cefe", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.715443Z", - "modified": "2021-02-10T06:49:35.715443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--006afc45-b6df-4e75-8102-b38ccb09db58", - "target_ref": "attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c", + "created": "2020-08-21T20:49:59.501259Z", + "modified": "2022-09-08T18:26:13.290074Z", + "name": "Modern Specs Check - Printer", + "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. 
Checks whether there is a potential connected printer or default Windows printers; if not a virtual environment is suspected.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.017" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c15c2d7e-945f-4bd9-a19c-cf002adf6398", + "id": "attack-pattern--4d618788-4089-4149-8948-3d3524c766c5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.540444Z", - "modified": "2021-02-10T06:49:35.540444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3cb4d50f-649d-4b09-b9a4-151bcc7ebc43", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2020-08-21T20:49:59.73826Z", + "modified": "2022-02-05T00:37:22.694887Z", + "name": "Sleep", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", + "external_id": "B0011.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c2742004-51f3-444a-808a-340150b3b446", + "id": "attack-pattern--30b37187-7b90-4271-b554-e0a5265fc977", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.71359Z", - "modified": 
"2021-02-10T06:49:35.71359Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5b93eef5-683e-44cb-b737-0e80feb890d2", - "target_ref": "attack-pattern--3955de8e-1ab7-4ab0-b7ca-226822885913", + "created": "2022-09-08T18:26:13.219183Z", + "modified": "2022-09-08T18:26:13.219183Z", + "name": "Install Certificate", + "description": "Malware may install a certificate to gain access to https traffic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/privilege-escalation/install-certificate.md", + "external_id": "E1608" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c32e1ecd-2484-43db-900b-a91b5c12313b", + "id": "attack-pattern--9aa6cbcb-2654-4533-a47c-3b44b62cb6a2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.487484Z", - "modified": "2021-02-10T06:49:35.487484Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--7850a582-f8c8-4582-a473-1b12e1f45929", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2021-02-10T06:49:32.031479Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Query Registry Key::Registry", + "description": "Malware queries a registry key.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "operating-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/registry.md", + "external_id": "C0036.005" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c33c9546-3de6-4409-93c2-ca185814abe9", + "id": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.8832Z", - "modified": "2022-02-04T23:52:40.8832Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a962a19b-79e6-4154-a634-b85d9e9d0264", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2020-08-21T20:49:59.486264Z", + "modified": "2022-09-08T18:26:13.300328Z", + "name": "Sandbox Detection", + "description": "Detects whether the malware instance is being executed inside an instrumented sandbox environment (e.g., Cuckoo Sandbox). 
If so, conditional execution selects a benign execution path.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", + "external_id": "B0007" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://github.com/LordNoteworthy/al-khaser" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c37197a3-9115-4308-810d-45e2c34336e9", + "id": "attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.625442Z", - "modified": "2021-02-10T06:49:35.625442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--90006260-5019-4c35-8c88-6ee23826734e", - "target_ref": "attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824", + "created": "2020-08-21T20:49:59.828261Z", + "modified": "2022-09-08T18:26:13.361213Z", + "name": "Request::SMTP Communication", + "description": "Makes SMTP 
request.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/smtp-communication.md", + "external_id": "C0012.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c37e1721-4c87-49d5-9693-c80b59b07d46", + "id": "attack-pattern--aaa95359-3220-45fe-9ae6-397718608ee4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.551476Z", - "modified": "2021-02-10T06:49:35.551476Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--405c94b9-4f0e-476b-982d-72bb1905daa9", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2020-08-21T20:49:59.637267Z", + "modified": "2022-09-08T18:26:13.433819Z", + "name": "Fileless Malware", + "description": "Stores itself in memory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/alternative-installation-location.md", + "external_id": "B0027.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c3a6d906-8809-45a7-a764-2cf4418c02e8", + "id": "attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.535444Z", - "modified": 
"2021-02-10T06:49:35.535444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--999fdac4-2cd5-471e-960e-993f82214902", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2022-09-08T18:26:13.258158Z", + "modified": "2022-09-08T18:26:13.258158Z", + "name": "Generate Traffic from Victim", + "description": "Malware may generate traffic from the victim system such as clicks of advertising links that generate fraudulent ad revenue. The ATT&CK technique, **Generate Traffic from Victim ([T1643](https://attack.mitre.org/techniques/T1643/))**, is only associated with the mobile platform, but the behavior is applicable to other platforms as well.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/generate-traffic-from-victim.md", + "external_id": "E1643" + }, + { + "source_name": "external_source", + "url": "https://www.itworld.com/article/2734253/security/behind-the--massive--malware-ad-revenue-fraud-case.html" + }, + { + "source_name": "external_source", + "url": "https://www.fipp.com/news/insightnews/what-are-the-nine-types-of-digital-ad-fraud" + }, + { + "source_name": "external_source", + "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c3d81490-069d-4698-b673-3e4228ebfeec", + "id": "attack-pattern--add320e6-3798-40f7-91be-5062eb3a9e00", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": 
"2021-02-10T06:49:35.71091Z", - "modified": "2021-02-10T06:49:35.71091Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8df78326-a8e8-4039-82a7-3dd375910e71", - "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", + "created": "2020-08-21T20:49:59.458263Z", + "modified": "2022-09-08T18:26:13.312218Z", + "name": "Anti-debugging Instructions", + "description": "Malware code contains mnemonics related to anti-debugging (e.g., rdtsc, icebp).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.034" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c49c1296-1265-4f09-a11e-e09e84afb3d9", + "id": "attack-pattern--ced26a03-d356-4f8e-8337-9a07c0becd86", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.530939Z", - "modified": "2021-02-10T06:49:35.530939Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--da7d23d7-ead0-4926-a7ee-be9ea77bb2cd", - "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd", + "created": "2021-02-10T06:49:31.982483Z", + "modified": "2022-09-08T18:26:13.375069Z", + "name": "TCP Server::Socket Communication", + "description": "TCP server behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c53091e2-0a17-400c-9b94-a14064d8e51c", + "id": "attack-pattern--3c0f36be-c4c0-4769-9be4-50682bc6a467", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.587443Z", - "modified": "2021-02-10T06:49:35.587443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--791870bd-2325-4d30-b437-5e90ee997f3c", - "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", + "created": "2020-08-21T20:49:59.516301Z", + "modified": "2022-09-08T18:26:13.309137Z", + "name": "Self-Unmapping", + "description": "UnmapViewOfFile() on itself.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.025" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c6e86df7-3fb6-4344-9588-672172c2441a", + "id": "attack-pattern--d83c8fbc-c7bf-4108-ba64-f1a9ac737da1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.550117Z", - "modified": "2021-02-10T06:49:35.550117Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9f6817c0-0ec9-4097-a55b-b39b08db2b92", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2020-08-21T20:49:59.496265Z", + "modified": "2022-09-08T18:26:13.286813Z", + "name": 
"Instruction Testing - IN", + "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.035" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c72e66be-ab97-46b7-b81c-1cab91d74cfc", + "id": "attack-pattern--195e17be-fac3-4ffe-a961-631e2af205bb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.455445Z", - "modified": "2021-02-10T06:49:35.455445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e97aa9eb-a7d6-4c4a-810f-140f1dda08ca", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2022-02-04T23:52:35.720618Z", + "modified": "2022-09-08T18:26:13.30486Z", + "name": "Guard Pages", + "description": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.008" + } + 
], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c753676d-6ff4-43c1-8392-a49941e72b4a", + "id": "attack-pattern--d26aaa4d-5143-4888-b81c-346d3b51641b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.460442Z", - "modified": "2021-02-10T06:49:35.460442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--97fc67af-9ec6-44a7-8187-32e07b5cdcb5", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.86526Z", + "modified": "2022-02-05T00:37:22.788643Z", + "name": "Create Ransomware File::Create File", + "description": "Create a file used by ransomware.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/create-file.md", + "external_id": "C0016.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c79f3ad7-7069-47f0-b139-72773445b23a", + "id": "attack-pattern--603e1968-92e1-41ec-86f1-c2ea0d28b7bf", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:34.192443Z", - "modified": "2021-02-10T06:49:34.192443Z", - "relationship_type": "uses", - "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", - "target_ref": "attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f", + "created": "2021-02-10T06:49:31.986482Z", + "modified": "2022-09-08T18:26:13.38087Z", + "name": "SHA1::Cryptographic Hash", + "description": "Malware uses a SHA-1 hash.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", 
+ "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", + "external_id": "C0029.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c7bc58bb-cf17-4f4a-a465-81e038754c60", + "id": "attack-pattern--f65d15c6-c325-42f5-a824-9ff3089f751f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.451445Z", - "modified": "2021-02-10T06:49:35.451445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b1089154-3ee0-4713-893f-af97047f8ab5", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2021-02-10T06:49:32.023443Z", + "modified": "2022-02-05T00:37:22.804261Z", + "name": "Free Memory", + "description": "Malware may free memory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "memory-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/free-memory.md", + "external_id": "C0044" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c8b1f9ac-52aa-40f0-b63a-3cfdfc9cc914", + "id": "attack-pattern--3dc536c2-fa47-4acd-9043-1b0a0c2b2db6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.530444Z", - "modified": "2021-02-10T06:49:35.530444Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--6a54a038-71b7-4b4c-87c2-2e5b433404af", - "target_ref": "attack-pattern--5146900f-415f-4817-9153-a9a3f857b3cd", + "created": "2020-08-21T20:49:59.70226Z", + "modified": "2022-02-05T00:37:22.663601Z", + "name": "COMSPEC Environment Variable", + "description": "Uninstalls self via COMSPEC environment variable.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/self-deletion.md", + "external_id": "F0007.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c93cceb6-5aad-4dd5-a2c1-ac00b2d8ba7a", + "id": "attack-pattern--36074f02-7b9b-4052-998f-cb6c56447031", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.712031Z", - "modified": "2021-02-10T06:49:35.712031Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--18377be7-e46d-48a0-ac85-b6af8f777b78", - "target_ref": "attack-pattern--e059fc35-3fbe-407e-b4aa-0b3616ae288b", + "created": "2020-08-21T20:49:59.555263Z", + "modified": "2022-09-08T18:26:13.191016Z", + "name": "Code Insertion", + "description": "Insert code to impede disassembly.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", 
"spec_version": "2.1", - "id": "relationship--c9e4809e-6742-470f-8721-65acaa27e6c1", + "id": "attack-pattern--373415cb-bc3b-4602-8032-584b7cf758c5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.68898Z", - "modified": "2021-02-10T06:49:35.68898Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8b1810b0-5885-47ec-963b-b3fecbe1825a", - "target_ref": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", + "created": "2020-08-21T20:49:59.73826Z", + "modified": "2022-02-05T00:37:22.694887Z", + "name": "Upload File", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", + "external_id": "B0011.007" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--c9f504bf-f2c6-4016-a6b7-9f283209a07f", + "id": "attack-pattern--35d551ab-014b-4fab-8ba8-b91fb42a3985", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.579443Z", - "modified": "2021-02-10T06:49:35.579443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--adac5b9d-77f6-4c07-898d-1515fbf37162", - "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", + "created": "2020-08-21T20:49:59.533262Z", + "modified": "2022-09-08T18:26:13.27455Z", + "name": "Code Encryption in Memory", + "description": "Encrypt the executing malware instance code in memory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--cc0b0c2b-71f8-4b42-ade1-c89395b15d28", + "id": "attack-pattern--3a9b6fab-01af-47ef-9563-69427ed4090c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.513484Z", - "modified": "2021-02-10T06:49:35.513484Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--cb329a09-0291-4a05-ac20-3b35500bfd9b", - "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", + "created": "2020-08-21T20:49:59.537265Z", + "modified": "2022-09-08T18:26:13.19228Z", + "name": "Guard Pages", + "description": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.010" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--cc3a95b0-d974-4712-800b-84f9a4fd396d", + "id": "attack-pattern--2e82d33e-a804-42a2-9931-57f7b7af78f9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.480441Z", - "modified": "2021-02-10T06:49:35.480441Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d3656287-db62-4856-860d-6b3ff60e23b2", - "target_ref": 
"attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2021-02-10T06:49:31.991483Z", + "modified": "2022-09-08T18:26:13.388134Z", + "name": "AES::Encrypt Data", + "description": "Malware encrypts with the AES algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--cc3f1203-967f-4550-a9be-1622e7528204", + "id": "attack-pattern--b0cd3324-b762-4e02-8e9d-7dd3708d5e0a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.557442Z", - "modified": "2021-02-10T06:49:35.557442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--99bd055e-cadd-4ed3-94a4-b21570cd8350", - "target_ref": "attack-pattern--75f19e70-8d96-4a7b-a3cf-e629c8d5e779", + "created": "2021-02-10T06:49:32.03448Z", + "modified": "2022-09-08T18:26:13.354982Z", + "name": "Check Mutex", + "description": "Malware checks a mutex.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/check-mutex.md", + "external_id": "C0043" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", 
+ "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ccd33d4b-3108-4947-81a6-35b8b4e1af11", + "id": "attack-pattern--bb3514c7-f3ad-4236-b5b9-a38aa432ea17", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.684442Z", - "modified": "2021-02-10T06:49:35.684442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e399ce8e-2c1d-4bc4-9669-308cb99f1e10", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", + "created": "2020-08-21T20:49:59.764262Z", + "modified": "2022-09-08T18:26:13.263733Z", + "name": "Compromise Data Integrity", + "description": "Data stored on the file system of a compromised system is manipulated to compromise its integrity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/compromise-data-integrity.md", + "external_id": "B0016" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--cd158b97-3a64-416d-88ce-92fab92241cb", + "id": "attack-pattern--b8311cd4-85f0-4e4c-83c5-0af831e6d7f1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.505442Z", - "modified": "2021-02-10T06:49:35.505442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--68791849-d1ec-436a-983a-b6ca41bea52c", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.772261Z", + "modified": "2022-09-08T18:26:13.264559Z", + "name": "Denial of Service", + "description": "Malware may make a network unavailable, for example, by launching a network-based denial of service (DoS) attack.", + 
"kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/denial-of-service.md", + "external_id": "B0033" + }, + { + "source_name": "external_source", + "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--cd65a36f-bc6c-4788-95da-59b1e5266f18", + "id": "attack-pattern--3b11e590-980e-4850-a9a1-6189b62f62b1", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.575481Z", - "modified": "2021-02-10T06:49:35.575481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f1b3a223-fa61-4341-9d0c-9f71b399ee00", - "target_ref": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", + "created": "2021-02-10T06:49:32.00448Z", + "modified": "2022-09-08T18:26:13.331347Z", + "name": "IEncodingFilterFactory::Decompress Data", + "description": "Malware decompresses data using IEncodingFilterFactory.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decompress-data.md", + "external_id": "C0025.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--cf892647-cc52-464f-b71e-d67b7af8a3ea", + "id": "attack-pattern--d61dcb50-dcf8-408d-96e2-f3cd75f93be0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.602253Z", - "modified": "2020-08-21T20:50:04.602253Z", - "relationship_type": "uses", - "description": "Hupigon drops the file \"Systen.dll\" and adds the registry entry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\BITS DllName = \"%System%\\Systen.dll\".", - "source_ref": "malware--6a1bde20-a344-4738-9df5-b568fa4b5f33", - "target_ref": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6", + "created": "2020-08-21T20:49:59.520265Z", + "modified": "2022-09-08T18:26:13.325285Z", + "name": "Alternative ntdll.dll", + "description": "A copy of ntdll.dll is dropped to the filesystem and then loaded. This alternative DLL is used to execute function calls to evade sandboxes which use hooking in the operating system's ntdll.dll.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d0259a59-21f5-4e14-8d25-9af86df83bb1", + "id": "attack-pattern--bad6ec3f-e218-4190-8033-3e4e8dae8d00", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.672443Z", - "modified": "2021-02-10T06:49:35.672443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a0021942-1e00-442e-8ed8-285293eeb5e9", - "target_ref": 
"attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", + "created": "2020-08-21T20:49:59.580266Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Nested Packing", + "description": "The malware is packed by one packer, the result is packed, etc.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d037ad47-c862-401f-80a2-c95698aae95f", + "id": "attack-pattern--9aa48852-5d9f-45e3-a094-113bc10c1cbc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.473484Z", - "modified": "2021-02-10T06:49:35.473484Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--9aa48852-5d9f-45e3-a094-113bc10c1cbc", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2020-08-21T20:49:59.483264Z", + "modified": "2022-09-08T18:26:13.296154Z", + "name": "Check Files", + "description": "Sandboxes create files on the file system. 
Malware can check the different folders to find sandbox artifacts.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", + "external_id": "B0007.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d03dc120-1af4-4837-aa97-30100dd25ed7", + "id": "attack-pattern--24464dee-85e0-4fbf-b604-130f783c3689", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.675442Z", - "modified": "2021-02-10T06:49:35.675442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a8761808-d474-430a-9bd9-c770bc1163be", - "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", + "created": "2022-02-04T23:52:35.720618Z", + "modified": "2022-09-08T18:26:13.309893Z", + "name": "Tampering", + "description": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.028" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d073938a-9b01-4297-81ec-71847da4ea1c", + "id": "attack-pattern--cb329a09-0291-4a05-ac20-3b35500bfd9b", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.570481Z", - "modified": "2021-02-10T06:49:35.570481Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ab2e210b-f2a3-4f50-b42a-7304b875429c", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", + "created": "2020-08-21T20:49:59.522264Z", + "modified": "2022-09-08T18:26:13.327226Z", + "name": "Encode File", + "description": "Encode a file on disk, such as an implant's config file.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.006" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d0a2c078-fd60-437e-9ab2-4b6fb9471175", + "id": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.599252Z", - "modified": "2020-08-21T20:50:04.599252Z", - "relationship_type": "uses", - "description": "Conficker A has routine that causes the process to suicide exit if the keyboard language layout is set to Ukranian.", - "source_ref": "malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9", - "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", + "created": "2020-08-21T20:49:59.73126Z", + "modified": "2022-09-08T18:26:13.235931Z", + "name": "Install Additional Program", + "description": "Installs another, different program on the system. 
The additional program can be any secondary module; examples include backdoors, malicious drivers, kernel modules, and OS X Apps.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/install-additional-program.md", + "external_id": "B0023" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "external_source", + "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d0abc3bc-790a-422c-9811-46e9645c4c91", + "id": "attack-pattern--276108d0-bfef-45d8-9e20-0e6f5c107f6f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.547447Z", - "modified": "2021-02-10T06:49:35.547447Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--878a631a-286b-4df2-bd6c-29a14053c402", - "target_ref": "attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7", + "created": "2020-08-21T20:49:59.650261Z", + "modified": "2022-02-05T00:37:22.616726Z", + "name": "Hide Data in Registry", + "description": "Malware may use a registry key to store a long sequence of bytes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": 
"defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/covert-location.md", + "external_id": "B0040.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d1bd9f34-171e-4638-9ebd-810ea4ecb683", + "id": "attack-pattern--ce322a95-0385-40cb-af25-96e377a7de8f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.634706Z", - "modified": "2021-02-10T06:49:35.634706Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--35365158-0007-49fa-bc45-da311d3c6246", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2020-08-21T20:49:59.565262Z", + "modified": "2022-09-08T18:26:13.20246Z", + "name": "Jump/Call Absolute Address", + "description": "Relative operands of jumps and calls into are made absolute (better compression). 
May confuse some basic block detection algorithms.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-optimization.md", + "external_id": "B0034.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d1f3731f-61f7-45f4-be59-c3028c327241", + "id": "attack-pattern--9406d0e3-7e61-42c9-8532-a35459deb4e7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.603292Z", - "modified": "2020-08-21T20:50:04.603292Z", - "relationship_type": "uses", - "description": "Dumping Kraken's c.dll module from the heap of its own process is tricky because its PE-header is wiped out.", - "source_ref": "malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa", - "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9", + "created": "2020-08-21T20:49:59.492261Z", + "modified": "2022-09-08T18:26:13.284658Z", + "name": "Check Windows - Title bars", + "description": "Malware may check windows for VM-related characteristics. 
May inject malicious code to svchost.exe to check all open window title bar text to a list of strings indicating virtualized environment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.022" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d1f3d7b0-343a-49fb-a5f8-44eee2b1771a", + "id": "attack-pattern--e399ce8e-2c1d-4bc4-9669-308cb99f1e10", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.544446Z", - "modified": "2021-02-10T06:49:35.544446Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e39e7007-c7b1-4a8c-a1c1-5f94ea3ae8fa", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2021-02-10T06:49:31.993484Z", + "modified": "2022-09-08T18:26:13.390839Z", + "name": "Skipjack::Encrypt Data", + "description": "Malware encrypts with the Skipjack block cipher algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.013" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d1fbba93-1094-40ba-b1d7-a34a205cb8bf", + "id": 
"attack-pattern--da0fe52b-e2c5-4574-a572-09c999c86b59", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.682848Z", - "modified": "2021-02-10T06:49:35.682848Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--f4ee9b7f-24f9-4c1c-9f4d-54d3e6eb47da", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", + "created": "2022-02-04T23:52:35.877737Z", + "modified": "2022-09-08T18:26:13.243115Z", + "name": "Deposited Keys", + "description": "Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system. Also see Environmental Keys Method.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", + "external_id": "B0025.008" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d24a0361-8f68-4707-840e-780133205819", + "id": "attack-pattern--5f9d93b4-1083-440c-a170-eb181041fc56", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.497442Z", - "modified": "2021-02-10T06:49:35.497442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--155facb0-bb4a-4df0-b276-70c16f4c12f9", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + 
"created": "2020-08-21T20:49:59.843259Z", + "modified": "2022-02-05T00:37:22.757347Z", + "name": "InternetReadFile::WinINet", + "description": "Reads data from an open Internet file (URL data).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", + "external_id": "C0005.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d2b79a97-9aa2-4615-982a-469a502dcd48", + "id": "attack-pattern--ab699bec-3a3f-498f-a658-1eabe6fe90c9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.639963Z", - "modified": "2021-02-10T06:49:35.639963Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--80d3bfbb-e88b-4396-9233-9fc88096a938", - "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", + "created": "2021-02-10T06:49:31.981483Z", + "modified": "2022-09-08T18:26:13.372406Z", + "name": "Create UDP Socket::Socket Communication", + "description": "A UDP socket is created.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.010" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d2d5d68b-caa0-4b05-a297-3daca76d583e", + 
"id": "attack-pattern--6287eb18-a197-4822-b0f5-99b4237fe18a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.509442Z", - "modified": "2021-02-10T06:49:35.509442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--dcd263ce-1f73-4f82-a7cf-5571498a8d36", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.708261Z", + "modified": "2022-09-08T18:26:13.217002Z", + "name": "Process detection - SysInternals Suite Tools", + "description": "Malware can scan for the process name associated with common analysis tools. Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", + "external_id": "B0013.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d2fca808-645a-4fb7-a796-5e48ee844732", + "id": "attack-pattern--d10a18cc-23b6-4421-82e1-1ba28319012b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.483443Z", - "modified": "2021-02-10T06:49:35.483443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--200ecf0e-33a7-4a9c-af4a-a3033b64e238", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.90926Z", + "modified": "2022-09-08T18:26:13.256882Z", + "name": "Kernel Modules and Extensions", + "description": "Malware may use loadable kernel modules to persist on a system. 
For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. Malware may try to hide drivers or modules by creating them without a name.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/kernel-modules-and-extensions.md", + "external_id": "F0010" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d3f7d57c-cc02-490d-bd13-834106887821", + "id": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.543445Z", - "modified": "2021-02-10T06:49:35.543445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b16029de-92c1-4b77-b334-733f0d099ecd", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2021-02-10T06:49:31.986482Z", + "modified": "2022-09-08T18:26:13.382259Z", + "name": "Cryptographic Hash", + "description": "Malware may use a cryptographic hash.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", + "external_id": "C0029" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--d6637fcf-167b-40d3-9f07-194ccc99689b", + "id": "attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.536444Z", - "modified": "2021-02-10T06:49:35.536444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3aa1c4d4-06c4-4d48-bc44-601b29abded8", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2020-08-21T20:49:59.638268Z", + "modified": "2022-09-08T18:26:13.434399Z", + "name": "Alternative Installation Location", + "description": "Malware may install itself not as a file on the hard drive.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/alternative-installation-location.md", + "external_id": "B0027" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/synful-knock-acis" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d6c2d9fb-2437-4510-be5e-c7da4fabee98", + "id": "attack-pattern--38dad326-aeb6-4341-9a2b-233fcd5698cd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.545495Z", - "modified": "2021-02-10T06:49:35.545495Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--26d8815b-c8d1-4fc9-a6f6-218c0436b7a1", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2020-08-21T20:49:59.582262Z", + "modified": "2022-02-05T00:37:22.585511Z", + 
"name": "Themida", + "description": "Uses Themida.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.011" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d7d50e3f-f477-4260-8932-928e09d6d765", + "id": "attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.678443Z", - "modified": "2021-02-10T06:49:35.678443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d447c221-2ab5-4378-bb19-78b97869fa58", - "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae", + "created": "2020-08-21T20:49:59.684261Z", + "modified": "2022-02-05T00:37:22.648018Z", + "name": "Polymorphic Code", + "description": "Polymorphic code, a file with the same functionality but different execution, is created, often on the fly, making it difficult to detect. This behavior includes metamorphic code where the code is changed (not just executed differently), but with the behavior the same. 
Polymorphic Code behavior is typically identified through analysis of related samples.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/polymorphic-code.md", + "external_id": "B0029" + }, + { + "source_name": "external_source", + "url": "https://www.mccormick.northwestern.edu/eecs/documents/tech-reports/2010-2014/evaluating-android-anti-malware-against-transformation-attacks.pdf" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d921ecba-5b38-46e4-9929-35e2071c3a00", + "id": "attack-pattern--5389958e-188f-453f-ba90-e886291f200e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.597586Z", - "modified": "2021-02-10T06:49:35.597586Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--6dfa5d14-e016-4572-a2c9-ca4f697c7a14", - "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", + "created": "2020-08-21T20:49:59.705262Z", + "modified": "2022-09-08T18:26:13.215097Z", + "name": "Process detection", + "description": "Malware can scan for the process name associated with common analysis tools.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", + "external_id": "B0013.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - 
"id": "relationship--d93cf5e4-950c-4d4e-b943-0bfb615e266c", + "id": "attack-pattern--a9dd9c1d-b3dd-4dec-9ab2-1a99f1f3e483", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.578443Z", - "modified": "2021-02-10T06:49:35.578443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--74f89ee2-f4c0-4221-8951-e3a8f1fc449b", - "target_ref": "attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd", + "created": "2022-02-04T23:52:35.736174Z", + "modified": "2022-09-08T18:26:13.277363Z", + "name": "Patch MmGetPhysicalMemoryRanges", + "description": "Patching this function to always return NULL prevents drivers from getting information about the physical address space layout, preventing memory dumps.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md", + "external_id": "B0006.011" + }, + { + "source_name": "external_source", + "description": "J. Stuttgen, M. 
Cohen, Anti-forensic resilient memory acquisition,", + "url": "https://www.dfrws.org/sites/default/files/session-files/paper-anti-forensic_resilient_memory_acquisition.pdf" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d9e32737-c7be-41bb-925e-424b55bd7c10", + "id": "attack-pattern--a0021942-1e00-442e-8ed8-285293eeb5e9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.452445Z", - "modified": "2021-02-10T06:49:35.452445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5b65a982-2a1d-4b32-ad40-b9e05b4d0284", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2021-02-10T06:49:31.986482Z", + "modified": "2022-09-08T18:26:13.381759Z", + "name": "Snefru::Cryptographic Hash", + "description": "Malware uses a Snefru hash.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/cryptographic-hash.md", + "external_id": "C0029.006" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--d9f13e0b-1d12-408a-879a-aabaf669aa3e", + "id": "attack-pattern--e7d60710-0081-4d47-9fd3-3e2d410828e7", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.586443Z", - "modified": "2021-02-10T06:49:35.586443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5389958e-188f-453f-ba90-e886291f200e", - "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", + "created": "2021-02-10T06:49:31.922997Z", 
+ "modified": "2022-09-08T18:26:13.40666Z", + "name": "Encoding-Standard Algorithm", + "description": "A standard algorithm (e.g., base64) is used to encode a malware sample, file, or other information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", + "external_id": "E1027.m02" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--da2cf324-3633-4e1b-97ef-6fa9afa8ce2e", + "id": "attack-pattern--dad3c536-a9a6-492b-baae-4353f2c6f601", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.585443Z", - "modified": "2021-02-10T06:49:35.585443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--e82333e9-4719-464b-87d9-164c6b00cb5d", - "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", + "created": "2021-02-10T06:49:31.923443Z", + "modified": "2022-09-08T18:26:13.407875Z", + "name": "Encryption of Code", + "description": "A file's executable code is encrypted, but not necessarily the file's data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", + "external_id": "E1027.m06" + } + ], 
+ "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--dc0547b4-1a0f-459d-b30d-0b2d841bead5", + "id": "attack-pattern--e5fd1ce1-e1a7-4f9c-b757-58b6895fef2d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.457445Z", - "modified": "2021-02-10T06:49:35.457445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--85d9ce2b-1b52-4de5-8b03-74ed590639d6", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2021-02-10T06:49:31.989483Z", + "modified": "2022-09-08T18:26:13.385545Z", + "name": "HC-256::Decrypt Data", + "description": "Malware decrypts data encrypted with the HC-256 algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/decrypt-data.md", + "external_id": "C0031.007" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--dd089615-2252-4134-8a85-f0776ce79bde", + "id": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.643406Z", - "modified": "2021-02-10T06:49:35.643406Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c", - "target_ref": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b", + "created": "2021-02-10T06:49:31.983492Z", + "modified": "2022-09-08T18:26:13.37587Z", + "name": "Socket Communication", + "description": "This micro-behavior focuses on socket (TCP, UDP) communication.", 
+ "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/synful-knock-acis" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--dd3c58e9-b02b-451c-92b4-e294f84bad4a", + "id": "attack-pattern--94813d2d-0eb5-4037-8c03-07896bd7233b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.585443Z", - "modified": "2021-02-10T06:49:35.585443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--62792aba-aba0-4623-b7b7-479bae7d314b", - "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", + "created": "2020-08-21T20:49:59.842259Z", + "modified": "2022-02-05T00:37:22.757347Z", + "name": "InternetConnect::WinINet", + "description": "Opens an FTP or HTTP session for a given site.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md", + "external_id": "C0005.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--dd6e0f89-378c-40df-ae01-6700146fd7f5", + "id": "attack-pattern--6ac62da2-e142-4fca-afba-bc0a0722cefc", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.48848Z", - "modified": "2021-02-10T06:49:35.48848Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d83c8fbc-c7bf-4108-ba64-f1a9ac737da1", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.87426Z", + "modified": "2022-09-08T18:26:13.340987Z", + "name": "Heap Spray", + "description": "Malware may use heap spraying to write a sequence of bytes on the heap section of a process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "memory-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/heap-spray.md", + "external_id": "C0006" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--dd9c6578-5364-41b2-a576-7f06aae7afbf", + "id": "attack-pattern--97024953-18b1-43d8-adf2-207ac2dca44e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.613258Z", - "modified": "2020-08-21T20:50:04.613258Z", - "relationship_type": "uses", - "description": "From the command line, drops and unzips a password-protected Cabinet archive file.", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4", + "created": "2020-08-21T20:49:59.479261Z", + "modified": "2022-09-08T18:26:13.323623Z", + "name": "Check for Emulator-related Files", + "description": "Checks whether particular files (e.g., QEMU files) exist.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md", + "external_id": "B0004.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--de382962-a3f9-4076-aa38-988f8559a34f", + "id": "attack-pattern--3cb4d50f-649d-4b09-b9a4-151bcc7ebc43", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.48548Z", - "modified": "2021-02-10T06:49:35.48548Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--93bd89e3-9cfd-47f6-9fed-bb13b58acd82", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.560265Z", + "modified": "2022-09-08T18:26:13.194111Z", + "name": "Merged Code Sections", + "description": "Merge all sections resulting in just one entry in the sections table to make readability more difficult. 
May affect some detection signatures if written to be section dependent.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md", + "external_id": "B0032.015" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--de493b3b-3b2d-4cf8-bc7c-c5831cb22a8d", + "id": "attack-pattern--37eb387f-ecb3-4098-926b-2e1d2c3da16e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a03af833-a578-465a-bf8c-43c9db4f4775", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2020-08-21T20:49:59.828261Z", + "modified": "2022-09-08T18:26:13.361519Z", + "name": "Server Connect::SMTP Communication", + "description": "Connects to an smtp server.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/smtp-communication.md", + "external_id": "C0012.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--de5218cb-6a46-4b8b-bbd7-511edbd5ee67", + "id": "attack-pattern--1ef444d5-6292-4701-be04-7d8bbd677b95", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.69636Z", - "modified": "2021-02-10T06:49:35.69636Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--20bb8954-7d15-4f3f-b015-6de301407391", - "target_ref": "attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a", + "created": "2021-02-10T06:49:31.993484Z", + "modified": "2022-09-08T18:26:13.390211Z", + "name": "RC6::Encrypt Data", + "description": "Malware encrypts with the RC6 algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.010" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--dec218fe-55ec-41f2-b7a1-96d74c793989", + "id": "attack-pattern--0a5b94d6-6800-4855-8cd9-d100af9f67d9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.606443Z", - "modified": "2021-02-10T06:49:35.606443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--623daf49-2a74-4fd8-a7f0-e11a8475999f", - "target_ref": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", + "created": "2022-09-08T18:26:13.313959Z", + "modified": "2022-09-08T18:26:13.313959Z", + "name": "Interruption", + "description": "If an interruption is mishandled by the debugger, it can cause a single-byte instruction to be inadvertently skipped, which can be detected by malware. 
Examples include Interrupt 0x2d and Interrupt 1 [7].", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.006" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--deed659f-e020-4b4a-a83c-fe7216aa5cc9", + "id": "attack-pattern--fd682f82-1a49-4f4f-8ff8-18ef8c3d0f8b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.691089Z", - "modified": "2021-02-10T06:49:35.691089Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3d502650-c707-4d28-b520-f440faa33ade", - "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", + "created": "2020-08-21T20:49:59.823261Z", + "modified": "2022-09-08T18:26:13.368213Z", + "name": "Create Pipe::Interprocess Communication", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md", + "external_id": "C0003.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--df269863-bfd7-413d-96bc-5b8009d8032d", + "id": "attack-pattern--7c01a0a6-5081-4609-9546-120f0652f1d4", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.610253Z", - 
"modified": "2020-08-21T20:50:04.610253Z", - "relationship_type": "uses", - "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", - "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4", + "created": "2020-08-21T20:49:59.483264Z", + "modified": "2022-09-08T18:26:13.285906Z", + "name": "Human User Check", + "description": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. Directories or file might be counted. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel, change in foreground window . This method is very similar to ATT&CK's [Virtualization/Sandbox Evasion: User Activity Based Checks](https://attack.mitre.org/techniques/T1497/002/) sub-technique.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.012" + }, + { + "source_name": "external_source", + "url": "https://github.com/LordNoteworthy/al-khaser" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e0398d36-3ea5-4a01-be20-c154804c4f73", + "id": "attack-pattern--89bb05dd-fd11-40c4-918e-db0c3cde0955", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.604253Z", - "modified": "2020-08-21T20:50:04.604253Z", - "relationship_type": "uses", - "description": "Installs a backdoor.", - "source_ref": 
"malware--508cadaa-4fd5-4105-803e-8944e388ee45", - "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae", + "created": "2021-02-10T06:49:31.922442Z", + "modified": "2022-09-08T18:26:13.406185Z", + "name": "Encoding-Custom Algorithm", + "description": "A custom algorithm is used to encode a malware sample, file or other information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/obfuscated-files-or-information.md", + "external_id": "E1027.m03" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e05cfe37-204c-40d0-9c8e-6634941d59d8", + "id": "attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.559442Z", - "modified": "2021-02-10T06:49:35.559442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--42cea877-6723-4126-a016-6f2b8954eb6b", - "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439", + "created": "2020-08-21T20:49:59.82226Z", + "modified": "2022-09-08T18:26:13.367861Z", + "name": "Connect Pipe::Interprocess Communication", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md", + "external_id": 
"C0003.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e145ee98-24cb-466b-b8c8-ed6ebea0c410", + "id": "attack-pattern--b7727763-8ffd-4588-b8a1-15168d18f0dd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.457445Z", - "modified": "2021-02-10T06:49:35.457445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8b39b092-d827-4e58-9b67-a9b9e8c6f297", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.493266Z", + "modified": "2022-09-08T18:26:13.284903Z", + "name": "Check Windows - Unique windows", + "description": "Malware may check windows for VM-related characteristics. May check for the presence of known windows from analysis tools running in a VM.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.021" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e155da38-a648-43ee-98dc-cc74126497df", + "id": "attack-pattern--befe8d09-ebeb-4a60-89a4-9efaaf325e9b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.595442Z", - "modified": "2021-02-10T06:49:35.595442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--c2e926cc-5d54-4cce-91f3-acf946574563", - "target_ref": "attack-pattern--739b9d69-ce7d-4ef5-b39e-9bcdb6796200", + "created": "2022-02-04T23:52:36.109082Z", + "modified": "2022-09-08T18:26:13.4016Z", + 
"name": "Get Variable::Environment Variable", + "description": "Malware gets an environment variable.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "operating-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/environment-variable.md", + "external_id": "C0034.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e15715b4-5c0e-4cc9-8e53-570f49781ea7", + "id": "attack-pattern--f286389b-6374-4b58-ae99-975a32ad18ce", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.994215Z", - "modified": "2022-02-04T23:52:40.994215Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--74d536e7-5fb3-4633-8f42-ca413aa2beea", - "target_ref": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", + "created": "2020-08-21T20:49:59.522264Z", + "modified": "2022-09-08T18:26:13.32674Z", + "name": "Demo Mode", + "description": "Inclusion of a demo binary/mode that is executed when token is absent or not privileged enough.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e1b148c6-22c8-4cd4-9c09-cd6c935aa8a3", + "id": 
"attack-pattern--c8a2e7c9-e359-43de-ba00-ca147397701e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.598251Z", - "modified": "2020-08-21T20:50:04.598251Z", - "relationship_type": "uses", - "description": "Bagle uses its own SMTP engine to mass-mail itself as an attachment from an infected computer.", - "source_ref": "malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b", - "target_ref": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e", + "created": "2021-02-10T06:49:32.011483Z", + "modified": "2022-02-05T00:37:22.788643Z", + "name": "Copy File", + "description": "Malware copies a file.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "file-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/copy-file.md", + "external_id": "C0045" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e1c53003-22cd-41c0-bc29-57e5646b7107", + "id": "attack-pattern--99bd055e-cadd-4ed3-94a4-b21570cd8350", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.605287Z", - "modified": "2020-08-21T20:50:04.605287Z", - "relationship_type": "uses", - "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b", - "target_ref": "attack-pattern--5d116564-0ef7-4791-9a34-e86d81840b49", + "created": "2020-08-21T20:49:59.598261Z", + "modified": "2022-02-05T00:37:22.601096Z", + "name": "Polling", + "description": "Keystrokes are captured via polling (e.g., user32.GetAsyncKeyState, user32.GetKeyState).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + 
"phase_name": "credential-access" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/keylogging.md", + "external_id": "F0002.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e1fe7576-a4b1-4a06-9ca2-65c901aa6592", + "id": "attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.567485Z", - "modified": "2021-02-10T06:49:35.567485Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b5d3d3c7-f9bd-4d61-8a73-593972018a8b", - "target_ref": "attack-pattern--7069df4d-92ef-4a18-b5a5-bf27dc9ef446", + "created": "2021-02-10T06:49:32.029444Z", + "modified": "2022-09-08T18:26:13.401839Z", + "name": "Environment Variable", + "description": "Malware modifies environment variables.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "operating-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/environment-variable.md", + "external_id": "C0034" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e25cc016-f6d4-4d58-901c-11559f4312e3", + "id": "attack-pattern--f1212d9e-3af6-4ef4-a19e-ff2793564ffd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.552443Z", - "modified": "2021-02-10T06:49:35.552443Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--83892ea2-fded-49dd-bca7-d415f8fea8f9", - "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c", + "created": "2020-08-21T20:49:59.849262Z", + "modified": "2022-09-08T18:26:13.396248Z", + "name": "rand::Generate Pseudo-random Sequence", + "description": "Malware generates a pseudo-random sequence using rand.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md", + "external_id": "C0021.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e27c5b46-0731-4c9b-8428-f92a0a636b4b", + "id": "attack-pattern--8cae892e-69de-4f27-a49c-a369c2f8f20a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.665444Z", - "modified": "2021-02-10T06:49:35.665444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--94813d2d-0eb5-4037-8c03-07896bd7233b", - "target_ref": "attack-pattern--7c9e2694-0dce-4dc3-aa06-199d5d002a05", + "created": "2021-02-10T06:49:32.003478Z", + "modified": "2022-09-08T18:26:13.335406Z", + "name": "Decode Data", + "description": "Malware may decode data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/decode-data.md", + "external_id": "C0053" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + 
"type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e28c8b1d-cbae-4ab6-9def-123c71c2f2e5", + "id": "attack-pattern--be9f9f28-01bb-4b94-b973-14f06a71c968", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.656443Z", - "modified": "2021-02-10T06:49:35.656443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ab699bec-3a3f-498f-a658-1eabe6fe90c9", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.47626Z", + "modified": "2022-09-08T18:26:13.321926Z", + "name": "WudfIsAnyDebuggerPresent", + "description": "Includes use of WudfIsAnyDebuggerPresent, WudfIsKernelDebuggerPresent, WudfIsUserDebuggerPresent.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.031" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e2cbbfd6-92c0-4058-979e-2d61ff9c49e2", + "id": "attack-pattern--fbaedc87-7d0b-447c-a9e5-0f6c2658770a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.467445Z", - "modified": "2021-02-10T06:49:35.467445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ae167f71-8166-4906-97ba-8b9efb6daca2", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.721261Z", + "modified": "2022-09-08T18:26:13.245148Z", + "name": "Suicide Exit", + "description": "Malware terminates its execution based on a trigger condition or value (or because it has 
completed).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", + "external_id": "B0025.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e3c2dd0c-247b-437a-819a-b2d6a2382c94", + "id": "attack-pattern--187b4cd8-132e-4514-9ad2-e0b20abc2b70", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.607256Z", - "modified": "2020-08-21T20:50:04.607256Z", - "relationship_type": "uses", - "description": "Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFICE.", - "source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.479261Z", + "modified": "2022-09-08T18:26:13.324366Z", + "name": "Emulator Detection", + "description": "Detects whether the malware instance is being executed inside an emulator. 
If so, conditional execution selects a benign execution path.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-detection.md", + "external_id": "B0004" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e4653e74-bf01-43da-966a-bfb8e878d2e4", + "id": "attack-pattern--bab113ca-bbe4-4b39-bcac-d7fa7325b1e9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.502442Z", - "modified": "2021-02-10T06:49:35.502442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--0e87261d-5234-4ccb-87c1-2f9bb32b5c11", - "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644", + "created": "2020-08-21T20:49:59.547264Z", + "modified": "2022-09-08T18:26:13.189329Z", + "name": "Two-layer Function Return", + "description": "Two layer jumping confuses tools plotting call graphs.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/call-graph-generation-evasion.md", + "external_id": "B0010.001" + }, + { + "source_name": "external_source", + "url": 
"http://fumalwareanalysis.blogspot.com/2012/01/malware-analysis-tutorial-10-tricks-for.html" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e5832f12-846f-4b6d-9c75-f88815a156c3", + "id": "attack-pattern--0e2fb8df-bef3-4664-88f9-f6614b80f107", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.577443Z", - "modified": "2021-02-10T06:49:35.577443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5280b393-729d-43d5-b9e7-81da3d31b450", - "target_ref": "attack-pattern--f05383f9-1d15-4eb9-97a4-13812f310acd", + "created": "2020-08-21T20:49:59.502264Z", + "modified": "2022-09-08T18:26:13.290615Z", + "name": "Modern Specs Check - Total physical memory", + "description": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment. Most modern machines have at leave 4 GB of memory. 
(GlobalMemoryStatusEx) .", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.014" + }, + { + "source_name": "external_source", + "url": "https://github.com/LordNoteworthy/al-khaser" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e59f3937-5414-47ad-a701-e29e904dbea1", + "id": "attack-pattern--28c6f55a-126f-436b-ab2e-af77f91d0cec", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.571485Z", - "modified": "2021-02-10T06:49:35.571485Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d61e7edf-865e-4d88-99cb-09dad9e44195", - "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a", + "created": "2020-08-21T20:49:59.597265Z", + "modified": "2022-02-05T00:37:22.601096Z", + "name": "Application Hook", + "description": "Keystrokes are captured with an application hook.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/keylogging.md", + "external_id": "F0002.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e6356d81-4891-4832-9399-ba361a9329db", + "id": 
"attack-pattern--200ecf0e-33a7-4a9c-af4a-a3033b64e238", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.698444Z", - "modified": "2021-02-10T06:49:35.698444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1dd62131-bc8e-4de7-b68a-1ea4c6b44c03", - "target_ref": "attack-pattern--a9530e23-d959-40a7-870a-bd6b29bee078", + "created": "2020-08-21T20:49:59.490263Z", + "modified": "2022-09-08T18:26:13.282665Z", + "name": "Check Processes", + "description": "The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. Malware can list the process and searches for the VMware string. Process related to Virtualbox can be detected by malware by query the process list.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.004" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e6cf4711-6b56-4f70-b70e-912b230c6c26", + "id": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.496474Z", - "modified": "2021-02-10T06:49:35.496474Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--98cc634e-8ebb-4c19-b3f1-bea0abef18ae", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.817261Z", + "modified": 
"2022-09-08T18:26:13.367356Z", + "name": "HTTP Communication", + "description": "This micro-behavior is related to HTTP communication.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e74dd571-aa94-42bc-becc-a25b981dccbd", + "id": "attack-pattern--2f605aaf-790b-4ba1-9603-3b14cf2f1c52", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.49545Z", - "modified": "2021-02-10T06:49:35.49545Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--cada9d62-2163-42e3-88ec-d37e2ade1030", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.850262Z", + "modified": "2022-09-08T18:26:13.397009Z", + "name": "Generate Pseudo-random Sequence", + "description": "The Generate Pseudo-random Sequence microbehavior can be used for a number of purposes. 
The methods below include specific functions, as well as pseudorandom number generators (PRNG).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/generate-pseudorandom-sequence.md", + "external_id": "C0021" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e75305d8-b1a5-40e9-a116-b3ed4bf97c45", + "id": "attack-pattern--7c77b8ac-f548-48ae-813d-028de1a8d9fd", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.475444Z", - "modified": "2021-02-10T06:49:35.475444Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--0985829f-204f-4760-8ece-ff0f3031a715", - "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739", + "created": "2020-08-21T20:49:59.70226Z", + "modified": "2022-09-08T18:26:13.423241Z", + "name": "Self Deletion", + "description": "Malware may uninstall itself to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/self-deletion.md", + "external_id": "F0007" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/hot-knives-through-butter-evading-file-based-sandboxes" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"relationship--e75ee57b-7d71-4412-a60c-c8c567a59312", + "id": "attack-pattern--0eb664b8-73e1-4799-9e22-277ab898579d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.614582Z", - "modified": "2021-02-10T06:49:35.614582Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--6c07f7cb-fd9d-4acf-9b99-b15ecafc8dca", - "target_ref": "attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a", + "created": "2020-08-21T20:49:59.728262Z", + "modified": "2022-09-08T18:26:13.241603Z", + "name": "Sysinternals", + "description": "Sysinternals tools are used for additional command line functionality.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md", + "external_id": "E1203.m05" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e8485cd9-001e-4669-91f8-04a7a825dacb", + "id": "attack-pattern--a5bc5daf-255e-4e9b-a4c4-508dc3a434ff", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.612264Z", - "modified": "2020-08-21T20:50:04.612264Z", - "relationship_type": "uses", - "description": "Injects secondary payload into memory.", - "source_ref": "malware--5dcefe05-4ead-4f84-9919-ebefe968df27", - "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754", + "created": "2020-08-21T20:49:59.754261Z", + "modified": "2022-09-08T18:26:13.273564Z", + "name": "Exfiltrate via File Hosting Service", + "description": "Malware may exfiltrate files to a file hosting location.", + 
"kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/automated-exfiltration.md", + "external_id": "E1020.m01" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e875346c-2c5a-4883-89a8-e503b3f9fb4a", + "id": "attack-pattern--d27a6bf4-7e7b-4007-9301-20eec9d8fe20", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.708458Z", - "modified": "2021-02-10T06:49:35.708458Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--58245c62-d50e-40d4-b31e-63902657709f", - "target_ref": "attack-pattern--e04595b9-234a-4495-a9ca-25c78e137291", + "created": "2021-02-10T06:49:31.981483Z", + "modified": "2022-09-08T18:26:13.372896Z", + "name": "Connect Socket::Socket Communication", + "description": "A server or client connects via a TCP socket.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e8b38f28-8c46-4c31-8036-45571c33dde5", + "id": "attack-pattern--7aa33db8-4800-430a-8068-8b57b85a9b8a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.456445Z", - "modified": 
"2021-02-10T06:49:35.456445Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--89594c9d-1e28-49a2-8969-694ade43e857", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2020-08-21T20:49:59.512264Z", + "modified": "2022-09-08T18:26:13.305611Z", + "name": "Inlining", + "description": "Variation of static linking where full API code inserted everywhere it would have been called.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md", + "external_id": "B0002.011" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e8f8a804-2731-4b39-b6d5-198c6be769ad", + "id": "attack-pattern--006afc45-b6df-4e75-8102-b38ccb09db58", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.502442Z", - "modified": "2021-02-10T06:49:35.502442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3a9b6fab-01af-47ef-9563-69427ed4090c", - "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859", + "created": "2020-08-21T20:49:59.90226Z", + "modified": "2022-02-05T00:37:22.835477Z", + "name": "Router Firmware", + "description": "Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. This is accomplished by using default or acquired credentials to gain access to a router and to install a backdoor. The implant resides within a modified Cisco IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. 
However, any further modules loaded by the attacker will only exist in the router's volatile memory and will not be available for use after reboot. Known affected hardware includes Cisco routers 1841, 2811, and 3825.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/component-firmware.md", + "external_id": "F0009.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e8fc5f25-a362-45e2-b289-f676377faee9", + "id": "attack-pattern--54c7f1ed-7132-4022-8f3e-3fd4e5b88169", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.613258Z", - "modified": "2020-08-21T20:50:04.613258Z", - "relationship_type": "uses", - "description": "Executes differently depending on whether it's running on an x86 or x64 system.", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", + "created": "2022-02-04T23:52:36.109082Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Enumerate Threads", + "description": "Malware enumerates threads.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/enumerate-threads.md", + "external_id": "C0064" + } 
+ ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e995ac4c-4fa0-4166-b29c-241a37dafc41", + "id": "attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.962929Z", - "modified": "2022-02-04T23:52:40.962929Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--c44b1c58-8da1-4ebe-a427-a9f2821e7a85", - "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63", + "created": "2020-08-21T20:49:59.507263Z", + "modified": "2022-09-08T18:26:13.279541Z", + "name": "Capture Evasion", + "description": "Malware has characteristics enabling it to evade capture from the infected system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/capture-evasion.md", + "external_id": "B0036" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--e9f86b70-5b39-4c87-ba9c-a6753c8f03d0", + "id": "attack-pattern--a60432c5-54ee-4c76-be1b-409f3f0e4795", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.608257Z", - "modified": "2020-08-21T20:50:04.608257Z", - "relationship_type": "uses", - "description": "SamSam is ransomware.", - "source_ref": "malware--a456fdcd-68f2-46fb-adb0-97c6817338c9", - "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd", + "created": "2022-02-04T23:52:35.928367Z", + "modified": "2022-09-08T18:26:13.270304Z", + "name": "Ransom Note", + "description": "Ransomware displays a ransom 
note. Ransom notes are sometimes used to link instances of ransomware, even when the code or anti-analysis techniques change.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-encrypted-for-impact.md", + "external_id": "E1486.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ea3c0465-c8bd-402a-a907-35c32d0b4d67", + "id": "attack-pattern--f919567a-9038-415c-a76b-10c702d929b0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.461442Z", - "modified": "2021-02-10T06:49:35.461442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ff838892-3d1a-46ba-a3f5-5787e0e82830", - "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb", + "created": "2021-02-10T06:49:32.038481Z", + "modified": "2022-09-08T18:26:13.357284Z", + "name": "Resume Thread", + "description": "Malware typically resumes a thread in order to execute previously injected code (e.g., in the course of the [Process Injection::Process Hollowing](https://github.com/MBCProject/mbc-markdown/blob/v2.3/https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/resume-thread.md", + "external_id": "C0054" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": 
"relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ea58d3c1-8cd8-406c-9816-fc9fca3b9657", + "id": "attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.602253Z", - "modified": "2020-08-21T20:50:04.602253Z", - "relationship_type": "uses", - "description": "Stores malware files in the Registry instead of the hard drive.", - "source_ref": "malware--fa095747-0ca8-4965-a222-cf1fe7647e12", - "target_ref": "attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29", + "created": "2021-02-10T06:49:31.965484Z", + "modified": "2022-02-05T00:37:22.726134Z", + "name": "Modify Hardware", + "description": "Malware modifies hardware.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/modify-hardware.md", + "external_id": "B0042" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--eaa586d2-6279-4254-9a97-260e41a91a94", + "id": "attack-pattern--2bf1a1a6-82ff-4e52-b11c-bd2d0495e830", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.945699Z", - "modified": "2022-02-04T23:52:40.945699Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8a7350ca-f1f6-42db-9fbf-aa110d02e338", - "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263", + "created": "2021-02-10T06:49:32.033478Z", + "modified": "2022-02-05T00:37:22.819853Z", + "name": "Wallpaper", + "description": "Malware modifies the wallpaper.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": 
"operating-system-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/wallpaper.md", + "external_id": "C0035" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--eb80b1d5-e2dd-454f-86f3-b1459c75df93", + "id": "attack-pattern--e82333e9-4719-464b-87d9-164c6b00cb5d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:34.891442Z", - "modified": "2021-02-10T06:49:34.891442Z", - "relationship_type": "uses", - "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e", - "target_ref": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a", + "created": "2020-08-21T20:49:59.705262Z", + "modified": "2022-09-08T18:26:13.214168Z", + "name": "Known File Location", + "description": "Malware may detect an analysis tool by the presence of a file in a known location.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", + "external_id": "B0013.008" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ebcb5830-b06f-4524-ad33-1cb034d85e3c", + "id": "attack-pattern--f78bf329-48e4-4f8c-9468-0f8cd2ec08b5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.588443Z", - "modified": "2021-02-10T06:49:35.588443Z", - "relationship_type": "subtechnique-of", - "source_ref": 
"attack-pattern--42c0847a-d4e3-497e-9540-c691ae0364c1", - "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397", + "created": "2022-02-04T23:52:35.751794Z", + "modified": "2022-09-08T18:26:13.205746Z", + "name": "Data Flow Analysis Evasion", + "description": "Malware code evades data flow analysis (also known as information flow analysis and taint-tracking).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/data-flow-analysis-evasion.md", + "external_id": "B0045" + }, + { + "source_name": "external_source", + "url": "http://www.seclab.cs.sunysb.edu/seclab/pubs/antitaint.pdf" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ebfc4b94-6f8a-4c15-b814-788439c3a0d3", + "id": "attack-pattern--ded5f278-1acc-4f7b-be58-abc38e6b8436", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.693726Z", - "modified": "2021-02-10T06:49:35.693726Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5", - "target_ref": "attack-pattern--64b0c35c-a5fc-4410-aff8-0c85f9689f60", + "created": "2020-08-21T20:49:59.820261Z", + "modified": "2022-09-08T18:26:13.378078Z", + "name": "ICMP Communication", + "description": "This micro-behavior is related to ICMP communication.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/icmp-communication.md", + "external_id": "C0014" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ecceb8ef-d79b-4d04-8bc8-4c2e6d596891", + "id": "attack-pattern--b2320873-c5bb-4691-80f6-ffbd143b8b9a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.180442Z", - "modified": "2021-02-10T06:49:35.180442Z", - "relationship_type": "uses", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a", + "created": "2022-02-04T23:52:35.783046Z", + "modified": "2022-09-08T18:26:13.228169Z", + "name": "Execute Shell Command", + "description": "Execute/run the given command using a built-in program (e.g. cmd.exe, PowerShell, bash). This differs from Start Interactive Shell because the shell process is started only for the received command or set of commands and then exits. 
There is no loop looking for additional commands while the shell process is still running.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md", + "external_id": "B0030.014" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ecd59316-0917-4b71-978a-76afa548d9a4", + "id": "attack-pattern--fdd6cb04-8d0a-4808-b50a-0e7f8061b42b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.623442Z", - "modified": "2021-02-10T06:49:35.623442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--8c803835-6fd8-4af8-a178-be3e2dc43687", - "target_ref": "attack-pattern--83145b10-974b-4bcd-8547-1f441be18d36", + "created": "2021-02-10T06:49:32.042481Z", + "modified": "2022-09-08T18:26:13.353915Z", + "name": "Allocate Thread Local Storage", + "description": "Malware allocates thread local storage.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "process-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/allocate-thread-local-storage.md", + "external_id": "C0040" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ece75804-24e6-4f71-9c07-e8d812e62918", + "id": "attack-pattern--46c39f69-1900-4558-9c0d-2d9fe322dd41", "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.715443Z", - "modified": "2021-02-10T06:49:35.715443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--b1c9e70b-d514-4924-848d-c6403560e6c5", - "target_ref": "attack-pattern--d10a18cc-23b6-4421-82e1-1ba28319012b", + "created": "2021-02-10T06:49:31.972483Z", + "modified": "2022-09-08T18:26:13.363326Z", + "name": "Open URL::HTTP Communication", + "description": "HTTP client connects to a URL.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ed421b26-6209-4ac5-8474-50b017eeb281", + "id": "attack-pattern--2620e845-cb45-43b5-91a4-dd72dcf3339d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.701491Z", - "modified": "2021-02-10T06:49:35.701491Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1504bfdb-bc65-4fc2-9afd-8d2e82737dd6", - "target_ref": "attack-pattern--7855768b-8130-4981-8420-6e8a8d2a277a", + "created": "2020-08-21T20:49:59.492261Z", + "modified": "2022-09-08T18:26:13.284407Z", + "name": "Check Windows", + "description": "Malware may check windows for VM-related characteristics.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.009" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--edf19d0b-d821-4779-9688-9f828486204d", + "id": "attack-pattern--f277deb3-f676-4536-b7c0-8cc76354b631", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.498442Z", - "modified": "2021-02-10T06:49:35.498442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--5543a067-b312-42fa-8943-f58e3f709332", - "target_ref": "attack-pattern--243d3475-704e-4bc1-b8a6-42ca4bda02fc", + "created": "2020-08-21T20:49:59.674263Z", + "modified": "2022-09-08T18:26:13.27131Z", + "name": "Encoding", + "description": "Data is encoded.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", + "external_id": "E1560.m01" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ee5af496-814b-4795-ba99-408680134e85", + "id": "attack-pattern--b1937ce5-4376-4b5d-944e-5406d8501413", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.572482Z", - "modified": "2021-02-10T06:49:35.572482Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--91e25008-204c-4723-9c53-ca041c5fd2b1", - "target_ref": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", + "created": "2020-08-21T20:49:59.706262Z", + "modified": "2022-09-08T18:26:13.215656Z", + "name": "Process detection - PCAP 
Utilities", + "description": "Malware can scan for the process name associated with common analysis tools. Wireshark / Dumpcap", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/analysis-tool-discovery.md", + "external_id": "B0013.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ee6de7aa-11e1-442a-bbf8-2a8a110e57b4", + "id": "attack-pattern--d4aefa59-0817-4916-ad93-6ef174e070d3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.994215Z", - "modified": "2022-02-04T23:52:40.994215Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--a60432c5-54ee-4c76-be1b-409f3f0e4795", - "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd", + "created": "2022-02-04T23:52:35.751794Z", + "modified": "2022-09-08T18:26:13.205462Z", + "name": "Arbitrary Memory Corruption", + "description": "Data is propagated by corrupting memory, for example overwriting a region of stack space where a file pointer is held.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/data-flow-analysis-evasion.md", + "external_id": "B0045.003" + }, + { + "source_name": "external_source", + "url": "http://www.seclab.cs.sunysb.edu/seclab/pubs/antitaint.pdf" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": 
"attack-pattern", "spec_version": "2.1", - "id": "relationship--eea1dce5-cb18-42da-8ca2-cbf2ca30cbb7", + "id": "attack-pattern--ab2e210b-f2a3-4f50-b42a-7304b875429c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2022-02-04T23:52:40.97859Z", - "modified": "2022-02-04T23:52:40.97859Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--fdc4b63d-2ee4-49af-b2d4-2defeff3d87d", - "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae", + "created": "2021-02-10T06:49:31.915483Z", + "modified": "2022-09-08T18:26:13.42906Z", + "name": "Force Lazy Writing", + "description": "Some operating systems will sometimes use a form of \"lazy writing\" for disk I/O, which may obscure the true provenance of the write operation. This method occurs when code intentionally forces the operating system to perform a lazy writing operation. For example, in Windows, a file may be opened, memory mapped, and closed, but the memory map will still exist and can be written to, which will cause a lazy write that looks like it is coming from the System process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/disable-or-evade-security-tools.md", + "external_id": "F0004.006" + }, + { + "source_name": "external_source", + "description": "Alexander Adamov, Stealthy WastedLocker: eluding behavior blockers, but not only. 
Online:", + "url": "https://vblocalhost.com/conference/presentations/stealthy-wastedlocker-eluding-behaviour-blockers-but-not-only/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--eeaf78d0-1c5a-46e1-a0e6-031d5da5877a", + "id": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.492443Z", - "modified": "2021-02-10T06:49:35.492443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--1e4a21a9-2d09-48fc-bcea-13d1359f2bbd", - "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d", + "created": "2020-08-21T20:49:59.662262Z", + "modified": "2022-09-08T18:26:13.416183Z", + "name": "Hidden Files and Directories", + "description": "Malware may hide files and folders to avoid detection and/or to persist on the system. See potential methods below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hidden-files-and-directories.md", + "external_id": "F0005" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ef5f7499-451a-49fe-b39d-c624f250d50a", + "id": 
"attack-pattern--d3656287-db62-4856-860d-6b3ff60e23b2",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.609253Z",
- "modified": "2020-08-21T20:50:04.609253Z",
- "relationship_type": "uses",
- "description": "The Terminator rat evades a sandbox by not executing until after a reboot. Most sandboxes don't reboot during an analysis.",
- "source_ref": "malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce",
- "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739",
+ "created": "2020-08-21T20:49:59.489264Z",
+ "modified": "2022-09-08T18:26:13.281218Z",
+ "name": "Check File and Directory Artifacts",
+ "description": "Virtual machines create files on the file system (e.g., VMware creates files in the installation directory C:\\Program Files\\VMware\\VMware Tools). Malware can check the different folders to find virtual machine artifacts (e.g., Virtualbox has the artifact VBoxMouse.sys).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
+ "external_id": "B0009.001"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://search.unprotect.it/map/sandbox-evasion/"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f0c10f1d-a4db-4f0f-83c8-e9de21c5885c",
+ "id": "attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.631517Z",
- "modified": "2021-02-10T06:49:35.631517Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--fe662062-536d-43ca-912b-534a2936ddad",
- "target_ref": "attack-pattern--6f4c9cb2-1417-4f3e-a907-bce53e3a68a3",
+ "created": "2020-08-21T20:49:59.57126Z",
+ "modified": "2022-09-08T18:26:13.204156Z",
+ "name": "Executable Code Virtualization",
+ "description": "Original executable code is virtualized by translating the code into a special format that only a special virtual machine (VM) can run; the VM uses a customized virtual instruction set. A \"stub\" function calls the VM when the code is run. Virtualized code makes static analysis and reverse engineering more difficult; dumped code wonā€™t run without the VM.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-virtualization.md",
+ "external_id": "B0008"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://github.com/xiaoweime/WProtect"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f0cd9f17-b82b-48f4-883d-983432608abd",
+ "id": "attack-pattern--baae0d7a-88a9-479c-879e-9bbd0dea3bf0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.611257Z",
- "modified": "2020-08-21T20:50:04.611257Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6",
+ "created": "2020-08-21T20:49:59.523261Z",
+ "modified": "2022-09-08T18:26:13.327733Z",
+ "name": "Hook Interrupt",
+ "description": "Modification of interrupt vector or descriptor tables.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md",
+ "external_id": "B0003.008"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f1127fa4-bfd7-43ad-844c-258d37622784",
+ "id": "attack-pattern--e1be431c-d113-4b11-bfe1-ea117eefc3cf",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.641176Z",
- "modified": "2021-02-10T06:49:35.641176Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--2fdbb4b2-a02a-42de-a6de-2263b48392f1",
- "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e",
+ "created": "2022-09-08T18:26:13.397531Z",
+ "modified": "2022-09-08T18:26:13.397531Z",
+ "name": "Crypto Algorithm",
+ "description": "A known crypto algorithm is implemented in the code and it is unknown whether it is from a public crypto library.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "cryptography-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/crypto-algorithm.md",
+ "external_id": "C0068"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f138118b-38d7-40b0-beb2-155b691ade87",
+ "id": "attack-pattern--0985829f-204f-4760-8ece-ff0f3031a715",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.676443Z",
- "modified": "2021-02-10T06:49:35.676443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--f62b419a-6b84-4bc4-865c-b58abc012795",
- "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae",
+ "created": "2020-08-21T20:49:59.484262Z",
+ "modified": "2022-09-08T18:26:13.297178Z",
+ "name": "Injected DLL Testing",
+ "description": "Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
+ "external_id": "B0007.004"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f17d5ec4-580d-4000-9110-b817e63a7e8b",
+ "id": "attack-pattern--a90fbac2-8ec1-486c-85bf-6cb6269a5ea6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.481442Z",
- "modified": "2021-02-10T06:49:35.481442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--45c5ccc6-f44e-4b7e-b2af-d5b1a0d01cd2",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2020-08-21T20:49:59.788262Z",
+ "modified": "2022-09-08T18:26:13.260856Z",
+ "name": "Password Cracking",
+ "description": "Consume system resources for the purpose of password cracking.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/resource-hijacking.md",
+ "external_id": "B0018.001"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f280014a-68d1-48d4-8049-9ce3fd3a17c8",
+ "id": "attack-pattern--69f9ba6a-eb9e-4486-ae5e-fb7de1012c90",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.595442Z",
- "modified": "2021-02-10T06:49:35.595442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--1011a561-6f17-4f8d-874a-8ad491a2b470",
- "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9",
+ "created": "2020-08-21T20:49:59.72626Z",
+ "modified": "2022-09-08T18:26:13.240318Z",
+ "name": "File Transfer Protocol (FTP) Servers",
+ "description": "Malware leverages an FTP server.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/exploitation-for-client-execution.md",
+ "external_id": "E1203.m03"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f2b3c6e6-e5cd-40c3-a696-db320c47a2f8",
+ "id": "attack-pattern--352fc821-2bbf-4d2a-a9a2-3a69b3bac30c",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.497442Z",
- "modified": "2021-02-10T06:49:35.497442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--0be642a6-a030-4ecf-9c30-83f9cbc9fd56",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2021-02-10T06:49:31.974485Z",
+ "modified": "2022-09-08T18:26:13.365787Z",
+ "name": "Start Server::HTTP Communication",
+ "description": "HTTP server is started.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "communication-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
+ "external_id": "C0002.018"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f3502abe-1bdc-4944-9125-425dc5aff3da",
+ "id": "attack-pattern--916d6dca-adbc-4af9-b810-eb7cd72779c8",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.572482Z",
- "modified": "2021-02-10T06:49:35.572482Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--d850864e-1db4-40f3-b891-b1db177d48b3",
- "target_ref": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87",
+ "created": "2020-08-21T20:49:59.868262Z",
+ "modified": "2022-02-05T00:37:22.804261Z",
+ "name": "Load Driver",
+ "description": "Malware loads a device driver or minifilter.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "hardware-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/load-driver.md",
+ "external_id": "C0023"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f41fbd73-623e-4f83-a95b-09ee1bbeed75",
+ "id": "attack-pattern--0b6c8517-62d1-49c1-9a2d-9300806d1370",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.681443Z",
- "modified": "2021-02-10T06:49:35.681443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--becb5385-146e-42a3-a343-5beffc43a15c",
- "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f",
+ "created": "2021-02-10T06:49:31.973483Z",
+ "modified": "2022-09-08T18:26:13.364095Z",
+ "name": "Create Request::HTTP Communication",
+ "description": "HTTP client creates request.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "communication-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md",
+ "external_id": "C0002.012"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f426b305-9bfc-4427-8514-b050f602c6e1",
+ "id": "attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.493443Z",
- "modified": "2021-02-10T06:49:35.493443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--0e2fb8df-bef3-4664-88f9-f6614b80f107",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2020-08-21T20:49:59.594264Z",
+ "modified": "2022-09-08T18:26:13.220424Z",
+ "name": "Input Capture",
+ "description": "Malware captures user input.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/input-capture.md",
+ "external_id": "E1056"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blogs.cisco.com/security/talos/rombertik"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f4568b14-51ae-4baf-a443-15cba11405f1",
+ "id": "attack-pattern--e4678b94-bfec-402e-9682-17a32ae8c379",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.591482Z",
- "modified": "2021-02-10T06:49:35.591482Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--dd600655-8b9a-4a67-be72-3088d96e0e5a",
- "target_ref": "attack-pattern--767a1acf-9e83-4181-82cd-2bcb9d8871d9",
+ "created": "2020-08-21T20:49:59.503263Z",
+ "modified": "2022-09-08T18:26:13.292416Z",
+ "name": "Unique Hardware/Firmware Check - CPU Location",
+ "description": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. 
When an Operating System is virtualized, the CPU is relocated.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
+ "external_id": "B0009.027"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://search.unprotect.it/map/sandbox-evasion/"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f4652f50-9382-4d5c-9d3b-3b4bd79ce163",
+ "id": "attack-pattern--73478759-d9de-4bbd-a687-081c5f00c935",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.460442Z",
- "modified": "2021-02-10T06:49:35.460442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400",
- "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
+ "created": "2020-08-21T20:49:59.550264Z",
+ "modified": "2022-09-08T18:26:13.206796Z",
+ "name": "VBA Stomping",
+ "description": "Typically, VBA source code is compiled into p-code, which is stored with compressed sourced code in the OLE file with VBA macros. VBA Stomping - when the VBA source code is removed and only the p-code remains - makes analysis much harder. See for an analysis of a VBA-Stomped malicious VBA Office document. 
See for information on Evil Clippy, a tool that creates malicious MS Office documents.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md",
+ "external_id": "B0012.005"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://isc.sans.edu/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://boingboing.net/2019/05/05/p-code-r-us.html"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f4b8c20e-eece-4285-ae9d-b68a6cd0ac49",
+ "id": "attack-pattern--85da3a4e-287a-45b9-91d2-019b59af07e3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.945699Z",
- "modified": "2022-02-04T23:52:40.945699Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--2494ac41-5d2b-4112-903a-fdc2a09d376b",
- "target_ref": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439",
+ "created": "2020-08-21T20:49:59.473261Z",
+ "modified": "2022-09-08T18:26:13.319805Z",
+ "name": "Software Breakpoints",
+ "description": "(INT3/0xCC)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
+ "external_id": "B0001.025"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f536601a-3c17-4267-986a-51e27a08ada5",
+ "id": "attack-pattern--1a89f398-f3ef-484a-8735-024823241a11",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.514444Z",
- "modified": "2021-02-10T06:49:35.514444Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--48964591-554c-420d-896b-89ad16f17eec",
- "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9",
+ "created": "2022-02-04T23:52:35.871658Z",
+ "modified": "2022-09-08T18:26:13.210662Z",
+ "name": "Code Discovery",
+ "description": "Malware may inspect code or enumerate aspects.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/code-discovery.md",
+ "external_id": "B0046"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f6d8f34b-6a1e-4805-9482-962c26017251",
+ "id": "attack-pattern--fe662062-536d-43ca-912b-534a2936ddad",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.512444Z",
- "modified": "2021-02-10T06:49:35.512444Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--75109dae-5db7-4582-be8b-edcea907659d",
- "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9",
+ "created": "2021-02-10T06:49:31.971484Z",
+ "modified": "2022-09-08T18:26:13.376715Z",
+ "name": "WinINet::FTP Communication",
+ "description": "Send FTP command via WinINet.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "communication-micro-objective"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/ftp-communication.md",
+ "external_id": "C0004.002"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f6eab96c-3825-4127-8516-a98cffc3ec11",
+ "id": "attack-pattern--623daf49-2a74-4fd8-a7f0-e11a8475999f",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.638614Z",
- "modified": "2021-02-10T06:49:35.638614Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--352fc821-2bbf-4d2a-a9a2-3a69b3bac30c",
- "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e",
+ "created": "2020-08-21T20:49:59.768261Z",
+ "modified": "2022-02-05T00:37:22.71051Z",
+ "name": "Delete Application/Software",
+ "description": "An application or software is deleted.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md",
+ "external_id": "E1485.m03"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f84e13d4-ae67-4f1c-96fa-56a340d01b42",
+ "id": "attack-pattern--35a8f2ce-05e2-4a25-a469-e07a6360eee3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.611257Z",
- "modified": "2020-08-21T20:50:04.611257Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859",
+ "created": "2020-08-21T20:49:59.469264Z",
+ "modified": "2022-09-08T18:26:13.317913Z",
+ "name": "Process Environment Block IsDebugged",
+ "description": "The IsDebugged field is tested to determine whether the process is being debugged.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
+ "external_id": "B0001.037"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--f99239c7-9c45-4ca4-9c38-f4630792dcf2",
+ "id": "attack-pattern--3d34b429-1686-44be-8b63-bded4942cee7",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.600252Z",
- "modified": "2020-08-21T20:50:04.600252Z",
- "relationship_type": "uses",
- "description": "Primary behavior is encrypting data.",
- "source_ref": "malware--549d1c35-f214-4760-ab97-2142c66cf111",
- "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd",
+ "created": "2020-08-21T20:49:59.514301Z",
+ "modified": "2022-09-08T18:26:13.307383Z",
+ "name": "Pipeline Misdirection",
+ "description": "Take advantage of pipelining in modern processors to misdirect debugging, emulation, or static analysis tools. 
An unpacker can assume a certain number of opcodes will be cached and then proceed to overwrite them in memory, causing a debugger/emulator/analyzer to follow different code than is normally executed.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
+ "external_id": "B0002.018"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--fa38bbbd-0d90-4772-a08e-17efcff22b56",
+ "id": "attack-pattern--b4931f82-5f27-4329-a0c4-4f953195e6f1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.607256Z",
- "modified": "2020-08-21T20:50:04.607256Z",
- "relationship_type": "uses",
- "description": "Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFICE.",
- "source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41",
- "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
+ "created": "2020-08-21T20:49:59.559264Z",
+ "modified": "2022-09-08T18:26:13.193622Z",
+ "name": "Jump Insertion",
+ "description": "Insert jumps to make analysis visually harder.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
+ "external_id": "B0032.005"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--fab038b8-deb8-48ac-a137-eb4b5a2203dc",
+ "id": "attack-pattern--415ff076-0f63-4040-940e-439321695a67",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.634427Z",
- "modified": "2021-02-10T06:49:35.634427Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--4a062538-03cd-44da-a19f-6ed4401a4c36",
- "target_ref": "attack-pattern--d92af9d8-3491-4c6b-88c2-10785900052e",
+ "created": "2020-08-21T20:49:59.556264Z",
+ "modified": "2022-09-08T18:26:13.19154Z",
+ "name": "Dead Code Insertion",
+ "description": "Include \"dead\" code with no real functionality.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
+ "external_id": "B0032.003"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--fb09f83d-1a82-4501-9db6-bad58433707c",
+ "id": "attack-pattern--48964591-554c-420d-896b-89ad16f17eec",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.613258Z",
- "modified": "2020-08-21T20:50:04.613258Z",
- "relationship_type": "uses",
- "description": "Downloads and executes Claymore's Zcash miner from a remote server.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae",
+ "created": "2020-08-21T20:49:59.52526Z",
+ "modified": "2022-09-08T18:26:13.32831Z",
+ "name": "Restart",
+ "description": "Restarts or shuts down system to bypass sandboxing.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md",
+ "external_id": "B0003.010"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--fb64183a-4e8c-49b0-82a1-009363e19e52",
+ "id": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.67747Z",
- "modified": "2021-02-10T06:49:35.67747Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--d37365f4-63c4-4c3e-a81e-be518e7561f1",
- "target_ref": "attack-pattern--180d573a-3efb-477c-b306-721bc3906eae",
+ "created": "2020-08-21T20:49:59.689263Z",
+ "modified": "2022-09-08T18:26:13.411258Z",
+ "name": "Process Injection",
+ "description": "Malware may execute code in the address space of a separate process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md",
+ "external_id": "E1055"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://github.com/LordNoteworthy/al-khaser"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--fbfeab65-3b59-42b4-9671-df04b882cf68",
+ "id": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.515492Z",
- "modified": "2021-02-10T06:49:35.515492Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--09c1ddac-3b9f-487d-acba-78be3b686519",
- "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127",
+ "created": "2020-08-21T20:49:59.539263Z",
+ "modified": "2022-09-08T18:26:13.277642Z",
+ "name": "Memory Dump Evasion",
+ "description": "Malware hinders retrieval and/or discovery of the contents of the physical memory of the system on which the malware instance is executing [[1]](#1).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/memory-dump-evasion.md",
+ "external_id": "B0006"
+ },
+ {
+ "source_name": "external_source",
+ "description": "J. Stuttgen, M. Cohen, Anti-forensic resilient memory acquisition,",
+ "url": "https://www.dfrws.org/sites/default/files/session-files/paper-anti-forensic_resilient_memory_acquisition.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://waleedassar.blogspot.com/search/label/anti-dump"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.gironsec.com/code/packers.pdf"
+ }
+ ],
+ "x_mitre_is_subtechnique": false
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--fc27e964-55a5-42c3-bf7b-28fcc8d8b136",
+ "id": "attack-pattern--cd438b37-74b0-433b-85d2-8530724401fa",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.585443Z",
- "modified": "2021-02-10T06:49:35.585443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--3dc536c2-fa47-4acd-9043-1b0a0c2b2db6",
- "target_ref": "attack-pattern--7c77b8ac-f548-48ae-813d-028de1a8d9fd",
+ "created": "2020-08-21T20:49:59.499265Z",
+ "modified": "2022-09-08T18:26:13.288336Z",
+ "name": "Instruction Testing - STR",
+ "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md",
+ "external_id": "B0009.033"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://search.unprotect.it/map/sandbox-evasion/"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--fc399948-eede-4a80-b003-5eb63573d9e3",
+ "id": "attack-pattern--f7edbfa2-7ebf-4e66-bad5-a13150f5ce7a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.494443Z",
- "modified": "2021-02-10T06:49:35.494443Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--9615d610-999a-417d-bf19-54da01c38b89",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
+ "created": "2020-08-21T20:49:59.589265Z",
+ "modified": "2022-02-05T00:37:22.585511Z",
+ "name": "Zcash",
+ "description": "Access Zcash data.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/cryptocurrency.md",
+ "external_id": "B0028.003"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--fc64766c-e137-4801-9206-cfd145ffb001",
+ "id": "attack-pattern--683507af-37f1-4db4-a922-d41cceaa8789",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.459442Z",
- "modified": "2021-02-10T06:49:35.459442Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--39d98cff-ebf0-4824-8a7a-55ba1058664b",
- "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
+ "created": "2020-08-21T20:49:59.472261Z",
+ "modified": "2022-09-08T18:26:13.319233Z",
+ "name": "SeDebugPrivilege",
+ "description": "(Csrss.exe); Using the OpenProcess function on the csrss.exe process can detect a debugger.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
+ "external_id": "B0001.023"
+ },
+ {
+ "source_name": "external_source",
+ "description": "Anti Debugging Tricks, Al-Khaser.",
+ "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks"
+ }
+ ],
+ "x_mitre_is_subtechnique": true
 },
 {
- "type": "relationship",
+ "type": "attack-pattern",
 "spec_version": "2.1",
- "id": "relationship--fcf1224b-44ac-4086-86b0-05649a9414ea",
+ "id": "attack-pattern--5f35c276-1599-47f2-b4df-468ccfa1e08b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.520444Z",
- "modified": "2021-02-10T06:49:35.520444Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--cb5e801d-a60f-497e-93b6-23d5e29c09fd",
- "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9",
+ "created": "2021-02-10T06:49:31.972483Z",
+ "modified": "2022-09-08T18:26:13.362991Z",
+ "name": "Connect to Server::HTTP Communication",
+ "description": "HTTP client connects to 
HTTP server.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/http-communication.md", + "external_id": "C0002.009" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--fd07a2aa-1723-4b81-b2bd-5c3f9082bb49", + "id": "attack-pattern--3110ab37-847b-4f50-be91-9748cee0f4a0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.661442Z", - "modified": "2021-02-10T06:49:35.661442Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--ced26a03-d356-4f8e-8337-9a07c0becd86", - "target_ref": "attack-pattern--77bdb86e-a847-45fa-bf4b-0ef6d2038da6", + "created": "2020-08-21T20:49:59.683261Z", + "modified": "2022-02-05T00:37:22.648018Z", + "name": "Packer Stub", + "description": "A packer stub can generate polymorphic code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/polymorphic-code.md", + "external_id": "B0029.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--fd287f2b-09ce-4f5e-a2ff-7fcba59ee5be", + "id": "attack-pattern--f1f9a410-ce13-4c3d-8728-69e517d71fb9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.626555Z", - "modified": 
"2021-02-10T06:49:35.626555Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--cb1c9047-e589-4aed-b5d5-c6062a1ab340", - "target_ref": "attack-pattern--3f00f5b3-a3bf-4c9c-8874-f7998c391aa8", + "created": "2022-02-04T23:52:35.829949Z", + "modified": "2022-02-05T00:37:22.632387Z", + "name": "Hidden Userspace Libraries", + "description": "Hides userspace libraries used by the malware instance. Technique refers to hiding libraries loaded in memory (not disk). For example, a userspace library may be injected into a system process such that memory scanning tools may be prevented from finding them. This technique is different than DLL injection, in which the DLL will continue to show up in process metadata that tracks what is stored in memory. This technique involves clearing that metadata or making it inaccessible to security and inspection tools.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hide-artifacts.md", + "external_id": "E1564.m01" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--fe43e943-72cf-47df-892a-96ad269cc626", + "id": "attack-pattern--45f0c217-fd80-4ce1-a9b1-4a62418162bb", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.684783Z", - "modified": "2021-02-10T06:49:35.684783Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--66f0b43c-19fd-40b8-ae4f-de356df77371", - "target_ref": "attack-pattern--33c50b1a-84dd-4b11-ba7b-ba64199ce18f", + "created": "2020-08-21T20:49:59.521266Z", + "modified": 
"2022-09-08T18:26:13.326471Z", + "name": "Delayed Execution", + "description": "Stalling code is typically executed before any malicious behavior. The malware's aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior. This method is very similar to ATT&CK's [Virtualization/Sandbox Evasion: Time Based Evasion](https://attack.mitre.org/techniques/T1497/003/) sub-technique.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/dynamic-analysis-evasion.md", + "external_id": "B0003.003" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--fe8e6a43-aaf5-4d90-9171-fb68dd154b20", + "id": "attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.672443Z", - "modified": "2021-02-10T06:49:35.672443Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--d2dd9838-ea8f-4a2f-99f4-8a8a468110a4", - "target_ref": "attack-pattern--1cca12fe-f5c4-4c35-979b-5c6962dd9484", + "created": "2020-08-21T20:49:59.550264Z", + "modified": "2022-09-08T18:26:13.20628Z", + "name": "Argument Obfuscation", + "description": "Simple number or string arguments to API calls are calculated at runtime, making linear disassembly more difficult.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + 
"source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/disassembler-evasion.md", + "external_id": "B0012.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--febddf0b-01eb-422c-a5ad-d0977801ec9c", + "id": "attack-pattern--b7a3c18a-0a7c-407a-8857-3e2e8d941775", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.614292Z", - "modified": "2020-08-21T20:50:04.614292Z", - "relationship_type": "uses", - "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3", - "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9", + "created": "2021-02-10T06:49:31.993484Z", + "modified": "2022-09-08T18:26:13.389718Z", + "name": "HC-256::Encrypt Data", + "description": "Malware encrypts with the HC-256 algorithm.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "cryptography-micro-objective" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/encrypt-data.md", + "external_id": "C0027.007" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--fef23c74-9626-4912-bb2a-d0f1f563aab6", + "id": "attack-pattern--6069021d-57ec-403e-b6fc-013b995aa2f0", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:50:04.601289Z", - "modified": "2020-08-21T20:50:04.601289Z", - "relationship_type": "uses", - "description": "GotBotKR reinstalls its running instance if it is removed.", - "source_ref": "malware--dd874fc3-691c-4825-95cc-bbe52e5406f5", - "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae", + 
"created": "2020-08-21T20:49:59.734261Z", + "modified": "2022-09-08T18:26:13.234751Z", + "name": "Prevent Concurrent Execution", + "description": "To avoid running multiple instances of itself, malware may check a system to see if it is already running.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/prevent-concurrent-execution.md", + "external_id": "B0024" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_bagle.u" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "relationship", + "type": "attack-pattern", "spec_version": "2.1", - "id": "relationship--ff9cf97c-d31b-4536-b358-93a6575ee178", + "id": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-10T06:49:35.693726Z", - "modified": "2021-02-10T06:49:35.693726Z", - "relationship_type": "subtechnique-of", - "source_ref": "attack-pattern--333a4ca2-d8a5-4829-abcb-c42736a41f0d", - "target_ref": "attack-pattern--d1a3a19c-bcd0-40fc-8b5f-9e755260abc2", + "created": "2020-08-21T20:49:59.769263Z", + "modified": "2022-09-08T18:26:13.259774Z", + "name": "Data Destruction", + "description": "Data, system files, or other files are destroyed. 
Individual files are selected, as opposed to wiping an entire sector.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/data-destruction.md", + "external_id": "E1485" + }, + { + "source_name": "external_source", + "url": "http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "external_source", + "url": "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "x-mitre-matrix", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6", + "id": "attack-pattern--89cee1bf-b7ab-4c13-8011-22364628422d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-01-01T00:00:00.000Z", - "modified": "2021-02-11T06:49:31.787443Z", - "name": "MBC", - "description": "The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting.", - "tactic_refs": [ - "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e", - "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153", - "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343", - 
"x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589", - "x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898", - "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2", - "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa", - "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b", - "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a", - "x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6", - "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828", - "x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88", - "x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d", - "x-mitre-tactic--408ef4fa-de24-489a-ac9e-1f51af84bf5d", - "x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0", - "x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3", - "x-mitre-tactic--e4edf677-0ea0-474a-a14d-da3ea660d69f", - "x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59", - "x-mitre-tactic--dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e", - "x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906", - "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3" + "created": "2020-08-21T20:49:59.677261Z", + "modified": "2022-09-08T18:26:13.272368Z", + "name": "Encryption - Custom Encryption", + "description": "Data is encrypted. 
A custom algorithm is used to encrypt the exfiltrated data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject", - "external_id": "mbc" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", + "external_id": "E1560.m06" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ] + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0", + "id": "attack-pattern--dd40dbb6-6220-4b7b-93e1-20fe081eb219", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.283263Z", - "modified": "2022-02-05T00:37:22.397978Z", - "name": "File System Micro-objective", - "description": "Micro-behaviors related to file manipulation.", - "external_references": [ + "created": "2020-08-21T20:49:59.496265Z", + "modified": "2022-09-08T18:26:13.286198Z", + "name": "Instruction Testing", + "description": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. 
Accordingly, these can be used to detect the execution of the malware in a VM.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/README.md", - "external_id": "OC0001" + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "file-system-micro-objective" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/virtual-machine-detection.md", + "external_id": "B0009.029" + }, + { + "source_name": "external_source", + "url": "https://search.unprotect.it/map/sandbox-evasion/" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828", + "id": "attack-pattern--2cab79e4-750b-43e3-9486-0d7801d8fdd8", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.056Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Lateral Movement", - "description": "Behaviors that enable propagation through a compromised system or infected files. 
The malware may move actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email).", - "external_references": [ + "created": "2022-02-04T23:52:35.900382Z", + "modified": "2022-02-05T00:37:22.694887Z", + "name": "Delete File", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/lateral-movement/README.md", - "external_id": "OB0011" + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "lateral-movement" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md", + "external_id": "B0011.001" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153", + "id": "attack-pattern--17cf477e-a8e5-4c52-b207-7023cfd16c1d", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.060Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Anti-Static Analysis", - "description": "Behaviors and code characteristics that prevent static analysis or make it more difficult. Simple static analysis identifies features such as embedded strings, header information, hash values, and file metadata (e.g., creation date). More involved static analysis involves the disassembly of the binary code.", - "external_references": [ + "created": "2022-02-04T23:52:35.877737Z", + "modified": "2022-09-08T18:26:13.244123Z", + "name": "Host Fingerprint Check", + "description": "Compare a previously computed host fingerprint(e.g., based on installed applications) to the current system's to determine if the malware instance is still executing on the same system. 
If not, execution stops, making debugging or sandbox analysis more difficult.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/README.md", - "external_id": "OB0002" + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" }, { - "source_name": "external_source", - "description": "Unprotect Project, a database about malware self-defense and protection.", - "url": "https://search.unprotect.it/map/sandbox-evasion/" + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" }, { - "source_name": "external_source", - "description": "InDepthUnpacking, course content for teaching malware anti-analysis techniques and mitigations, with emphasis on packers.", - "url": "https://github.com/knowmalware/InDepthUnpacking" + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "anti-static-analysis" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/conditional-execution.md", + "external_id": "B0025.004" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88", + "id": "attack-pattern--e23ee3ae-6960-4b56-b962-33184f999657", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.270263Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Communication Micro-objective", - "description": "Micro-behaviors that enable malware to communicate.", - "external_references": [ + "created": "2020-08-21T20:49:59.688263Z", + "modified": "2022-09-08T18:26:13.409489Z", + "name": "Hook Injection via SetWindowsHooksEx", + "description": "Malware can leverage hooking functionality to have its 
malicious DLL loaded upon an event getting triggered in a specific thread, which is usually done by calling SetWindowsHookEx to install a hook routine into the hook chain.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/README.md", - "external_id": "OC0006" + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "communication-micro-objective" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/process-injection.md", + "external_id": "E1055.m01" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6", + "id": "attack-pattern--bbcbbd85-689f-486f-b3be-e36852dfe5c5", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.076Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Impact", - "description": "Behaviors that enable malware to achieve its mission of manipulating, interrupting, or destroying systems and/or data.", - "external_references": [ + "created": "2021-02-10T06:49:32.008483Z", + "modified": "2022-09-08T18:26:13.338251Z", + "name": "pHash::Non-Cryptographic Hash", + "description": "Malware uses the pHash hash function.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/README.md", - "external_id": "OB0008" + "kill_chain_name": "mitre-mbc", + "phase_name": "data-micro-objective" } 
], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "impact" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md", + "external_id": "C0030.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--408ef4fa-de24-489a-ac9e-1f51af84bf5d", + "id": "attack-pattern--6168e69c-f827-4f92-8404-cd24fff9802c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.279262Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Data Micro-objective", - "description": "Micro-behaviors related to malware manipulating data.", - "external_references": [ + "created": "2020-08-21T20:49:59.760262Z", + "modified": "2022-09-08T18:26:13.272846Z", + "name": "Archive Collected Data", + "description": "Malware may obfuscate data via encryption or encoding before exfiltration.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/README.md", - "external_id": "OC0004" + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "data-micro-objective" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", + "external_id": "E1560" + }, + { + "source_name": "external_source", + "url": "https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/" + }, + { + "source_name": "external_source", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "x_mitre_is_subtechnique": false }, { - "type": "x-mitre-tactic", 
+ "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898", + "id": "attack-pattern--405c94b9-4f0e-476b-982d-72bb1905daa9", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.074Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Credential Access", - "description": "Behaviors to obtain credential access, allowing it or its underlying threat actor to assume control of an account, with the associated system and network permissions.", - "external_references": [ + "created": "2020-08-21T20:49:59.580266Z", + "modified": "2022-02-05T00:37:22.585511Z", + "name": "Standard Compression", + "description": "Uses a standard algorithm, such as UPX or LZMA, to compress an executable file.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/README.md", - "external_id": "OB0005" + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "credential-access" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/software-packing.md", + "external_id": "F0001.002" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3", + "id": "attack-pattern--e57c3d95-67fc-4d26-a74e-12953fff494b", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.287265Z", - "modified": "2022-02-05T00:37:22.397978Z", - "name": "Hardware Micro-objective", - 
"description": "Micro-behaviors related to hardware.", - "external_references": [ + "created": "2020-08-21T20:49:59.824262Z", + "modified": "2022-09-08T18:26:13.368972Z", + "name": "Interprocess Communication", + "description": "The Interprocess Communication micro-behavior focuses on interprocess communication.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/README.md", - "external_id": "OC0007" + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "hardware-micro-objective" - }, - { - "type": "x-mitre-tactic", - "spec_version": "2.1", - "id": "x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.064Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Command and Control", - "description": "Behaviors malware may use to communicate with systems under its control within a target network. There are many ways malware can establish command and control with various levels of covertness, depending on system configuration and network topology. Behaviors may relate to C2 servers or a bot that is part of a botnet. As \"server\" and \"client\" are confusing terminology in this context, we use the terms **controller** and **implant**. The controller is the software running on adversary-controlled infrastructure and used to send commands to the implant. 
The implant is the software running on victim-controlled infrastructure that receives commands from the adversary, executes those commands on the victim, and optionally sends the results back to the adversary.", "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/README.md", - "external_id": "OB0004" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/interprocess-communication.md", + "external_id": "C0003" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_shortname": "command-and-control" + "x_mitre_is_subtechnique": false }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343", + "id": "attack-pattern--ae29c6ea-39f3-47f5-b2e9-49a18cbe3d9f", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.058Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Collection", - "description": "Behaviors that identify and gather information, such as sensitive files, from a target network prior to exfiltration. This objective includes locations on a system or network where the malware may look for information to exfiltrate.", - "external_references": [ + "created": "2022-09-08T18:26:13.249609Z", + "modified": "2022-09-08T18:26:13.249609Z", + "name": "User Execution", + "description": "Malware may include code that relies on specific actions by a user to execute. 
Note that this MBC behavior differs from [User Execution](https://attack.mitre.org/techniques/T1204) in that it does do not include direct code execution (user action for *initial* execution) - MBC does not encompass ATT&CK's Initial Access Tactic.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/README.md", - "external_id": "OB0003" + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "collection" - }, - { - "type": "x-mitre-tactic", - "spec_version": "2.1", - "id": "x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2021-02-11T06:49:31.787443Z", - "modified": "2022-02-05T00:37:22.397978Z", - "name": "Operating System Micro-objective", - "description": "Micro-behaviors related to operating systems.", "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/README.md", - "external_id": "OC0008" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/user-execution.md", + "external_id": "E1204" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + }, + { + "source_name": "external_source", + "url": "https://blogs.cisco.com/security/talos/rombertik" + }, + { + "source_name": "external_source", + "url": "https://www.mandiant.com/resources/hot-knives-through-butter-evading-file-based-sandboxes" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_shortname": "operating-system-micro-objective" + "x_mitre_is_subtechnique": false }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": 
"x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a", + "id": "attack-pattern--cfa8658b-c504-41eb-9886-05de4962319c", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.068Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Exfiltration", - "description": "Behaviors that steal data from the system on which it executes. This includes stored data (e.g., files) as well as data input into applications (e.g., web browser).", - "external_references": [ + "created": "2021-02-10T06:49:31.982483Z", + "modified": "2022-09-08T18:26:13.374171Z", + "name": "Receive Data::Socket Communication", + "description": "Receive data on socket.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/README.md", - "external_id": "OB0010" + "kill_chain_name": "mitre-mbc", + "phase_name": "communication-micro-objective" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "exfiltration" - }, - { - "type": "x-mitre-tactic", - "spec_version": "2.1", - "id": "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.071Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Defense Evasion", - "description": "Behaviors that evade detection or avoid other defenses.", "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/README.md", - "external_id": "OB0006" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/socket-communication.md", + "external_id": "C0001.006" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_shortname": "defense-evasion" + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": 
"attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa", + "id": "attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.062Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Discovery", - "description": "Behaviors that aim to gain knowledge about the system and internal network.", - "external_references": [ + "created": "2020-08-21T20:49:59.486264Z", + "modified": "2022-09-08T18:26:13.299473Z", + "name": "Timing/Uptime Check", + "description": "Comparing single GetTickCount with some value to see if system has been started at least *X* amount ago. This behavior can be mitigated in non-automated analysis environments.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/README.md", - "external_id": "OB0007" + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "discovery" - }, - { - "type": "x-mitre-tactic", - "spec_version": "2.1", - "id": "x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.067Z", - "modified": "2022-02-05T00:37:22.397978Z", - "name": "Persistence", - "description": "Malware aims to remain on a system regardless of system events.", "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/README.md", - "external_id": "OB0012" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md", + "external_id": "B0007.009" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_shortname": "persistence" + 
"x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3", + "id": "attack-pattern--09aa0bf7-bdec-4642-ad23-c8f1c9b01297", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.072Z", - "modified": "2022-02-05T00:37:22.397978Z", - "name": "Privilege Escalation", - "description": "Behaviors that aim to obtain a higher level of permission.", - "external_references": [ + "created": "2020-08-21T20:49:59.775261Z", + "modified": "2022-02-05T00:37:22.71051Z", + "name": "Destroy Hardware", + "description": "Destroys a physical piece of hardware. For example, malware may cause hardware to overheat.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/privilege-escalation/README.md", - "external_id": "OB0013" + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "privilege-escalation" - }, - { - "type": "x-mitre-tactic", - "spec_version": "2.1", - "id": "x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.275263Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Cryptography Micro-objective", - "description": "Micro-behaviors that enable malware to use crypto.", "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/README.md", - "external_id": "OC0005" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/destroy-hardware.md", + "external_id": "B0017" + }, + { + "source_name": "external_source", + "url": "https://www.bbc.com/timelines/zc6fbk7" } ], - "object_marking_refs": [ - 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_shortname": "cryptography-micro-objective" + "x_mitre_is_subtechnique": false }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e", + "id": "attack-pattern--9a5f43f7-dd94-4035-b335-9d0d388c93ae", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.296264Z", - "modified": "2022-02-05T00:37:22.397978Z", - "name": "Process Micro-objective", - "description": "Micro-behaviors related to processes.", - "external_references": [ + "created": "2020-08-21T20:49:59.678261Z", + "modified": "2022-09-08T18:26:13.272615Z", + "name": "Encryption - Standard Encryption", + "description": "Data is encrypted. A standard algorithm, such as Rijndael/AES, DES, RC4, is used to encrypt the exfiltrated data.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/README.md", - "external_id": "OC0003" + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "process-micro-objective" - }, - { - "type": "x-mitre-tactic", - "spec_version": "2.1", - "id": "x-mitre-tactic--e4edf677-0ea0-474a-a14d-da3ea660d69f", - "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-08-21T20:49:59.292268Z", - "modified": "2022-02-05T00:37:22.397978Z", - "name": "Memory Micro-objective", - "description": "Micro-behaviors related to malware manipulating machine memory.", "external_references": [ { "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/README.md", - "external_id": "OC0002" + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/archive-collected-data.md", + 
"external_id": "E1560.m05" } ], - "object_marking_refs": [ - "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" - ], - "x_mitre_shortname": "memory-micro-objective" + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e", + "id": "attack-pattern--0aeb39aa-febf-463e-97e0-546f558daed6", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.061Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Anti-Behavioral Analysis", - "description": "Behaviors that prevent, obstruct, or evade behavioral analysis (sandbox, debugger, etc). Because the underlying methods differ, separate \"detection\" and \"evasion\" behaviors are defined for some anti-behavioral analysis areas (e.g., anti-debugger).", - "external_references": [ - { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/README.md", - "external_id": "OB0001" - }, - { - "source_name": "external_source", - "description": "Unprotect Project, a database about malware self-defense and protection.", - "url": "https://search.unprotect.it/map" - }, + "created": "2020-08-21T20:49:59.472261Z", + "modified": "2022-09-08T18:26:13.319554Z", + "name": "SetHandleInformation", + "description": "(Protected Handle)", + "kill_chain_phases": [ { - "source_name": "external_source", - "description": "InDepthUnpacking, course content for teaching malware anti-analysis techniques and mitigations, with emphasis on packers.", - "url": "https://github.com/knowmalware/InDepthUnpacking" + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "anti-behavioral-analysis" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md", + "external_id": "B0001.024" + } + ], + "x_mitre_is_subtechnique": true }, { - "type": "x-mitre-tactic", + "type": "attack-pattern", "spec_version": "2.1", - "id": "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b", + "id": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127", "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", - "created": "2020-02-05T20:28:15.065Z", - "modified": "2022-02-05T00:37:22.382348Z", - "name": "Execution", - "description": "Behaviors that execute code on a system to achieve a variety of goals.", - "external_references": [ + "created": "2020-08-21T20:49:59.530265Z", + "modified": "2022-09-08T18:26:13.302403Z", + "name": "Emulator Evasion", + "description": "Behaviors that obstruct analysis in an emulator.", + "kill_chain_phases": [ { - "source_name": "mitre-mbc", - "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/README.md", - "external_id": "OB0009" + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" } ], "object_marking_refs": [ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" ], - "x_mitre_shortname": "execution" + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md", + "external_id": "B0005" + } + ], + "x_mitre_is_subtechnique": false + }, + { + "type": "marking-definition", + "spec_version": "2.1", + "id": "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-01-01T00:00:00.000Z", + "definition_type": "statement", + "definition": { + "statement": "Copyright (c) 2020-2022, The MITRE Corporation. All rights reserved." + } } ] } \ No newline at end of file 
diff --git a/mbc/relationship/relationship--040473ba-ea4c-4f70-9afa-61750d1d6d87.json b/mbc/relationship/relationship--040473ba-ea4c-4f70-9afa-61750d1d6d87.json
deleted file mode 100644
index 795e4aba..00000000
--- a/mbc/relationship/relationship--040473ba-ea4c-4f70-9afa-61750d1d6d87.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--6674a1b2-d2f3-4862-a450-48f2a44881f3",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--040473ba-ea4c-4f70-9afa-61750d1d6d87",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.610253Z",
- "modified": "2020-08-21T20:50:04.610253Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--08ddf2f3-b656-4731-8ef1-514e0c2209e3.json b/mbc/relationship/relationship--08ddf2f3-b656-4731-8ef1-514e0c2209e3.json
deleted file mode 100644
index 856a94f8..00000000
--- a/mbc/relationship/relationship--08ddf2f3-b656-4731-8ef1-514e0c2209e3.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--8ebfbc1a-0b22-42ff-825b-950d9fb7bb2b",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--08ddf2f3-b656-4731-8ef1-514e0c2209e3",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.604253Z",
- "modified": "2020-08-21T20:50:04.604253Z",
- "relationship_type": "uses",
- "description": "An MBR bootkit and a BIOS bootkit targeting Award BIOS.",
- "source_ref": "malware--cb022b7d-775c-4db8-ab25-3add7e215d54",
- "target_ref": "attack-pattern--4c1c0aca-7fca-4aae-9d17-6fc99c8d7d0a",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--101b237e-e613-4c1c-a14e-5f6e023962ea.json b/mbc/relationship/relationship--101b237e-e613-4c1c-a14e-5f6e023962ea.json
deleted file mode 100644
index 7feda02d..00000000
--- a/mbc/relationship/relationship--101b237e-e613-4c1c-a14e-5f6e023962ea.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--7eccdc70-0c94-4d4b-a31a-f68ba6abc633",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--101b237e-e613-4c1c-a14e-5f6e023962ea",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.609253Z",
- "modified": "2020-08-21T20:50:04.609253Z",
- "relationship_type": "uses",
- "description": "Modification of the router's firmware image that can be used to maintain persistence within a victim's network.",
- "source_ref": "malware--6875c768-4212-474d-85dc-1e89c62e9a65",
- "target_ref": "attack-pattern--66639ad1-1214-46af-9ce6-31b526ef6d9c",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--14bb7996-f709-47a8-b56f-284e80a05814.json b/mbc/relationship/relationship--14bb7996-f709-47a8-b56f-284e80a05814.json
deleted file mode 100644
index 1fd0863e..00000000
--- a/mbc/relationship/relationship--14bb7996-f709-47a8-b56f-284e80a05814.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--be36e45f-f048-4221-ba08-aa75099f22c7",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--14bb7996-f709-47a8-b56f-284e80a05814",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.611257Z",
- "modified": "2020-08-21T20:50:04.611257Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--14e22077-05d7-49c6-a6ee-868c7ee5698d.json b/mbc/relationship/relationship--14e22077-05d7-49c6-a6ee-868c7ee5698d.json
deleted file mode 100644
index fe110e13..00000000
--- a/mbc/relationship/relationship--14e22077-05d7-49c6-a6ee-868c7ee5698d.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--ff2fa789-602e-4222-9a18-f1c27a639d82",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--14e22077-05d7-49c6-a6ee-868c7ee5698d",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.602253Z",
- "modified": "2020-08-21T20:50:04.602253Z",
- "relationship_type": "uses",
- "description": "Uses API Hashing Method.",
- "source_ref": "malware--92f9ba45-2fb3-4d97-9865-eda477e7b779",
- "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--1549dbad-5b3b-4701-b762-6e83daff0d13.json b/mbc/relationship/relationship--1549dbad-5b3b-4701-b762-6e83daff0d13.json
deleted file mode 100644
index bde6a5b4..00000000
--- a/mbc/relationship/relationship--1549dbad-5b3b-4701-b762-6e83daff0d13.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--9d6d7749-e2b5-4bd6-a4d9-755b273e16c0",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--1549dbad-5b3b-4701-b762-6e83daff0d13",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.609253Z",
- "modified": "2020-08-21T20:50:04.609253Z",
- "relationship_type": "uses",
- "description": "Sets \"2019\" as Windows' startup folder by modifying a registry value.",
- "source_ref": "malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce",
- "target_ref": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--168fef73-7235-4bdb-a038-94b8c4ec1dfb.json b/mbc/relationship/relationship--168fef73-7235-4bdb-a038-94b8c4ec1dfb.json
deleted file mode 100644
index bd979f6b..00000000
--- a/mbc/relationship/relationship--168fef73-7235-4bdb-a038-94b8c4ec1dfb.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--2182968f-0dff-4bd0-b891-409d326c4d8d",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--168fef73-7235-4bdb-a038-94b8c4ec1dfb",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.610253Z",
- "modified": "2020-08-21T20:50:04.610253Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--17d45a89-9ebf-4a5b-8dc8-1e6e6e3e6089.json b/mbc/relationship/relationship--17d45a89-9ebf-4a5b-8dc8-1e6e6e3e6089.json
deleted file mode 100644
index b8cdbb1b..00000000
--- a/mbc/relationship/relationship--17d45a89-9ebf-4a5b-8dc8-1e6e6e3e6089.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--f50c6f58-8522-4fa3-95c1-76f4b1ce3c1a",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--17d45a89-9ebf-4a5b-8dc8-1e6e6e3e6089",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.603292Z",
- "modified": "2020-08-21T20:50:04.603292Z",
- "relationship_type": "uses",
- "description": "Intercepts data coming into and going out of device.",
- "source_ref": "malware--508cadaa-4fd5-4105-803e-8944e388ee45",
- "target_ref": "attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--1a2f02aa-1fd6-45a7-b189-40ce1956f93c.json b/mbc/relationship/relationship--1a2f02aa-1fd6-45a7-b189-40ce1956f93c.json
deleted file mode 100644
index 645f882a..00000000
--- a/mbc/relationship/relationship--1a2f02aa-1fd6-45a7-b189-40ce1956f93c.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--54f95ba4-61c8-4fcd-8acd-302a6ab49ef8",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--1a2f02aa-1fd6-45a7-b189-40ce1956f93c",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.615528Z",
- "modified": "2021-02-10T06:49:35.615528Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--be6d8982-3619-4f2f-b5c7-64d9e934ac43",
- "target_ref": "attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--234e3d9c-b4f3-494c-987a-c70e725522c4.json b/mbc/relationship/relationship--234e3d9c-b4f3-494c-987a-c70e725522c4.json
deleted file mode 100644
index 81b908c5..00000000
--- a/mbc/relationship/relationship--234e3d9c-b4f3-494c-987a-c70e725522c4.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--a00b03f6-535a-4e79-b4a5-faa74eaa7fee",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--234e3d9c-b4f3-494c-987a-c70e725522c4",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.605287Z",
- "modified": "2020-08-21T20:50:04.605287Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--272e945b-6d94-4755-83dd-df035dd5a7ef.json b/mbc/relationship/relationship--272e945b-6d94-4755-83dd-df035dd5a7ef.json
deleted file mode 100644
index b76ee2d6..00000000
--- a/mbc/relationship/relationship--272e945b-6d94-4755-83dd-df035dd5a7ef.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--47f953da-14d0-450a-8488-d15e959f6df6",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--272e945b-6d94-4755-83dd-df035dd5a7ef",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.608257Z",
- "modified": "2020-08-21T20:50:04.608257Z",
- "relationship_type": "uses",
- "description": "A 2018 variant includes a component that erases files and then wipes the master boot record, preventing file recovery.",
- "source_ref": "malware--d36b0186-1e10-4dd8-a1df-076e9a692c57",
- "target_ref": "attack-pattern--2ff4ce39-a726-471a-92d9-21a5c51a0bc3",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--27f65cb2-f647-4914-af5f-949ddd8ed52a.json b/mbc/relationship/relationship--27f65cb2-f647-4914-af5f-949ddd8ed52a.json
deleted file mode 100644
index f1c8ca99..00000000
--- a/mbc/relationship/relationship--27f65cb2-f647-4914-af5f-949ddd8ed52a.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--380a6a6d-b111-4633-b8b8-e80cab023eaf",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--27f65cb2-f647-4914-af5f-949ddd8ed52a",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.600252Z",
- "modified": "2020-08-21T20:50:04.600252Z",
- "relationship_type": "uses",
- "description": "Allows an attacker to control the system via a GUI.",
- "source_ref": "malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52",
- "target_ref": "attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--292a4fcc-2932-48f2-a1e6-62584547c6e7.json b/mbc/relationship/relationship--292a4fcc-2932-48f2-a1e6-62584547c6e7.json
deleted file mode 100644
index d60619ea..00000000
--- a/mbc/relationship/relationship--292a4fcc-2932-48f2-a1e6-62584547c6e7.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--d593dc98-4b3e-41ad-9ec3-2bee64b3ad3b",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--292a4fcc-2932-48f2-a1e6-62584547c6e7",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.601289Z",
- "modified": "2020-08-21T20:50:04.601289Z",
- "relationship_type": "uses",
- "description": "Checks system temperature by recording thermal readings for detecting VMs. Heat levels indicate whether the system is a VM.",
- "source_ref": "malware--e616d9d2-36b4-4510-84ad-66f19442fe3e",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--febddf0b-01eb-422c-a5ad-d0977801ec9c.json b/mbc/relationship/relationship--2c24d182-4d28-489a-ac98-a3db334fc636.json
similarity index 53%
rename from mbc/relationship/relationship--febddf0b-01eb-422c-a5ad-d0977801ec9c.json
rename to mbc/relationship/relationship--2c24d182-4d28-489a-ac98-a3db334fc636.json
index c11aff26..116142d5 100644
--- a/mbc/relationship/relationship--febddf0b-01eb-422c-a5ad-d0977801ec9c.json
+++ b/mbc/relationship/relationship--2c24d182-4d28-489a-ac98-a3db334fc636.json
@@ -1,16 +1,16 @@
 {
 "type": "bundle",
- "id": "bundle--ed1c88c0-b301-4efa-abfc-6457ac2e21c0",
+ "id": "bundle--6083d1c6-355f-4d1c-8864-967a0b05447c",
 "objects": [
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--febddf0b-01eb-422c-a5ad-d0977801ec9c",
+ "id": "relationship--2c24d182-4d28-489a-ac98-a3db334fc636",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.614292Z",
- "modified": "2020-08-21T20:50:04.614292Z",
- "relationship_type": "uses",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
+ "created": "2022-09-08T18:26:19.092831Z",
+ "modified": "2022-09-08T18:26:19.092831Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--b7df4632-63d2-4195-a529-643ab6098e16",
 "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
diff --git a/mbc/relationship/relationship--2cec369a-ebbb-4bf4-ae8a-81311b7ad6ee.json b/mbc/relationship/relationship--2cec369a-ebbb-4bf4-ae8a-81311b7ad6ee.json
deleted file mode 100644
index 1669985a..00000000
--- a/mbc/relationship/relationship--2cec369a-ebbb-4bf4-ae8a-81311b7ad6ee.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--c16ac3f5-a95f-4d42-ba3a-536dfbd3c28e",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--2cec369a-ebbb-4bf4-ae8a-81311b7ad6ee",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.945699Z",
- "modified": "2022-02-04T23:52:40.945699Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--8c5ccf4d-b443-4803-8e69-eb83b1564c48",
- "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
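Review bot: Nothing in the relationship--febddf0b → relationship--2c24d182 hunk records that the old `uses` relationship from malware--8297b846 to attack-pattern--2f1cafa6 has been retired; the hunk only reads as a rename because `target_ref` and the marking survive at 53% similarity, while the STIX `id`, `created`, `relationship_type` (`uses` → `subtechnique-of`) and `source_ref` (a malware object → an attack-pattern) are all replaced. Since the filename carries the STIX id, a consumer that tracks objects by id sees a new relationship appear but will not find the removal in a rename hunk. The same malware's relationship--343d0c6c is deleted outright further down, so the retirement is presumably intentional; it is worth stating that in the commit description, and if the generator can write the change as a delete plus an add rather than rely on git's similarity detection, the history stays readable per object.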
diff --git a/mbc/relationship/relationship--2d1c8c16-3b50-4d04-b79d-54168c19af90.json b/mbc/relationship/relationship--2d1c8c16-3b50-4d04-b79d-54168c19af90.json
deleted file mode 100644
index a8aa6997..00000000
--- a/mbc/relationship/relationship--2d1c8c16-3b50-4d04-b79d-54168c19af90.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--a8e9420e-5336-41aa-a124-3bf5db5e85e6",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--2d1c8c16-3b50-4d04-b79d-54168c19af90",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.608257Z",
- "modified": "2020-08-21T20:50:04.608257Z",
- "relationship_type": "uses",
- "description": "Intercepts encrypted web traffic to inject adds.",
- "source_ref": "malware--dbe9ee23-f01d-4cdb-bf53-066c77352dac",
- "target_ref": "attack-pattern--50e612f9-3481-42fc-aa7f-a468ce59a556",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--343d0c6c-f9a4-4c0a-9421-1b810982e3fb.json b/mbc/relationship/relationship--343d0c6c-f9a4-4c0a-9421-1b810982e3fb.json
deleted file mode 100644
index 347d227f..00000000
--- a/mbc/relationship/relationship--343d0c6c-f9a4-4c0a-9421-1b810982e3fb.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--f00b940e-f336-48cc-a664-56197a7f63be",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--343d0c6c-f9a4-4c0a-9421-1b810982e3fb",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.613258Z",
- "modified": "2020-08-21T20:50:04.613258Z",
- "relationship_type": "uses",
- "description": "Learns about the system so it can drop compatible miner software.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--36f2a08b-55c5-46f5-9fbc-71ee8ac382cc.json b/mbc/relationship/relationship--36f2a08b-55c5-46f5-9fbc-71ee8ac382cc.json
deleted file mode 100644
index 169321f9..00000000
--- a/mbc/relationship/relationship--36f2a08b-55c5-46f5-9fbc-71ee8ac382cc.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--89a4e16f-756d-49f2-8f41-63380c5e59c8",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--36f2a08b-55c5-46f5-9fbc-71ee8ac382cc",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.604253Z",
- "modified": "2020-08-21T20:50:04.604253Z",
- "relationship_type": "uses",
- "description": "After the Poison-Ivy server is running on the target machine, the attacker uses a Windows GUI client to control the target computer.",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--c25f5d58-e8e5-49ef-a54d-68e17b4ac824",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--3ce0217e-a3e8-4735-9eda-f19656c3d7b2.json b/mbc/relationship/relationship--3ce0217e-a3e8-4735-9eda-f19656c3d7b2.json
deleted file mode 100644
index f7a61505..00000000
--- a/mbc/relationship/relationship--3ce0217e-a3e8-4735-9eda-f19656c3d7b2.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--8c1839fc-80ac-4db3-894f-54679301ecb6",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--3ce0217e-a3e8-4735-9eda-f19656c3d7b2",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.612264Z",
- "modified": "2020-08-21T20:50:04.612264Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--bd879126-0126-4f7a-a1b7-d9944efb251f",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--3d11a5ca-28e7-4f1e-aed7-14f93c9b7181.json b/mbc/relationship/relationship--3d11a5ca-28e7-4f1e-aed7-14f93c9b7181.json
new file mode 100644
index 00000000..000eba83
--- /dev/null
+++ b/mbc/relationship/relationship--3d11a5ca-28e7-4f1e-aed7-14f93c9b7181.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--09c7da6e-b856-47d0-b823-cc0eeb6a248f",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--3d11a5ca-28e7-4f1e-aed7-14f93c9b7181",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:19.048115Z",
+ "modified": "2022-09-08T18:26:19.048115Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--6f73f473-5fb0-4777-a951-6de90d9ea01f",
+ "target_ref": "attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
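Review bot: The newly added `relationship--3d11a5ca-28e7-4f1e-aed7-14f93c9b7181.json` is written without a terminating newline (`\ No newline at end of file`), as is the other new file in this chunk, `relationship--78d819da-3841-4091-afac-7ab38b3ed476.json`. A generated JSON document that is committed to version control should end with a single `\n` so it is a well-formed POSIX text file and does not carry a spurious end-of-file change every time the exporter touches it. This is a one-character fix in the serializer that writes these bundles, not in the data itself.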
diff --git a/mbc/relationship/relationship--40af3048-e15a-48e0-89f3-bd10073bd777.json b/mbc/relationship/relationship--40af3048-e15a-48e0-89f3-bd10073bd777.json
deleted file mode 100644
index 8be1a8fd..00000000
--- a/mbc/relationship/relationship--40af3048-e15a-48e0-89f3-bd10073bd777.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--58655ef0-1fcf-417d-a037-1471820b2475",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--40af3048-e15a-48e0-89f3-bd10073bd777",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.603292Z",
- "modified": "2020-08-21T20:50:04.603292Z",
- "relationship_type": "uses",
- "description": "Code virtualization is added to the Locky Bart binary using WPProtect.",
- "source_ref": "malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48",
- "target_ref": "attack-pattern--4c89f923-0e3e-41ff-b128-2e47acbd80b7",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--43b39c15-6e60-420f-b0a5-3c2afaa08148.json b/mbc/relationship/relationship--43b39c15-6e60-420f-b0a5-3c2afaa08148.json
deleted file mode 100644
index 64bcc78a..00000000
--- a/mbc/relationship/relationship--43b39c15-6e60-420f-b0a5-3c2afaa08148.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--8a8427c4-80ee-4178-8792-462d3e14d286",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--43b39c15-6e60-420f-b0a5-3c2afaa08148",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.605287Z",
- "modified": "2020-08-21T20:50:04.605287Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--459d2b7d-7d81-4468-bc6a-901ba11fb154.json b/mbc/relationship/relationship--459d2b7d-7d81-4468-bc6a-901ba11fb154.json
deleted file mode 100644
index 35fd39df..00000000
--- a/mbc/relationship/relationship--459d2b7d-7d81-4468-bc6a-901ba11fb154.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--e36af245-b827-45c0-9c74-2c108e363858",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--459d2b7d-7d81-4468-bc6a-901ba11fb154",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.615251Z",
- "modified": "2020-08-21T20:50:04.615251Z",
- "relationship_type": "uses",
- "description": "Injects miner code into a running process.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--46602894-3b25-4e09-b8ef-14a2e0c49208.json b/mbc/relationship/relationship--46602894-3b25-4e09-b8ef-14a2e0c49208.json
deleted file mode 100644
index c703a736..00000000
--- a/mbc/relationship/relationship--46602894-3b25-4e09-b8ef-14a2e0c49208.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--af3b5ff5-1bb9-4276-a56e-82e75c2f2890",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--46602894-3b25-4e09-b8ef-14a2e0c49208",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.598251Z",
- "modified": "2020-08-21T20:50:04.598251Z",
- "relationship_type": "uses",
- "description": "Some variants look for an unnamed mutex to ensure only one copy of itself is running on a system.",
- "source_ref": "malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b",
- "target_ref": "attack-pattern--6069021d-57ec-403e-b6fc-013b995aa2f0",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--4696f9bf-84c4-4d96-9843-b7d105dfab7c.json b/mbc/relationship/relationship--4696f9bf-84c4-4d96-9843-b7d105dfab7c.json
deleted file mode 100644
index a6c61dd2..00000000
--- a/mbc/relationship/relationship--4696f9bf-84c4-4d96-9843-b7d105dfab7c.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--9d2cd63e-5b8f-43f2-9fde-89dcf617af4c",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--4696f9bf-84c4-4d96-9843-b7d105dfab7c",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.610253Z",
- "modified": "2020-08-21T20:50:04.610253Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--ce6015e7-3065-420f-aea8-c9e0e5d5ed74",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--52577eb5-283f-4d59-afa3-e2aff4979371.json b/mbc/relationship/relationship--48fec1d5-1bc4-4803-88ad-9220672885c6.json
similarity index 59%
rename from mbc/relationship/relationship--52577eb5-283f-4d59-afa3-e2aff4979371.json
rename to mbc/relationship/relationship--48fec1d5-1bc4-4803-88ad-9220672885c6.json
index 94ff1508..ea0b9cc5 100644
--- a/mbc/relationship/relationship--52577eb5-283f-4d59-afa3-e2aff4979371.json
+++ b/mbc/relationship/relationship--48fec1d5-1bc4-4803-88ad-9220672885c6.json
@@ -1,17 +1,17 @@
{
"type": "bundle",
- "id": "bundle--7f56c986-9100-4ee3-b7f6-9ef67add4a73",
+ "id": "bundle--fd8d345a-f6cd-450d-bb41-a132ac540e0a",
"objects": [
{
"type": "relationship",
"spec_version": "2.1",
- "id": "relationship--52577eb5-283f-4d59-afa3-e2aff4979371",
+ "id": "relationship--48fec1d5-1bc4-4803-88ad-9220672885c6",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.962929Z",
- "modified": "2022-02-04T23:52:40.962929Z",
+ "created": "2022-09-08T18:26:19.145194Z",
+ "modified": "2022-09-08T18:26:19.145194Z",
"relationship_type": "subtechnique-of",
"source_ref": "attack-pattern--6a958b33-6517-459c-afda-7f4f490ac15d",
- "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504",
+ "target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e",
"object_marking_refs": [
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
]
diff --git a/mbc/relationship/relationship--4bff68b3-9d4e-4ba5-b2fe-95b583cbc03f.json b/mbc/relationship/relationship--4bff68b3-9d4e-4ba5-b2fe-95b583cbc03f.json
deleted file mode 100644
index a1a962fa..00000000
--- a/mbc/relationship/relationship--4bff68b3-9d4e-4ba5-b2fe-95b583cbc03f.json
+++ /dev/null
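Review bot: This relationship's meaning is unchanged (`attack-pattern--6a958b33-...` is still `subtechnique-of` its parent; only the parent's id moved from `f06491eb-...` to `098a700a-...`), yet the exporter mints a fresh `"id"` and resets `"created"` to the export time, so `"created"` equals `"modified"` and a STIX consumer that tracks objects by id sees an unrelated new object plus an orphaned old one instead of a new version of the same relationship. The same pattern is in the renamed hunks at L1366 and L1370, and the parent attack-pattern's id changing under it suggests the technique ids themselves are regenerated, which would break any external reference to `attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504`. The STIX 2.1 versioning model expects `"id"` and `"created"` to stay fixed across versions and only `"modified"` to advance; deriving relationship ids deterministically (for example a UUIDv5 over relationship type, source and target) or persisting them between exports would keep these files stable. I am inferring the generator's behavior from the diff alone, so please confirm whether the id churn is deliberate for v2.3.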
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--b3d9e737-0675-456d-9c7c-4f1b0f375228",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--4bff68b3-9d4e-4ba5-b2fe-95b583cbc03f",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:34.329445Z",
- "modified": "2021-02-10T06:49:34.329445Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--c550625d-7b0c-4db2-9f30-486767c9cf63",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--4fab69d4-4418-4097-9fba-8aa22661f8d5.json b/mbc/relationship/relationship--4fab69d4-4418-4097-9fba-8aa22661f8d5.json
deleted file mode 100644
index 62eb6e03..00000000
--- a/mbc/relationship/relationship--4fab69d4-4418-4097-9fba-8aa22661f8d5.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--989563b0-6368-4afb-934e-f9431d254c20",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--4fab69d4-4418-4097-9fba-8aa22661f8d5",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.602253Z",
- "modified": "2020-08-21T20:50:04.602253Z",
- "relationship_type": "uses",
- "description": "Performs click-fraud.",
- "source_ref": "malware--fa095747-0ca8-4965-a222-cf1fe7647e12",
- "target_ref": "attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--57543e32-d9cc-4f12-b7f6-9a15aa1f1a73.json b/mbc/relationship/relationship--57543e32-d9cc-4f12-b7f6-9a15aa1f1a73.json
deleted file mode 100644
index f1c005a2..00000000
--- a/mbc/relationship/relationship--57543e32-d9cc-4f12-b7f6-9a15aa1f1a73.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--018ebdd0-be91-4f17-9909-028034fdaa8e",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--57543e32-d9cc-4f12-b7f6-9a15aa1f1a73",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.603292Z",
- "modified": "2020-08-21T20:50:04.603292Z",
- "relationship_type": "uses",
- "description": "Encrypts files for ransom without any connection to the Internet.",
- "source_ref": "malware--542141d9-e98d-4d4a-9b15-dfc3f8933e48",
- "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--576dd954-f983-47d9-a0f8-edd3abfd1660.json b/mbc/relationship/relationship--576dd954-f983-47d9-a0f8-edd3abfd1660.json
deleted file mode 100644
index 40bc820d..00000000
--- a/mbc/relationship/relationship--576dd954-f983-47d9-a0f8-edd3abfd1660.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--c67c6146-9621-4115-ae0a-c0f79651bf82",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--576dd954-f983-47d9-a0f8-edd3abfd1660",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.600252Z",
- "modified": "2020-08-21T20:50:04.600252Z",
- "relationship_type": "uses",
- "description": "Emotet macros are heavily obfuscated with junk functions and string substitutions.",
- "source_ref": "malware--5fe2035d-58a0-4cd6-9561-cf4442871a10",
- "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--58da90a9-db0b-43cc-99f9-3e562dcf4a90.json b/mbc/relationship/relationship--58da90a9-db0b-43cc-99f9-3e562dcf4a90.json
deleted file mode 100644
index 0c426ba1..00000000
--- a/mbc/relationship/relationship--58da90a9-db0b-43cc-99f9-3e562dcf4a90.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--d24be462-e8cd-486d-8e00-572bb2361d00",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--58da90a9-db0b-43cc-99f9-3e562dcf4a90",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.614292Z",
- "modified": "2020-08-21T20:50:04.614292Z",
- "relationship_type": "uses",
- "description": "Drops software that mines for cryptocurrency: Cryptonight or Claymore's Zcash miner, depending on system architecture.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--e25edc0c-3631-4df8-a37f-4695d3cec86e",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--5d0f5931-bb24-4dff-8119-36c01f33373e.json b/mbc/relationship/relationship--5d0f5931-bb24-4dff-8119-36c01f33373e.json
deleted file mode 100644
index de8d4108..00000000
--- a/mbc/relationship/relationship--5d0f5931-bb24-4dff-8119-36c01f33373e.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--dbb59599-eb98-412f-9dfb-e6cd5f699879",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--5d0f5931-bb24-4dff-8119-36c01f33373e",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:34.767441Z",
- "modified": "2021-02-10T06:49:34.767441Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--5e02aacb-3140-4ae6-81c3-3512b2862b53.json b/mbc/relationship/relationship--5e02aacb-3140-4ae6-81c3-3512b2862b53.json
deleted file mode 100644
index 27315ab2..00000000
--- a/mbc/relationship/relationship--5e02aacb-3140-4ae6-81c3-3512b2862b53.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--6ee38bc7-d76e-4006-890c-809ec2ecebad",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--5e02aacb-3140-4ae6-81c3-3512b2862b53",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.599252Z",
- "modified": "2020-08-21T20:50:04.599252Z",
- "relationship_type": "uses",
- "description": "Uses a domain name generator.",
- "source_ref": "malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9",
- "target_ref": "attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--5eb31591-a592-41ab-86e3-cb93ed9e1c80.json b/mbc/relationship/relationship--5eb31591-a592-41ab-86e3-cb93ed9e1c80.json
deleted file mode 100644
index d22589cc..00000000
--- a/mbc/relationship/relationship--5eb31591-a592-41ab-86e3-cb93ed9e1c80.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--fc2e7576-d440-4eae-816a-fa06472c1b8f",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--5eb31591-a592-41ab-86e3-cb93ed9e1c80",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.611257Z",
- "modified": "2020-08-21T20:50:04.611257Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--627fca8c-c3a2-49cc-a31b-c7e138829e81.json b/mbc/relationship/relationship--627fca8c-c3a2-49cc-a31b-c7e138829e81.json
deleted file mode 100644
index e47af1e6..00000000
--- a/mbc/relationship/relationship--627fca8c-c3a2-49cc-a31b-c7e138829e81.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--e53bd1ab-4e64-49da-a158-d14986a098d2",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--627fca8c-c3a2-49cc-a31b-c7e138829e81",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.945699Z",
- "modified": "2022-02-04T23:52:40.945699Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--28715d14-8b3f-4be9-95f6-e306de73f53f",
- "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--63b781c3-a8f4-4c5a-b432-5ea29beb76e5.json b/mbc/relationship/relationship--63b781c3-a8f4-4c5a-b432-5ea29beb76e5.json
deleted file mode 100644
index d748ea11..00000000
--- a/mbc/relationship/relationship--63b781c3-a8f4-4c5a-b432-5ea29beb76e5.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--f489f24c-15d2-4b39-ae54-7b581bc142de",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--63b781c3-a8f4-4c5a-b432-5ea29beb76e5",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.606264Z",
- "modified": "2020-08-21T20:50:04.606264Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--8911f215-156e-489a-a1fb-f2cdb69772f8",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--65089091-ff7b-4b1a-b96f-24c10d611194.json b/mbc/relationship/relationship--65089091-ff7b-4b1a-b96f-24c10d611194.json
deleted file mode 100644
index cf6b0817..00000000
--- a/mbc/relationship/relationship--65089091-ff7b-4b1a-b96f-24c10d611194.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--703a9fe2-a8d2-442a-999d-1a65b1b4baa4",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--65089091-ff7b-4b1a-b96f-24c10d611194",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.605287Z",
- "modified": "2020-08-21T20:50:04.605287Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--6da04862-dd32-45b6-b7d4-c18f6594bba9.json b/mbc/relationship/relationship--6da04862-dd32-45b6-b7d4-c18f6594bba9.json
deleted file mode 100644
index 99882019..00000000
--- a/mbc/relationship/relationship--6da04862-dd32-45b6-b7d4-c18f6594bba9.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--4752bc12-fd88-4c00-b8de-38cb46ab5a00",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--6da04862-dd32-45b6-b7d4-c18f6594bba9",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:34.070442Z",
- "modified": "2021-02-10T06:49:34.070442Z",
- "relationship_type": "uses",
- "description": "Prevents the infected system from installing anti-virus software updates.",
- "source_ref": "malware--0c0d59b7-4ff0-4a09-9c64-558334485ece",
- "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--41cd43e4-bc45-4ed3-ace0-2efdbf47eafe.json b/mbc/relationship/relationship--6dcabe56-17b8-491b-8fd9-87edae835658.json
similarity index 59%
rename from mbc/relationship/relationship--41cd43e4-bc45-4ed3-ace0-2efdbf47eafe.json
rename to mbc/relationship/relationship--6dcabe56-17b8-491b-8fd9-87edae835658.json
index a0cba0d1..6eb46815 100644
--- a/mbc/relationship/relationship--41cd43e4-bc45-4ed3-ace0-2efdbf47eafe.json
+++ b/mbc/relationship/relationship--6dcabe56-17b8-491b-8fd9-87edae835658.json
@@ -1,17 +1,17 @@
{
"type": "bundle",
- "id": "bundle--1aae719f-ff48-49b7-a22d-6232bdd5c767",
+ "id": "bundle--46a56cc2-5cf9-4342-b8d9-450356c7d8c9",
"objects": [
{
"type": "relationship",
"spec_version": "2.1",
- "id": "relationship--41cd43e4-bc45-4ed3-ace0-2efdbf47eafe",
+ "id": "relationship--6dcabe56-17b8-491b-8fd9-87edae835658",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.962929Z",
- "modified": "2022-02-04T23:52:40.962929Z",
+ "created": "2022-09-08T18:26:19.143737Z",
+ "modified": "2022-09-08T18:26:19.143737Z",
"relationship_type": "subtechnique-of",
"source_ref": "attack-pattern--f1f9a410-ce13-4c3d-8728-69e517d71fb9",
- "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504",
+ "target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e",
"object_marking_refs": [
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
]
diff --git a/mbc/relationship/relationship--706003e5-02d2-4e24-b6fc-731d4b36509c.json b/mbc/relationship/relationship--706003e5-02d2-4e24-b6fc-731d4b36509c.json
deleted file mode 100644
index bb58f47a..00000000
--- a/mbc/relationship/relationship--706003e5-02d2-4e24-b6fc-731d4b36509c.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--a1a13e2c-e4ca-48c5-8284-cd476498d54d",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--706003e5-02d2-4e24-b6fc-731d4b36509c",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.945699Z",
- "modified": "2022-02-04T23:52:40.945699Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--23cc9528-7b14-4f75-9daf-0afb8d9c24fa",
- "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--7219324e-57db-4a0a-b08b-62b12c0dc34b.json b/mbc/relationship/relationship--7219324e-57db-4a0a-b08b-62b12c0dc34b.json
deleted file mode 100644
index 709abfeb..00000000
--- a/mbc/relationship/relationship--7219324e-57db-4a0a-b08b-62b12c0dc34b.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--8eb54891-83dc-4990-8b4c-6dfbac657ee6",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--7219324e-57db-4a0a-b08b-62b12c0dc34b",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.600252Z",
- "modified": "2020-08-21T20:50:04.600252Z",
- "relationship_type": "uses",
- "description": "Alters DNS server settings to route to a rogue DNS server for the purpose of click hijacking.",
- "source_ref": "malware--0c0d59b7-4ff0-4a09-9c64-558334485ece",
- "target_ref": "attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--73c3780f-ca3d-4e58-88af-fce45e47d165.json b/mbc/relationship/relationship--73c3780f-ca3d-4e58-88af-fce45e47d165.json
deleted file mode 100644
index ab512e14..00000000
--- a/mbc/relationship/relationship--73c3780f-ca3d-4e58-88af-fce45e47d165.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--0efff753-b7de-41b5-b2f1-08b051767384",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--73c3780f-ca3d-4e58-88af-fce45e47d165",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.607256Z",
- "modified": "2020-08-21T20:50:04.607256Z",
- "relationship_type": "uses",
- "description": "Redhip detects VMWare, Virtual PC and Virtual Box. It also detects VM environments in general by considering timing lapses.",
- "source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--743c0cb2-bba4-4dfa-bbd6-ac5ed8875761.json b/mbc/relationship/relationship--743c0cb2-bba4-4dfa-bbd6-ac5ed8875761.json
deleted file mode 100644
index 7c58510c..00000000
--- a/mbc/relationship/relationship--743c0cb2-bba4-4dfa-bbd6-ac5ed8875761.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--d45fde95-f4cf-432c-bb0e-e17e1b2bcf05",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--743c0cb2-bba4-4dfa-bbd6-ac5ed8875761",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.615251Z",
- "modified": "2020-08-21T20:50:04.615251Z",
- "relationship_type": "uses",
- "description": "WebCobra injects malicious code to svchost.exe and uses an infinite loop to check all open windows and to compare each window\u2019s title bar text with a set of strings to determine whether it is running in an isolated, malware analysis environment.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--61eb90ad-4b2a-4d85-b264-7f248a05507d",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--69192ee9-36d6-464b-a53d-c70b6433e7de.json b/mbc/relationship/relationship--76e0d327-5877-43d1-957d-4b07239f216f.json
similarity index 59%
rename from mbc/relationship/relationship--69192ee9-36d6-464b-a53d-c70b6433e7de.json
rename to mbc/relationship/relationship--76e0d327-5877-43d1-957d-4b07239f216f.json
index 546f2527..03faf696 100644
--- a/mbc/relationship/relationship--69192ee9-36d6-464b-a53d-c70b6433e7de.json
+++ b/mbc/relationship/relationship--76e0d327-5877-43d1-957d-4b07239f216f.json
@@ -1,16 +1,16 @@
{
"type": "bundle",
- "id": "bundle--b9c8139a-c167-4653-9480-5e0e80024ffd",
+ "id": "bundle--1220cbe9-1a7c-4fb1-b3a3-7ca3ab6901a8",
"objects": [
{
"type": "relationship",
"spec_version": "2.1",
- "id": "relationship--69192ee9-36d6-464b-a53d-c70b6433e7de",
+ "id": "relationship--76e0d327-5877-43d1-957d-4b07239f216f",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.453445Z",
- "modified": "2021-02-10T06:49:35.453445Z",
+ "created": "2022-09-08T18:26:19.081235Z",
+ "modified": "2022-09-08T18:26:19.081235Z",
"relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--9108b308-b962-4468-86bf-8921f77c963c",
+ "source_ref": "attack-pattern--97ebea10-8852-4c4f-bf50-8b866ebc90ab",
"target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
"object_marking_refs": [
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
diff --git a/mbc/relationship/relationship--78d819da-3841-4091-afac-7ab38b3ed476.json b/mbc/relationship/relationship--78d819da-3841-4091-afac-7ab38b3ed476.json
new file mode 100644
index 00000000..e5a6d595
--- /dev/null
+++ b/mbc/relationship/relationship--78d819da-3841-4091-afac-7ab38b3ed476.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--619edd34-3243-43f8-8163-6dc17830097f",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--78d819da-3841-4091-afac-7ab38b3ed476",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:19.129589Z",
+ "modified": "2022-09-08T18:26:19.129589Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--a385dfe3-ba5e-4cc7-9a6d-a38349b44739",
+ "target_ref": "attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--7a4e0f35-e30b-4447-a0cc-125626d39656.json b/mbc/relationship/relationship--7a4e0f35-e30b-4447-a0cc-125626d39656.json
deleted file mode 100644
index bcefc90e..00000000
--- a/mbc/relationship/relationship--7a4e0f35-e30b-4447-a0cc-125626d39656.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--3c00b562-4dd0-4e9c-a653-cf2d7bbcf4aa",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--7a4e0f35-e30b-4447-a0cc-125626d39656",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.606264Z",
- "modified": "2020-08-21T20:50:04.606264Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--81f4bfa5-9f8d-4aa1-a84e-b47f33aab606.json b/mbc/relationship/relationship--81f4bfa5-9f8d-4aa1-a84e-b47f33aab606.json
deleted file mode 100644
index 8002e133..00000000
--- a/mbc/relationship/relationship--81f4bfa5-9f8d-4aa1-a84e-b47f33aab606.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--8f385bf1-13b1-4587-885f-f7d8e0f1514b",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--81f4bfa5-9f8d-4aa1-a84e-b47f33aab606",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.598251Z",
- "modified": "2020-08-21T20:50:04.598251Z",
- "relationship_type": "uses",
- "description": "Launches distributed denial of service attacks that can target more than one IP address per hostname.",
- "source_ref": "malware--cdd198e2-3f6f-42c4-adfd-d97dc66c5f19",
- "target_ref": "attack-pattern--b8311cd4-85f0-4e4c-83c5-0af831e6d7f1",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--826fbc55-db75-4781-948b-adde0c819fed.json b/mbc/relationship/relationship--826fbc55-db75-4781-948b-adde0c819fed.json
deleted file mode 100644
index d3738a18..00000000
--- a/mbc/relationship/relationship--826fbc55-db75-4781-948b-adde0c819fed.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--5e2f8a91-62cf-434d-add1-768bf4f87c9d",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--826fbc55-db75-4781-948b-adde0c819fed",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.615251Z",
- "modified": "2020-08-21T20:50:04.615251Z",
- "relationship_type": "uses",
- "description": "Can download and install arbitrary iOS apps.",
- "source_ref": "malware--a6ad7a2e-f619-4598-914b-16f68b372789",
- "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--89cb978e-d4f7-4a13-95ae-5599dd877131.json b/mbc/relationship/relationship--89cb978e-d4f7-4a13-95ae-5599dd877131.json
deleted file mode 100644
index 370dedc3..00000000
--- a/mbc/relationship/relationship--89cb978e-d4f7-4a13-95ae-5599dd877131.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--421785fa-ff30-4024-8d69-9681f5da6cd3",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--89cb978e-d4f7-4a13-95ae-5599dd877131",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.607256Z",
- "modified": "2020-08-21T20:50:04.607256Z",
- "relationship_type": "uses",
- "description": "Redhip samples are packed with different custom packers.",
- "source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41",
- "target_ref": "attack-pattern--ff830778-b9bc-4636-9dc7-884d5dad8c2c",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--89f5a894-a725-48cf-a061-fcc45f2d370d.json b/mbc/relationship/relationship--89f5a894-a725-48cf-a061-fcc45f2d370d.json
deleted file mode 100644
index 5e999ad9..00000000
--- a/mbc/relationship/relationship--89f5a894-a725-48cf-a061-fcc45f2d370d.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--455fab0e-3f10-460b-b4be-7e26ad7500d1",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--89f5a894-a725-48cf-a061-fcc45f2d370d",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.945699Z",
- "modified": "2022-02-04T23:52:40.945699Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--5c965b91-a0fd-4a85-b688-9be91a7a5aa8",
- "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--06bd4ba6-d0ca-4c1d-b879-92d6151dbfb0.json b/mbc/relationship/relationship--8a59149c-0a38-46a8-a1c8-2aa236149116.json
similarity index 53%
rename from mbc/relationship/relationship--06bd4ba6-d0ca-4c1d-b879-92d6151dbfb0.json
rename to mbc/relationship/relationship--8a59149c-0a38-46a8-a1c8-2aa236149116.json
index 1588fa4a..617964ac 100644
--- a/mbc/relationship/relationship--06bd4ba6-d0ca-4c1d-b879-92d6151dbfb0.json
+++ b/mbc/relationship/relationship--8a59149c-0a38-46a8-a1c8-2aa236149116.json
@@ -1,16 +1,16 @@
 {
 "type": "bundle",
- "id": "bundle--71feb3d3-7b9a-4f24-9c38-65b68b18fffe",
+ "id": "bundle--ffa92d33-a4ff-48f0-bc4f-dd51fb36bc15",
 "objects": [
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--06bd4ba6-d0ca-4c1d-b879-92d6151dbfb0",
+ "id": "relationship--8a59149c-0a38-46a8-a1c8-2aa236149116",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.608257Z",
- "modified": "2020-08-21T20:50:04.608257Z",
- "relationship_type": "uses",
- "source_ref": "malware--30666a55-e3de-40ff-a680-8bca9c163cb0",
+ "created": "2022-09-08T18:26:19.070707Z",
+ "modified": "2022-09-08T18:26:19.070707Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--9fb37268-5250-495b-b80c-96315169c1a8",
 "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
diff --git a/mbc/relationship/relationship--8ae4a607-2f5f-45ad-974f-43760f7679f6.json b/mbc/relationship/relationship--8ae4a607-2f5f-45ad-974f-43760f7679f6.json
deleted file mode 100644
index 637f674e..00000000
--- a/mbc/relationship/relationship--8ae4a607-2f5f-45ad-974f-43760f7679f6.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--c3456899-b5b7-4b44-a5d3-617471758732",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--8ae4a607-2f5f-45ad-974f-43760f7679f6",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.615251Z",
- "modified": "2020-08-21T20:50:04.615251Z",
- "relationship_type": "uses",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
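Review bot: In this rename hunk every identifying field changes — `"id"`, `"created"`, `"relationship_type"` (`uses` → `subtechnique-of`) and `"source_ref"` (a `malware--` SDO → an `attack-pattern--`) — so the new side is not a new version of `relationship--06bd4ba6-…` but an unrelated object that git's similarity detection happened to pair with it, and the old malware→behavior `uses` link simply disappears from the repository. Under STIX 2.1 versioning a consumer that already ingested `relationship--06bd4ba6-…` gets no signal that it was withdrawn unless a revoked version (same `"id"`, later `"modified"`, `"revoked": true`) is published, which this commit does not do; if dropping these links is intended, consider having the generator emit revoked versions, and if they are regenerated elsewhere under new ids this is a non-issue. The rename to `relationship--b43139f5-…` shows the same `uses` → `subtechnique-of` swap, and the renames to `relationship--a60acc51-…`, `relationship--b59c70f6-…` and `relationship--bc673d2f-…` likewise change `"id"` and `"created"`, so they too are replacements rather than versions.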
diff --git a/mbc/relationship/relationship--8fca40b2-f90d-4f34-b7c6-de4a36dc6757.json b/mbc/relationship/relationship--8fca40b2-f90d-4f34-b7c6-de4a36dc6757.json
deleted file mode 100644
index 9ca45fe6..00000000
--- a/mbc/relationship/relationship--8fca40b2-f90d-4f34-b7c6-de4a36dc6757.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--956eaf35-e967-4e41-a1e8-59d2d4782360",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--8fca40b2-f90d-4f34-b7c6-de4a36dc6757",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.606264Z",
- "modified": "2020-08-21T20:50:04.606264Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--911a73f0-177c-4664-9bc7-9be9ff2dd265.json b/mbc/relationship/relationship--911a73f0-177c-4664-9bc7-9be9ff2dd265.json
deleted file mode 100644
index f51741bb..00000000
--- a/mbc/relationship/relationship--911a73f0-177c-4664-9bc7-9be9ff2dd265.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--4b02e0ab-2013-4554-b860-3bf9f78416b9",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--911a73f0-177c-4664-9bc7-9be9ff2dd265",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.614292Z",
- "modified": "2020-08-21T20:50:04.614292Z",
- "relationship_type": "uses",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--9fce1966-24ac-4f7b-b6b8-7cf2dcc68220.json b/mbc/relationship/relationship--9fce1966-24ac-4f7b-b6b8-7cf2dcc68220.json
deleted file mode 100644
index 32a26ffd..00000000
--- a/mbc/relationship/relationship--9fce1966-24ac-4f7b-b6b8-7cf2dcc68220.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--ffc5d085-fa43-4d67-87ac-4b52926e7eaf",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--9fce1966-24ac-4f7b-b6b8-7cf2dcc68220",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.609253Z",
- "modified": "2020-08-21T20:50:04.609253Z",
- "relationship_type": "uses",
- "description": "Stuxnet made the centrifuges at Iran's nuclear plant spin dangerously fast for 15 minutes, before returning to normal speed. About a month later, it slowed the centrifuges down for 50 minutes. This was repeated for several months, and over time the strain destroyed the machines.",
- "source_ref": "malware--2640ed9a-24d9-4975-90c2-c8ab94d544e3",
- "target_ref": "attack-pattern--09aa0bf7-bdec-4642-ad23-c8f1c9b01297",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--a0277302-44bd-4134-9323-df422100c727.json b/mbc/relationship/relationship--a0277302-44bd-4134-9323-df422100c727.json
deleted file mode 100644
index 42f5cf1b..00000000
--- a/mbc/relationship/relationship--a0277302-44bd-4134-9323-df422100c727.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--c4d03e7e-7fc6-4e91-a152-4b46e740f51e",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--a0277302-44bd-4134-9323-df422100c727",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.612264Z",
- "modified": "2020-08-21T20:50:04.612264Z",
- "relationship_type": "uses",
- "description": "Ursnif uses malware macros to evade sandbox detection.",
- "source_ref": "malware--31e78af0-0509-4f7b-b304-77a8e5bf7ead",
- "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--a25ebab5-27c6-43bc-8067-a1b5e9a8e287.json b/mbc/relationship/relationship--a25ebab5-27c6-43bc-8067-a1b5e9a8e287.json
deleted file mode 100644
index 7619988d..00000000
--- a/mbc/relationship/relationship--a25ebab5-27c6-43bc-8067-a1b5e9a8e287.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--6978c802-ac39-4b6f-b8d1-a879dca07d8a",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--a25ebab5-27c6-43bc-8067-a1b5e9a8e287",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.606264Z",
- "modified": "2020-08-21T20:50:04.606264Z",
- "relationship_type": "uses",
- "description": "Redhip detects all publicly available automated malware analysis workbenches (ThreatExpert, JoeBox, etc.).",
- "source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41",
- "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--a45880ae-06ce-40dc-9cf8-c1048d4703fb.json b/mbc/relationship/relationship--a45880ae-06ce-40dc-9cf8-c1048d4703fb.json
deleted file mode 100644
index 7c8b37f7..00000000
--- a/mbc/relationship/relationship--a45880ae-06ce-40dc-9cf8-c1048d4703fb.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--5fcba977-8475-4e7c-8cc5-fd3500707daf",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--a45880ae-06ce-40dc-9cf8-c1048d4703fb",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.604253Z",
- "modified": "2020-08-21T20:50:04.604253Z",
- "relationship_type": "uses",
- "description": "A Trojan downloader.",
- "source_ref": "malware--cb022b7d-775c-4db8-ab25-3add7e215d54",
- "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--9019f14b-be9e-4d46-b63e-652e178cb845.json b/mbc/relationship/relationship--a60acc51-7a7a-4346-b015-f74485f0beb1.json
similarity index 59%
rename from mbc/relationship/relationship--9019f14b-be9e-4d46-b63e-652e178cb845.json
rename to mbc/relationship/relationship--a60acc51-7a7a-4346-b015-f74485f0beb1.json
index e8080a4f..bedf9d7e 100644
--- a/mbc/relationship/relationship--9019f14b-be9e-4d46-b63e-652e178cb845.json
+++ b/mbc/relationship/relationship--a60acc51-7a7a-4346-b015-f74485f0beb1.json
@@ -1,17 +1,17 @@
 {
 "type": "bundle",
- "id": "bundle--821d1a7a-b063-4926-8414-ef8bdecd70a2",
+ "id": "bundle--e4cb56fe-9676-49f5-a51d-2724b10f8306",
 "objects": [
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--9019f14b-be9e-4d46-b63e-652e178cb845",
+ "id": "relationship--a60acc51-7a7a-4346-b015-f74485f0beb1",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.962929Z",
- "modified": "2022-02-04T23:52:40.962929Z",
+ "created": "2022-09-08T18:26:19.144826Z",
+ "modified": "2022-09-08T18:26:19.144826Z",
 "relationship_type": "subtechnique-of",
 "source_ref": "attack-pattern--80ee5a98-6e25-4cb6-a6d2-3321855e14e2",
- "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504",
+ "target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ]
diff --git a/mbc/relationship/relationship--a73c3c48-d1bd-4e8d-920a-312b103d37ea.json b/mbc/relationship/relationship--a73c3c48-d1bd-4e8d-920a-312b103d37ea.json
deleted file mode 100644
index 03066d71..00000000
--- a/mbc/relationship/relationship--a73c3c48-d1bd-4e8d-920a-312b103d37ea.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--bb42485d-2cce-4be2-bafd-626007ebcb4c",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--a73c3c48-d1bd-4e8d-920a-312b103d37ea",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.601289Z",
- "modified": "2020-08-21T20:50:04.601289Z",
- "relationship_type": "uses",
- "description": "Geneio installs the browser extension *~/Library/Safari/Extensions/Omnibar.safariextz*. It also creates the app files listed in the description above.",
- "source_ref": "malware--2def59e9-a1ba-4c23-9f7d-437935d1e965",
- "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--a75d4a45-4b89-4b7f-b716-09f22ce93d22.json b/mbc/relationship/relationship--a75d4a45-4b89-4b7f-b716-09f22ce93d22.json
deleted file mode 100644
index a30fe53b..00000000
--- a/mbc/relationship/relationship--a75d4a45-4b89-4b7f-b716-09f22ce93d22.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--78d5c0c4-165e-4c28-bbf6-e4c9b797e542",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--a75d4a45-4b89-4b7f-b716-09f22ce93d22",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.612264Z",
- "modified": "2020-08-21T20:50:04.612264Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--a6d7b549-6392-47dd-a5b3-f5ba522166c4",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--a87b3bb5-4abd-4577-b425-0e99af7191fb.json b/mbc/relationship/relationship--a87b3bb5-4abd-4577-b425-0e99af7191fb.json
deleted file mode 100644
index 3097c009..00000000
--- a/mbc/relationship/relationship--a87b3bb5-4abd-4577-b425-0e99af7191fb.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--59a7c783-a2c5-4692-8583-1b0d4ade8400",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--a87b3bb5-4abd-4577-b425-0e99af7191fb",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.605287Z",
- "modified": "2020-08-21T20:50:04.605287Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--ab9cf0eb-332f-4bad-ab2d-37a909799aec.json b/mbc/relationship/relationship--ab9cf0eb-332f-4bad-ab2d-37a909799aec.json
deleted file mode 100644
index 786f0de8..00000000
--- a/mbc/relationship/relationship--ab9cf0eb-332f-4bad-ab2d-37a909799aec.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--2271673a-428b-4634-8856-780bf6c0abb9",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--ab9cf0eb-332f-4bad-ab2d-37a909799aec",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.600252Z",
- "modified": "2020-08-21T20:50:04.600252Z",
- "relationship_type": "uses",
- "description": "Gamut probes the infected system's SMTP port 25 by sending a test SMTP transaction to mail.ru and hotmail.com. If port 25 is open, the bot requests the spam template and email list, which it uses to send spam.",
- "source_ref": "malware--86cfa430-ca3b-4322-bdfe-989aca5305f0",
- "target_ref": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--eb80b1d5-e2dd-454f-86f3-b1459c75df93.json b/mbc/relationship/relationship--b43139f5-8626-4df1-948b-30f6042af7ae.json
similarity index 53%
rename from mbc/relationship/relationship--eb80b1d5-e2dd-454f-86f3-b1459c75df93.json
rename to mbc/relationship/relationship--b43139f5-8626-4df1-948b-30f6042af7ae.json
index be547969..22fcc27b 100644
--- a/mbc/relationship/relationship--eb80b1d5-e2dd-454f-86f3-b1459c75df93.json
+++ b/mbc/relationship/relationship--b43139f5-8626-4df1-948b-30f6042af7ae.json
@@ -1,16 +1,16 @@
 {
 "type": "bundle",
- "id": "bundle--d3ffd628-5915-4d38-a55d-952b4b874a1c",
+ "id": "bundle--0ac35ed5-e79d-4dad-a893-dadb3f98f146",
 "objects": [
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--eb80b1d5-e2dd-454f-86f3-b1459c75df93",
+ "id": "relationship--b43139f5-8626-4df1-948b-30f6042af7ae",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:34.891442Z",
- "modified": "2021-02-10T06:49:34.891442Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
+ "created": "2022-09-08T18:26:19.030816Z",
+ "modified": "2022-09-08T18:26:19.030816Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--b063a520-75fb-41bc-afd7-bf13a8118dc5",
 "target_ref": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
diff --git a/mbc/relationship/relationship--2498808a-e193-4149-a3ea-1298d76fb2af.json b/mbc/relationship/relationship--b59c70f6-dd4c-44b9-bf95-d8ea33bf78b2.json
similarity index 59%
rename from mbc/relationship/relationship--2498808a-e193-4149-a3ea-1298d76fb2af.json
rename to mbc/relationship/relationship--b59c70f6-dd4c-44b9-bf95-d8ea33bf78b2.json
index 02ebdb21..04de4b54 100644
--- a/mbc/relationship/relationship--2498808a-e193-4149-a3ea-1298d76fb2af.json
+++ b/mbc/relationship/relationship--b59c70f6-dd4c-44b9-bf95-d8ea33bf78b2.json
@@ -1,16 +1,16 @@
 {
 "type": "bundle",
- "id": "bundle--dea6325a-ef89-4787-8de0-56391e49facb",
+ "id": "bundle--5159e814-ddcd-4b84-a31e-77fe21393dd9",
 "objects": [
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--2498808a-e193-4149-a3ea-1298d76fb2af",
+ "id": "relationship--b59c70f6-dd4c-44b9-bf95-d8ea33bf78b2",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.453445Z",
- "modified": "2021-02-10T06:49:35.453445Z",
+ "created": "2022-09-08T18:26:19.082428Z",
+ "modified": "2022-09-08T18:26:19.082428Z",
 "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--bc6ed4f1-4e73-477a-b05c-a49a3dd52642",
+ "source_ref": "attack-pattern--0a5b94d6-6800-4855-8cd9-d100af9f67d9",
 "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
diff --git a/mbc/relationship/relationship--b9410d22-a339-4bc1-9228-9770c6f18a66.json b/mbc/relationship/relationship--b9410d22-a339-4bc1-9228-9770c6f18a66.json
deleted file mode 100644
index 431d32a8..00000000
--- a/mbc/relationship/relationship--b9410d22-a339-4bc1-9228-9770c6f18a66.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--cb2c9106-045f-4c9f-abb4-faa33d8e162e",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--b9410d22-a339-4bc1-9228-9770c6f18a66",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.611257Z",
- "modified": "2020-08-21T20:50:04.611257Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--bfb97f13-10a9-430f-9887-80bc455b387c.json b/mbc/relationship/relationship--bc673d2f-0836-4e03-992e-e2fe9c3adeb0.json
similarity index 51%
rename from mbc/relationship/relationship--bfb97f13-10a9-430f-9887-80bc455b387c.json
rename to mbc/relationship/relationship--bc673d2f-0836-4e03-992e-e2fe9c3adeb0.json
index 037628c0..708d8faf 100644
--- a/mbc/relationship/relationship--bfb97f13-10a9-430f-9887-80bc455b387c.json
+++ b/mbc/relationship/relationship--bc673d2f-0836-4e03-992e-e2fe9c3adeb0.json
@@ -1,17 +1,17 @@
 {
 "type": "bundle",
- "id": "bundle--49300b27-5fdc-4930-9117-d9f4410100e7",
+ "id": "bundle--d25b492a-33b4-4080-93e5-26860025b279",
 "objects": [
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--bfb97f13-10a9-430f-9887-80bc455b387c",
+ "id": "relationship--bc673d2f-0836-4e03-992e-e2fe9c3adeb0",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.945699Z",
- "modified": "2022-02-04T23:52:40.945699Z",
+ "created": "2022-09-08T18:26:19.032731Z",
+ "modified": "2022-09-08T18:26:19.032731Z",
 "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--1df0593b-0f35-41c8-b7d8-41d6a3e9cf8c",
- "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263",
+ "source_ref": "attack-pattern--c5c986d0-cf3f-44bb-9f0e-023783e6066d",
+ "target_ref": "attack-pattern--965ddf96-4218-468f-be38-7ccd6ec29397",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ]
diff --git a/mbc/relationship/relationship--bcd12692-9e2b-4267-8c4c-3e4cd0e7a70b.json b/mbc/relationship/relationship--bcd12692-9e2b-4267-8c4c-3e4cd0e7a70b.json
deleted file mode 100644
index d5b10580..00000000
--- a/mbc/relationship/relationship--bcd12692-9e2b-4267-8c4c-3e4cd0e7a70b.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--d7a3b4cf-e113-4682-8823-5db79bfeb218",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--bcd12692-9e2b-4267-8c4c-3e4cd0e7a70b",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.602253Z",
- "modified": "2020-08-21T20:50:04.602253Z",
- "relationship_type": "uses",
- "description": "Uses a domain name generator.",
- "source_ref": "malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa",
- "target_ref": "attack-pattern--5a3611aa-4253-4302-b09e-02fe53a1af9d",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--bd4fadc4-7acb-4ed0-b916-3f2ac4daa301.json b/mbc/relationship/relationship--bd4fadc4-7acb-4ed0-b916-3f2ac4daa301.json
deleted file mode 100644
index 3a4f8893..00000000
--- a/mbc/relationship/relationship--bd4fadc4-7acb-4ed0-b916-3f2ac4daa301.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--a0e014c8-11ae-448e-ae2f-c3219103eb2a",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--bd4fadc4-7acb-4ed0-b916-3f2ac4daa301",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.447445Z",
- "modified": "2021-02-10T06:49:35.447445Z",
- "relationship_type": "uses",
- "description": "Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--f25b4262-78aa-48e6-b9c9-6069058a918a",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--be0cd60b-1d8f-4b6d-9408-edd531d4ffa4.json b/mbc/relationship/relationship--be0cd60b-1d8f-4b6d-9408-edd531d4ffa4.json
deleted file mode 100644
index 6aa47092..00000000
--- a/mbc/relationship/relationship--be0cd60b-1d8f-4b6d-9408-edd531d4ffa4.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--2a70e1c1-9f54-4eb3-99e8-d972b24d12e7",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--be0cd60b-1d8f-4b6d-9408-edd531d4ffa4",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.599252Z",
- "modified": "2020-08-21T20:50:04.599252Z",
- "relationship_type": "uses",
- "description": "Primary behavior is encrypting data.",
- "source_ref": "malware--4188f951-4400-406c-8281-509395fc8e11",
- "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--c3b2136c-216f-47e7-a621-b38bd2bf5477.json b/mbc/relationship/relationship--c3b2136c-216f-47e7-a621-b38bd2bf5477.json
new file mode 100644
index 00000000..80d9d7f4
--- /dev/null
+++ b/mbc/relationship/relationship--c3b2136c-216f-47e7-a621-b38bd2bf5477.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--81dbaca0-aeb0-40af-be7e-e8c39ba911a9",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--c3b2136c-216f-47e7-a621-b38bd2bf5477",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:19.12996Z",
+ "modified": "2022-09-08T18:26:19.12996Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--7781ebfd-13bd-4a00-9c51-ed98a45f8749",
+ "target_ref": "attack-pattern--c6f384e3-bf80-4251-8591-265ab51480cc",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--c4f72d93-9b4a-4115-88d6-bae28231abba.json b/mbc/relationship/relationship--c4f72d93-9b4a-4115-88d6-bae28231abba.json
new file mode 100644
index 00000000..0bcc394d
--- /dev/null
+++ b/mbc/relationship/relationship--c4f72d93-9b4a-4115-88d6-bae28231abba.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--6e046993-d364-40e3-98d8-ce972d4f99a2",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--c4f72d93-9b4a-4115-88d6-bae28231abba",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:19.142159Z",
+ "modified": "2022-09-08T18:26:19.142159Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--d4b4af24-91a5-4f21-82c6-7f67f316239f",
+ "target_ref": "attack-pattern--b1f9e736-1435-4f76-9690-06562f843b58",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--c79f3ad7-7069-47f0-b139-72773445b23a.json b/mbc/relationship/relationship--c79f3ad7-7069-47f0-b139-72773445b23a.json
deleted file mode 100644
index 1de42425..00000000
--- a/mbc/relationship/relationship--c79f3ad7-7069-47f0-b139-72773445b23a.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--f4eebf5a-00c5-431f-bb1d-e015def1e17f",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--c79f3ad7-7069-47f0-b139-72773445b23a",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:34.192443Z",
- "modified": "2021-02-10T06:49:34.192443Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--cf892647-cc52-464f-b71e-d67b7af8a3ea.json b/mbc/relationship/relationship--cf892647-cc52-464f-b71e-d67b7af8a3ea.json
deleted file mode 100644
index 422f94de..00000000
--- a/mbc/relationship/relationship--cf892647-cc52-464f-b71e-d67b7af8a3ea.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--57692b0b-5e73-4ce1-a7a5-889198a6d8e9",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--cf892647-cc52-464f-b71e-d67b7af8a3ea",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.602253Z",
- "modified": "2020-08-21T20:50:04.602253Z",
- "relationship_type": "uses",
- "description": "Hupigon drops the file \"Systen.dll\" and adds the registry entry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\BITS DllName = \"%System%\\Systen.dll\".",
- "source_ref": "malware--6a1bde20-a344-4738-9df5-b568fa4b5f33",
- "target_ref": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--d0a2c078-fd60-437e-9ab2-4b6fb9471175.json b/mbc/relationship/relationship--d0a2c078-fd60-437e-9ab2-4b6fb9471175.json
deleted file mode 100644
index 67629178..00000000
--- a/mbc/relationship/relationship--d0a2c078-fd60-437e-9ab2-4b6fb9471175.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--bcd8a2e3-99a1-4558-bd46-4f9cb4c092a1",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--d0a2c078-fd60-437e-9ab2-4b6fb9471175",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.599252Z",
- "modified": "2020-08-21T20:50:04.599252Z",
- "relationship_type": "uses",
- "description": "Conficker A has routine that causes the process to suicide exit if the keyboard language layout is set to Ukranian.",
- "source_ref": "malware--4fe657cf-373f-4a71-a2b8-8de5c109eef9",
- "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--d1f3731f-61f7-45f4-be59-c3028c327241.json b/mbc/relationship/relationship--d1f3731f-61f7-45f4-be59-c3028c327241.json
deleted file mode 100644
index 3be03862..00000000
--- a/mbc/relationship/relationship--d1f3731f-61f7-45f4-be59-c3028c327241.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--3432dd2e-ef12-4d01-8a7a-d4d5b602e79d",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--d1f3731f-61f7-45f4-be59-c3028c327241",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.603292Z",
- "modified": "2020-08-21T20:50:04.603292Z",
- "relationship_type": "uses",
- "description": "Dumping Kraken's c.dll module from the heap of its own process is tricky because its PE-header is wiped out.",
- "source_ref": "malware--36e75009-8fd6-467a-aa8c-c6a4d3511dfa",
- "target_ref": "attack-pattern--7981f82d-ff58-4d38-a420-69d73a67bbc9",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--d4484029-7085-4b0f-b9c9-576ef3789d4c.json b/mbc/relationship/relationship--d4484029-7085-4b0f-b9c9-576ef3789d4c.json
new file mode 100644
index 00000000..a4f974fb
--- /dev/null
+++ b/mbc/relationship/relationship--d4484029-7085-4b0f-b9c9-576ef3789d4c.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--280b0301-7f26-4192-ba89-844e29b790b5",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--d4484029-7085-4b0f-b9c9-576ef3789d4c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:19.092463Z",
+ "modified": "2022-09-08T18:26:19.092463Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--ae4acd7c-89e1-44d8-a5fa-0d53fe88911e",
+ "target_ref": "attack-pattern--2f1cafa6-177a-4731-aad5-a747e5514ad9",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--dd9c6578-5364-41b2-a576-7f06aae7afbf.json b/mbc/relationship/relationship--dd9c6578-5364-41b2-a576-7f06aae7afbf.json
deleted file mode 100644
index 775242a8..00000000
--- a/mbc/relationship/relationship--dd9c6578-5364-41b2-a576-7f06aae7afbf.json
+++ /dev/null
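Review bot: The new bundle file is written without a terminating newline (the `\ No newline at end of file` marker follows the closing `}`), and the same holds for the other files this commit adds, relationship--c4f72d93 and relationship--fca68d5f; having the exporter emit a final `\n` would keep these files lint-clean and avoid a spurious trailing-line change on the next regeneration. Separately, the attack-pattern objects named in `source_ref` and `target_ref` are not visible in this chunk, so it is worth confirming both exist in the v2.3 bundle and that neither is among the files the commit deletes or renames, otherwise the relationship dangles.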
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--1429b85a-6d71-48f3-ba4e-95394893ab97",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--dd9c6578-5364-41b2-a576-7f06aae7afbf",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.613258Z",
- "modified": "2020-08-21T20:50:04.613258Z",
- "relationship_type": "uses",
- "description": "From the command line, drops and unzips a password-protected Cabinet archive file.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--ad4ab2e7-0491-4ef3-b69b-f4a73a5a7cd4",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--df269863-bfd7-413d-96bc-5b8009d8032d.json b/mbc/relationship/relationship--df269863-bfd7-413d-96bc-5b8009d8032d.json
deleted file mode 100644
index 121df55a..00000000
--- a/mbc/relationship/relationship--df269863-bfd7-413d-96bc-5b8009d8032d.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--8d16c956-76c2-4c04-be50-338693a28e5c",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--df269863-bfd7-413d-96bc-5b8009d8032d",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.610253Z",
- "modified": "2020-08-21T20:50:04.610253Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--af4729ed-7659-496d-9028-0b9efbedd9a4",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--e0398d36-3ea5-4a01-be20-c154804c4f73.json b/mbc/relationship/relationship--e0398d36-3ea5-4a01-be20-c154804c4f73.json
deleted file mode 100644
index 03dfdb6d..00000000
--- a/mbc/relationship/relationship--e0398d36-3ea5-4a01-be20-c154804c4f73.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--3d7981b3-63b9-459a-b2fc-9ba5a25293e8",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--e0398d36-3ea5-4a01-be20-c154804c4f73",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.604253Z",
- "modified": "2020-08-21T20:50:04.604253Z",
- "relationship_type": "uses",
- "description": "Installs a backdoor.",
- "source_ref": "malware--508cadaa-4fd5-4105-803e-8944e388ee45",
- "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--e1b148c6-22c8-4cd4-9c09-cd6c935aa8a3.json b/mbc/relationship/relationship--e1b148c6-22c8-4cd4-9c09-cd6c935aa8a3.json
deleted file mode 100644
index c96613e7..00000000
--- a/mbc/relationship/relationship--e1b148c6-22c8-4cd4-9c09-cd6c935aa8a3.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--ef401db6-0063-412a-a6d6-338da4fa9fa2",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--e1b148c6-22c8-4cd4-9c09-cd6c935aa8a3",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.598251Z",
- "modified": "2020-08-21T20:50:04.598251Z",
- "relationship_type": "uses",
- "description": "Bagle uses its own SMTP engine to mass-mail itself as an attachment from an infected computer.",
- "source_ref": "malware--f31598c3-8d55-440f-ac5f-4b8ea34fc09b",
- "target_ref": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--e1c53003-22cd-41c0-bc29-57e5646b7107.json b/mbc/relationship/relationship--e1c53003-22cd-41c0-bc29-57e5646b7107.json
deleted file mode 100644
index a99a5341..00000000
--- a/mbc/relationship/relationship--e1c53003-22cd-41c0-bc29-57e5646b7107.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--9903ab6d-3244-4c7f-8a66-c01dfed9aa28",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--e1c53003-22cd-41c0-bc29-57e5646b7107",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.605287Z",
- "modified": "2020-08-21T20:50:04.605287Z",
- "relationship_type": "uses",
- "source_ref": "malware--49b9796a-27fd-414e-a87d-b071aaff295b",
- "target_ref": "attack-pattern--5d116564-0ef7-4791-9a34-e86d81840b49",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--e3c2dd0c-247b-437a-819a-b2d6a2382c94.json b/mbc/relationship/relationship--e3c2dd0c-247b-437a-819a-b2d6a2382c94.json
deleted file mode 100644
index afec2c1a..00000000
--- a/mbc/relationship/relationship--e3c2dd0c-247b-437a-819a-b2d6a2382c94.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--1fc6ab7f-9d62-4cfe-93af-024713d91150",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--e3c2dd0c-247b-437a-819a-b2d6a2382c94",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.607256Z",
- "modified": "2020-08-21T20:50:04.607256Z",
- "relationship_type": "uses",
- "description": "Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFICE.",
- "source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41",
- "target_ref": "attack-pattern--c774c10b-dc56-43b1-a30a-a7fdc3485644",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--e75ee57b-7d71-4412-a60c-c8c567a59312.json b/mbc/relationship/relationship--e75ee57b-7d71-4412-a60c-c8c567a59312.json
deleted file mode 100644
index f117792d..00000000
--- a/mbc/relationship/relationship--e75ee57b-7d71-4412-a60c-c8c567a59312.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--5110ccaa-eef0-4701-bdb2-4ca32f979c09",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--e75ee57b-7d71-4412-a60c-c8c567a59312",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.614582Z",
- "modified": "2021-02-10T06:49:35.614582Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--6c07f7cb-fd9d-4acf-9b99-b15ecafc8dca",
- "target_ref": "attack-pattern--f5f2f408-2c67-40aa-9937-8fe582501e0a",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--e8485cd9-001e-4669-91f8-04a7a825dacb.json b/mbc/relationship/relationship--e8485cd9-001e-4669-91f8-04a7a825dacb.json
deleted file mode 100644
index d361b50e..00000000
--- a/mbc/relationship/relationship--e8485cd9-001e-4669-91f8-04a7a825dacb.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--0c07912f-617d-4f10-b1db-815072f54e2e",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--e8485cd9-001e-4669-91f8-04a7a825dacb",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.612264Z",
- "modified": "2020-08-21T20:50:04.612264Z",
- "relationship_type": "uses",
- "description": "Injects secondary payload into memory.",
- "source_ref": "malware--5dcefe05-4ead-4f84-9919-ebefe968df27",
- "target_ref": "attack-pattern--2a23ab2e-fd3b-4c5f-991c-021d9a132754",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--e8fc5f25-a362-45e2-b289-f676377faee9.json b/mbc/relationship/relationship--e8fc5f25-a362-45e2-b289-f676377faee9.json
deleted file mode 100644
index f938bd5e..00000000
--- a/mbc/relationship/relationship--e8fc5f25-a362-45e2-b289-f676377faee9.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--a1bb7411-b554-49e4-8c0d-ba02ef59bc7b",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--e8fc5f25-a362-45e2-b289-f676377faee9",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.613258Z",
- "modified": "2020-08-21T20:50:04.613258Z",
- "relationship_type": "uses",
- "description": "Executes differently depending on whether it's running on an x86 or x64 system.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--b1656b25-ea6a-485b-88e2-4c509b69caae",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--e9f86b70-5b39-4c87-ba9c-a6753c8f03d0.json b/mbc/relationship/relationship--e9f86b70-5b39-4c87-ba9c-a6753c8f03d0.json
deleted file mode 100644
index 64b56e03..00000000
--- a/mbc/relationship/relationship--e9f86b70-5b39-4c87-ba9c-a6753c8f03d0.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--9100f064-c31c-45a1-aff2-5c2669a21d22",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--e9f86b70-5b39-4c87-ba9c-a6753c8f03d0",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.608257Z",
- "modified": "2020-08-21T20:50:04.608257Z",
- "relationship_type": "uses",
- "description": "SamSam is ransomware.",
- "source_ref": "malware--a456fdcd-68f2-46fb-adb0-97c6817338c9",
- "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--ea58d3c1-8cd8-406c-9816-fc9fca3b9657.json b/mbc/relationship/relationship--ea58d3c1-8cd8-406c-9816-fc9fca3b9657.json
deleted file mode 100644
index 07b3fd6a..00000000
--- a/mbc/relationship/relationship--ea58d3c1-8cd8-406c-9816-fc9fca3b9657.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--91cebd74-47ae-42b5-9139-94570f4a8d42",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--ea58d3c1-8cd8-406c-9816-fc9fca3b9657",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.602253Z",
- "modified": "2020-08-21T20:50:04.602253Z",
- "relationship_type": "uses",
- "description": "Stores malware files in the Registry instead of the hard drive.",
- "source_ref": "malware--fa095747-0ca8-4965-a222-cf1fe7647e12",
- "target_ref": "attack-pattern--7d349643-5ab8-4dc6-934f-bf16d0b0ea29",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--eaa586d2-6279-4254-9a97-260e41a91a94.json b/mbc/relationship/relationship--eaa586d2-6279-4254-9a97-260e41a91a94.json
deleted file mode 100644
index 68f3ae8e..00000000
--- a/mbc/relationship/relationship--eaa586d2-6279-4254-9a97-260e41a91a94.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--67ed8ffe-6a58-445f-aec9-cb87867256ce",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--eaa586d2-6279-4254-9a97-260e41a91a94",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.945699Z",
- "modified": "2022-02-04T23:52:40.945699Z",
- "relationship_type": "subtechnique-of",
- "source_ref": "attack-pattern--8a7350ca-f1f6-42db-9fbf-aa110d02e338",
- "target_ref": "attack-pattern--d141c588-8a3c-4cd8-8421-86b2625c9263",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--ecceb8ef-d79b-4d04-8bc8-4c2e6d596891.json b/mbc/relationship/relationship--ecceb8ef-d79b-4d04-8bc8-4c2e6d596891.json
deleted file mode 100644
index 77daee70..00000000
--- a/mbc/relationship/relationship--ecceb8ef-d79b-4d04-8bc8-4c2e6d596891.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--6d2fd1e1-1792-4160-8a1f-abf976b1472c",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--ecceb8ef-d79b-4d04-8bc8-4c2e6d596891",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2021-02-10T06:49:35.180442Z",
- "modified": "2021-02-10T06:49:35.180442Z",
- "relationship_type": "uses",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--e2558f71-7409-4203-bd5b-8a331f29327a",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--bbf88cc5-ef00-4af1-9bd2-e174454bff2e.json b/mbc/relationship/relationship--ece9840d-26ec-4e09-94b7-41f3f523e84a.json
similarity index 59%
rename from mbc/relationship/relationship--bbf88cc5-ef00-4af1-9bd2-e174454bff2e.json
rename to mbc/relationship/relationship--ece9840d-26ec-4e09-94b7-41f3f523e84a.json
index 24aff5f0..0a44c46a 100644
--- a/mbc/relationship/relationship--bbf88cc5-ef00-4af1-9bd2-e174454bff2e.json
+++ b/mbc/relationship/relationship--ece9840d-26ec-4e09-94b7-41f3f523e84a.json
@@ -1,17 +1,17 @@
 {
 "type": "bundle",
- "id": "bundle--b87317e6-6c3c-446b-87c7-5ddf68eadb51",
+ "id": "bundle--85eaef9a-8386-47b7-a74b-7e6737f7d379",
 "objects": [
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--bbf88cc5-ef00-4af1-9bd2-e174454bff2e",
+ "id": "relationship--ece9840d-26ec-4e09-94b7-41f3f523e84a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.962929Z",
- "modified": "2022-02-04T23:52:40.962929Z",
+ "created": "2022-09-08T18:26:19.144126Z",
+ "modified": "2022-09-08T18:26:19.144126Z",
 "relationship_type": "subtechnique-of",
 "source_ref": "attack-pattern--ec7f9541-06af-4db7-a9c2-183b513f144a",
- "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504",
+ "target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ]
diff --git a/mbc/relationship/relationship--8569d3d1-2f9f-44ac-afcc-768271d8a890.json b/mbc/relationship/relationship--ed91cc79-a8c4-4b1a-88cd-eaccec835932.json
similarity index 59%
rename from mbc/relationship/relationship--8569d3d1-2f9f-44ac-afcc-768271d8a890.json
rename to mbc/relationship/relationship--ed91cc79-a8c4-4b1a-88cd-eaccec835932.json
index e315acc0..d004b6d2 100644
--- a/mbc/relationship/relationship--8569d3d1-2f9f-44ac-afcc-768271d8a890.json
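Review bot: The rename assigns the relationship a new `id` and resets `created`, so in STIX 2.1 terms this is a brand-new object and `relationship--bbf88cc5-ef00-4af1-9bd2-e174454bff2e` simply disappears from the collection rather than being superseded; the ed91cc79 rename that follows does the same. A consumer that already ingested the v2.2 bundle keeps the stale edge to `attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504` with nothing telling it the edge was withdrawn. If the re-pointed `target_ref` is the only substantive change, keeping the original `id` and `created` and bumping just `modified` would publish it as a new version of the same object; if a fresh id is intended, leaving the old object in place with `"revoked": true` gives consumers the signal. Which of the two fits depends on the project's object-versioning policy, which this chunk does not show.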
+++ b/mbc/relationship/relationship--ed91cc79-a8c4-4b1a-88cd-eaccec835932.json
@@ -1,17 +1,17 @@
 {
 "type": "bundle",
- "id": "bundle--72684b8c-1fa3-4d41-867a-6ef0f2bd04e9",
+ "id": "bundle--bdf5bcdf-9c33-4da7-9221-7982aa6cee70",
 "objects": [
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--8569d3d1-2f9f-44ac-afcc-768271d8a890",
+ "id": "relationship--ed91cc79-a8c4-4b1a-88cd-eaccec835932",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2022-02-04T23:52:40.962929Z",
- "modified": "2022-02-04T23:52:40.962929Z",
+ "created": "2022-09-08T18:26:19.144484Z",
+ "modified": "2022-09-08T18:26:19.144484Z",
 "relationship_type": "subtechnique-of",
 "source_ref": "attack-pattern--8226e7fa-8e78-497b-9967-32e5d1395e12",
- "target_ref": "attack-pattern--f06491eb-ea99-46cd-81fe-ee55fc12d504",
+ "target_ref": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e",
 "object_marking_refs": [
 "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
 ]
diff --git a/mbc/relationship/relationship--ef5f7499-451a-49fe-b39d-c624f250d50a.json b/mbc/relationship/relationship--ef5f7499-451a-49fe-b39d-c624f250d50a.json
deleted file mode 100644
index b9a49470..00000000
--- a/mbc/relationship/relationship--ef5f7499-451a-49fe-b39d-c624f250d50a.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--c96f5a3f-5e58-4121-8b26-39987d68a7b7",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--ef5f7499-451a-49fe-b39d-c624f250d50a",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.609253Z",
- "modified": "2020-08-21T20:50:04.609253Z",
- "relationship_type": "uses",
- "description": "The Terminator rat evades a sandbox by not executing until after a reboot. Most sandboxes don't reboot during an analysis.",
- "source_ref": "malware--bb2ac91f-90ad-4ed5-95ef-a899346ba4ce",
- "target_ref": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--f0cd9f17-b82b-48f4-883d-983432608abd.json b/mbc/relationship/relationship--f0cd9f17-b82b-48f4-883d-983432608abd.json
deleted file mode 100644
index 48bb1c14..00000000
--- a/mbc/relationship/relationship--f0cd9f17-b82b-48f4-883d-983432608abd.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--64a8265a-604c-4100-8c3a-9dc3b5d5122e",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--f0cd9f17-b82b-48f4-883d-983432608abd",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.611257Z",
- "modified": "2020-08-21T20:50:04.611257Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--4294b63a-0b68-473a-8e57-bd5da8d90bf6",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--f84e13d4-ae67-4f1c-96fa-56a340d01b42.json b/mbc/relationship/relationship--f84e13d4-ae67-4f1c-96fa-56a340d01b42.json
deleted file mode 100644
index f2c703d8..00000000
--- a/mbc/relationship/relationship--f84e13d4-ae67-4f1c-96fa-56a340d01b42.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--a84c79ab-9857-4a16-8e0d-e72bb1d85456",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--f84e13d4-ae67-4f1c-96fa-56a340d01b42",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.611257Z",
- "modified": "2020-08-21T20:50:04.611257Z",
- "relationship_type": "uses",
- "source_ref": "malware--2d46d2ec-cab4-4c6d-b5a6-d2e89341e12e",
- "target_ref": "attack-pattern--87adc62c-05e8-4594-94f6-d6e034597859",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--f99239c7-9c45-4ca4-9c38-f4630792dcf2.json b/mbc/relationship/relationship--f99239c7-9c45-4ca4-9c38-f4630792dcf2.json
deleted file mode 100644
index d67eab28..00000000
--- a/mbc/relationship/relationship--f99239c7-9c45-4ca4-9c38-f4630792dcf2.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--19932d35-1088-4a71-8de4-e66e2ff26eb0",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--f99239c7-9c45-4ca4-9c38-f4630792dcf2",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.600252Z",
- "modified": "2020-08-21T20:50:04.600252Z",
- "relationship_type": "uses",
- "description": "Primary behavior is encrypting data.",
- "source_ref": "malware--549d1c35-f214-4760-ab97-2142c66cf111",
- "target_ref": "attack-pattern--33ac3946-4bd9-4904-b02e-45e2d17dbfdd",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--fa38bbbd-0d90-4772-a08e-17efcff22b56.json b/mbc/relationship/relationship--fa38bbbd-0d90-4772-a08e-17efcff22b56.json
deleted file mode 100644
index 3434583e..00000000
--- a/mbc/relationship/relationship--fa38bbbd-0d90-4772-a08e-17efcff22b56.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--db740642-d20c-4b0a-bff3-e5d37c516adf",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--fa38bbbd-0d90-4772-a08e-17efcff22b56",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.607256Z",
- "modified": "2020-08-21T20:50:04.607256Z",
- "relationship_type": "uses",
- "description": "Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFICE.",
- "source_ref": "malware--b0625dd2-cc91-4936-9e12-289960aa0b41",
- "target_ref": "attack-pattern--8f139c3f-7cc6-4d7f-a05e-7139a156fdeb",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--fb09f83d-1a82-4501-9db6-bad58433707c.json b/mbc/relationship/relationship--fb09f83d-1a82-4501-9db6-bad58433707c.json
deleted file mode 100644
index 97ec2e41..00000000
--- a/mbc/relationship/relationship--fb09f83d-1a82-4501-9db6-bad58433707c.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--69e3eca6-ba96-492c-981c-3c563e58848f",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--fb09f83d-1a82-4501-9db6-bad58433707c",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.613258Z",
- "modified": "2020-08-21T20:50:04.613258Z",
- "relationship_type": "uses",
- "description": "Downloads and executes Claymore's Zcash miner from a remote server.",
- "source_ref": "malware--8297b846-885e-4751-9e2b-d777ae7d21e3",
- "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--fca68d5f-25cb-4d48-a88b-ac71774471f8.json b/mbc/relationship/relationship--fca68d5f-25cb-4d48-a88b-ac71774471f8.json
new file mode 100644
index 00000000..8dd2aef0
--- /dev/null
+++ b/mbc/relationship/relationship--fca68d5f-25cb-4d48-a88b-ac71774471f8.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--f8c09224-ac77-4dbb-9c71-5fbc9568d762",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--fca68d5f-25cb-4d48-a88b-ac71774471f8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2022-09-08T18:26:19.048454Z",
+ "modified": "2022-09-08T18:26:19.048454Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--0c59fe14-659a-4248-b205-7fc3371af6c7",
+ "target_ref": "attack-pattern--7533526d-569f-460b-9e00-5ef2d6eff9e2",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mbc/relationship/relationship--fef23c74-9626-4912-bb2a-d0f1f563aab6.json b/mbc/relationship/relationship--fef23c74-9626-4912-bb2a-d0f1f563aab6.json
deleted file mode 100644
index dff421a1..00000000
--- a/mbc/relationship/relationship--fef23c74-9626-4912-bb2a-d0f1f563aab6.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--fc58e649-9739-4521-aae5-7c56c95a0a5e",
- "objects": [
- {
- "type": "relationship",
- "spec_version": "2.1",
- "id": "relationship--fef23c74-9626-4912-bb2a-d0f1f563aab6",
- "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-08-21T20:50:04.601289Z",
- "modified": "2020-08-21T20:50:04.601289Z",
- "relationship_type": "uses",
- "description": "GotBotKR reinstalls its running instance if it is removed.",
- "source_ref": "malware--dd874fc3-691c-4825-95cc-bbe52e5406f5",
- "target_ref": "attack-pattern--cbc563fa-1d9f-4e91-9803-4d5c2b9a7eae",
- "object_marking_refs": [
- "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/mbc/x-mitre-matrix/x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6.json b/mbc/x-mitre-matrix/x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6.json
index 170fd322..bd0bac4f 100644
--- a/mbc/x-mitre-matrix/x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6.json
+++ b/mbc/x-mitre-matrix/x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6.json
@@ -12,27 +12,27 @@
 "name": "MBC",
 "description": "The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting.",
 "tactic_refs": [
- "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e",
+ "x-mitre-tactic--da7738af-46f6-4bc6-bfa2-91a466439391",
 "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153",
+ "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa",
+ "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3",
 "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343",
+ "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828",
 "x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589",
- "x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898",
- "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2",
- "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa",
 "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b",
- "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a",
+ "x-mitre-tactic--6771a9e9-03e2-45df-bc92-2ce9249123bc",
 "x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6",
- "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828",
- "x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88",
- "x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d",
+ "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a",
+ "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e",
 "x-mitre-tactic--408ef4fa-de24-489a-ac9e-1f51af84bf5d",
- "x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0",
- "x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3",
 "x-mitre-tactic--e4edf677-0ea0-474a-a14d-da3ea660d69f",
- "x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59",
+ "x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3",
+ "x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0",
 "x-mitre-tactic--dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e",
- "x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906",
- "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3"
+ "x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88",
+ "x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d",
+ "x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59",
+ "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2"
 ],
 "external_references": [
 {
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0.json b/mbc/x-mitre-tactic/x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0.json
index ce8d0e89..0c64efab 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--0735bfd3-bffa-4476-9e3b-e33cc5c553e0.json
@@ -14,7 +14,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/README.md",
 "external_id": "OC0001"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828.json b/mbc/x-mitre-tactic/x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828.json
index 7fb6eb93..a4c13c35 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.056Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.159756Z",
 "name": "Lateral Movement",
- "description": "Behaviors that enable propagation through a compromised system or infected files. The malware may move actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email).",
+ "description": "Behaviors that enable malware to propagate or otherwise move through an environment. Lateral movement may be active, happening via direct machine access, or may be passive (for example, done via malicious email).",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/lateral-movement/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/lateral-movement/README.md",
 "external_id": "OB0011"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153.json b/mbc/x-mitre-tactic/x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153.json
index 86dd6282..73814185 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.060Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.157655Z",
 "name": "Anti-Static Analysis",
- "description": "Behaviors and code characteristics that prevent static analysis or make it more difficult. Simple static analysis identifies features such as embedded strings, header information, hash values, and file metadata (e.g., creation date). More involved static analysis involves the disassembly of the binary code.",
+ "description": "Behaviors and code characteristics that prevent or hinder static analysis of the malware. Simple static analysis identifies features such as embedded strings, header information, or file metadata. More involved static analysis involves the disassembly of the binary code.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/README.md",
 "external_id": "OB0002"
 },
 {
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88.json b/mbc/x-mitre-tactic/x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88.json
index 8e041412..676c47ba 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--30f8323e-ca97-4067-bb76-b14edff2fa88.json
@@ -14,7 +14,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/README.md",
 "external_id": "OC0006"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6.json b/mbc/x-mitre-tactic/x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6.json
index c9cbc8b8..e4b47a69 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.076Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.161554Z",
 "name": "Impact",
- "description": "Behaviors that enable malware to achieve its mission of manipulating, interrupting, or destroying systems and/or data.",
+ "description": "Behaviors that enable malware to manipulate, interrupt, or destroy systems and data.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/impact/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/impact/README.md",
 "external_id": "OB0008"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--408ef4fa-de24-489a-ac9e-1f51af84bf5d.json b/mbc/x-mitre-tactic/x-mitre-tactic--408ef4fa-de24-489a-ac9e-1f51af84bf5d.json
index 28403e76..fc1fe7cb 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--408ef4fa-de24-489a-ac9e-1f51af84bf5d.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--408ef4fa-de24-489a-ac9e-1f51af84bf5d.json
@@ -14,7 +14,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/data/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/README.md",
 "external_id": "OC0004"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3.json b/mbc/x-mitre-tactic/x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3.json
index 01c1d92b..2551c271 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--578d34bc-28b7-4467-afe1-a969e00797d3.json
@@ -14,7 +14,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/hardware/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/hardware/README.md",
 "external_id": "OC0007"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589.json b/mbc/x-mitre-tactic/x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589.json
index 25a06e69..477bad7d 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589.json
@@ -8,14 +8,18 @@
 "id": "x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.064Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.16016Z",
 "name": "Command and Control",
- "description": "Behaviors malware may use to communicate with systems under its control within a target network. There are many ways malware can establish command and control with various levels of covertness, depending on system configuration and network topology. Behaviors may relate to C2 servers or a bot that is part of a botnet. As \"server\" and \"client\" are confusing terminology in this context, we use the terms **controller** and **implant**. The controller is the software running on adversary-controlled infrastructure and used to send commands to the implant. The implant is the software running on victim-controlled infrastructure that receives commands from the adversary, executes those commands on the victim, and optionally sends the results back to the adversary.",
+ "description": "Behaviors that enable malware to communicate with systems such as C2 servers or bots. Malware can establish command and control with various levels of covertness, depending on system configuration and network topology.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/README.md",
 "external_id": "OB0004"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/"
 }
 ],
 "object_marking_refs": [
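Review bot: The added `external_source` entry carries only a `url`, so a reader of the Command and Control tactic cannot tell which statement in the shortened description this vendor blog post is meant to support; the `mitre-mbc` entries on this page pair `source_name` with an `external_id`, which makes them self-explanatory. A one-line `"description"` on the new entry stating what the post illustrates would make the citation usable, and a `source_name` more specific than the generic `external_source` would presumably help when references are merged across objects. Note also that the new description drops the controller/implant terminology the old text defined; if other MBC objects still use those terms, their definition now lives nowhere in this bundle.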
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906.json b/mbc/x-mitre-tactic/x-mitre-tactic--6771a9e9-03e2-45df-bc92-2ce9249123bc.json
similarity index 58%
rename from mbc/x-mitre-tactic/x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906.json
rename to mbc/x-mitre-tactic/x-mitre-tactic--6771a9e9-03e2-45df-bc92-2ce9249123bc.json
index 09591ad3..3e0dea51 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--6771a9e9-03e2-45df-bc92-2ce9249123bc.json
@@ -1,21 +1,21 @@
 {
 "type": "bundle",
- "id": "bundle--6dfd1efa-319a-4f25-9c73-602f935fbc14",
+ "id": "bundle--bce3768a-dd3a-436e-8f71-33f45194abb0",
 "objects": [
 {
 "type": "x-mitre-tactic",
 "spec_version": "2.1",
- "id": "x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906",
+ "id": "x-mitre-tactic--6771a9e9-03e2-45df-bc92-2ce9249123bc",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-02-05T20:28:15.067Z",
- "modified": "2022-02-05T00:37:22.397978Z",
+ "created": "2022-09-08T18:26:13.16108Z",
+ "modified": "2022-09-08T18:26:13.16108Z",
 "name": "Persistence",
- "description": "Malware aims to remain on a system regardless of system events.",
+ "description": "Behaviors that enable malware to remain on a system regardless of system events, such as reboots.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/README.md",
- "external_id": "OB0012"
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/README.md",
+ "external_id": "OB00012"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343.json b/mbc/x-mitre-tactic/x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343.json
index 15dfc0b3..b29634b2 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343.json
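Review bot: The new `external_id` value `"OB00012"` has five digits where every other tactic on this page uses four (`OB0011`, `OB0013`) and the removed line had `OB0012`, so this reads as a typo; the line should be `"external_id": "OB0012"`. Separately, the rename gives Persistence a brand-new STIX `id` and resets `created` to the same instant as `modified`, so any consumer that keyed on `x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906` or that tracks object history will see a new object rather than a revision, and the matrix `tactic_refs` list earlier in this commit must point at the new id or the tactic silently disappears from the matrix. If retiring the old identifier is intended for v2.3 it deserves a sentence in the commit description; otherwise keeping the original `id` and `created` and bumping only `modified` is the STIX-conventional update. The Credential Access rename later on this page has the same id/created reset.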
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.058Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.159242Z",
 "name": "Collection",
- "description": "Behaviors that identify and gather information, such as sensitive files, from a target network prior to exfiltration. This objective includes locations on a system or network where the malware may look for information to exfiltrate.",
+ "description": "Behaviors that enable malware to identify and gather information, such as sensitive files, from a machine or network. Sources often targeted include drives, browsers, audio/video, and email. Often the malware's next objective is to exfiltrate the information gathered.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/collection/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/collection/README.md",
 "external_id": "OB0003"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59.json b/mbc/x-mitre-tactic/x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59.json
index 74be5c9c..180c306e 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--7f07ea86-c44a-4f1f-86d0-3d904c7ddb59.json
@@ -14,7 +14,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/operating-system/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/operating-system/README.md",
 "external_id": "OC0008"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a.json b/mbc/x-mitre-tactic/x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a.json
index d1cedddb..f4dea7a8 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.068Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.162044Z",
 "name": "Exfiltration",
- "description": "Behaviors that steal data from the system on which it executes. This includes stored data (e.g., files) as well as data input into applications (e.g., web browser).",
+ "description": "Behaviors that enable malware to steal data from a system. This includes stored data, such as files, as well as data input into applications, such as web browsers.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/exfiltration/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/exfiltration/README.md",
 "external_id": "OB0010"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2.json b/mbc/x-mitre-tactic/x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2.json
index 18b81140..68ab5cd9 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.071Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.1667Z",
 "name": "Defense Evasion",
- "description": "Behaviors that evade detection or avoid other defenses.",
+ "description": "Behaviors that enable malware to evade detection.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/README.md",
 "external_id": "OB0006"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa.json b/mbc/x-mitre-tactic/x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa.json
index b0325cd0..4cc52705 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.062Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.158338Z",
 "name": "Discovery",
- "description": "Behaviors that aim to gain knowledge about the system and internal network.",
+ "description": "Behaviors that enable malware to gain knowledge about the system and network.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/README.md",
 "external_id": "OB0007"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3.json b/mbc/x-mitre-tactic/x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3.json
index f212a5a3..29689258 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.072Z",
- "modified": "2022-02-05T00:37:22.397978Z",
+ "modified": "2022-09-08T18:26:13.158803Z",
 "name": "Privilege Escalation",
- "description": "Behaviors that aim to obtain a higher level of permission.",
+ "description": "Behaviors that enable malware to obtain higher level permissions. These behaviors often overlap with Persistence behaviors.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/privilege-escalation/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/privilege-escalation/README.md",
 "external_id": "OB0013"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898.json b/mbc/x-mitre-tactic/x-mitre-tactic--da7738af-46f6-4bc6-bfa2-91a466439391.json
similarity index 65%
rename from mbc/x-mitre-tactic/x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898.json
rename to mbc/x-mitre-tactic/x-mitre-tactic--da7738af-46f6-4bc6-bfa2-91a466439391.json
index 9f81eeda..586730ee 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--da7738af-46f6-4bc6-bfa2-91a466439391.json
@@ -1,21 +1,21 @@
 {
 "type": "bundle",
- "id": "bundle--479d1d7a-5643-4c19-b86d-3f71fb601aa0",
+ "id": "bundle--d11ced16-34e7-4452-b1cd-5cf9c43af530",
 "objects": [
 {
 "type": "x-mitre-tactic",
 "spec_version": "2.1",
- "id": "x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898",
+ "id": "x-mitre-tactic--da7738af-46f6-4bc6-bfa2-91a466439391",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
- "created": "2020-02-05T20:28:15.074Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "created": "2022-09-08T18:26:13.156705Z",
+ "modified": "2022-09-08T18:26:13.156705Z",
 "name": "Credential Access",
- "description": "Behaviors to obtain credential access, allowing it or its underlying threat actor to assume control of an account, with the associated system and network permissions.",
+ "description": "Behaviors to obtain credential access, allowing it or its underlying threat actor to assume control of an account with the associated system and network permissions.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/credential-access/README.md",
- "external_id": "OB0005"
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/credential-access/README.md",
+ "external_id": "OB0006"
 }
 ],
 "object_marking_refs": [
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d.json b/mbc/x-mitre-tactic/x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d.json
index 8079e444..8ec0a6ef 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--db22e244-4c56-4a42-9e3a-6285bde88a5d.json
@@ -14,7 +14,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/README.md",
 "external_id": "OC0005"
 }
 ],
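Review bot: The new `external_id` `"OB0006"` for Credential Access collides with Defense Evasion, whose hunk on this page keeps `"external_id": "OB0006"`, so two tactics now carry the same MBC objective identifier and any lookup or cross-reference keyed on `external_id` becomes ambiguous. The removed line had `OB0005`, which no other tactic on this page uses; unless MBC v2.3 genuinely renumbered this objective, the line should stay `"external_id": "OB0005"`. Either way, a uniqueness check over `external_id` values in the build or CI step that generates these bundles would have caught this and the five-digit id in the Persistence hunk before they landed.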
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e.json b/mbc/x-mitre-tactic/x-mitre-tactic--dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e.json
index 32baade8..ed5791a8 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--dd9a101e-8fea-4b2e-afd0-4c0c3f0f864e.json
@@ -14,7 +14,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/process/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/process/README.md",
 "external_id": "OC0003"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--e4edf677-0ea0-474a-a14d-da3ea660d69f.json b/mbc/x-mitre-tactic/x-mitre-tactic--e4edf677-0ea0-474a-a14d-da3ea660d69f.json
index 6e54cda1..2ad11682 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--e4edf677-0ea0-474a-a14d-da3ea660d69f.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--e4edf677-0ea0-474a-a14d-da3ea660d69f.json
@@ -14,7 +14,7 @@
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/memory/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/memory/README.md",
 "external_id": "OC0002"
 }
 ],
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e.json b/mbc/x-mitre-tactic/x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e.json
index 6900d750..18bb8c25 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.061Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.162561Z",
 "name": "Anti-Behavioral Analysis",
- "description": "Behaviors that prevent, obstruct, or evade behavioral analysis (sandbox, debugger, etc). Because the underlying methods differ, separate \"detection\" and \"evasion\" behaviors are defined for some anti-behavioral analysis areas (e.g., anti-debugger).",
+ "description": "Behaviors that prevent, obstruct, or evade behavioral analysis of malware--for example, analysis done using a sandbox or debugger. Because the underlying methods differ, separate \"detection\" and \"evasion\" behaviors are defined for some anti-behavioral analysis areas.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/README.md",
 "external_id": "OB0001"
 },
 {
diff --git a/mbc/x-mitre-tactic/x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json b/mbc/x-mitre-tactic/x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json
index 0e9912e5..0bcb857e 100644
--- a/mbc/x-mitre-tactic/x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json
+++ b/mbc/x-mitre-tactic/x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json
@@ -8,13 +8,13 @@
 "id": "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b",
 "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
 "created": "2020-02-05T20:28:15.065Z",
- "modified": "2022-02-05T00:37:22.382348Z",
+ "modified": "2022-09-08T18:26:13.160607Z",
 "name": "Execution",
- "description": "Behaviors that execute code on a system to achieve a variety of goals.",
+ "description": "Behaviors that enable malware to execute code on a system to achieve a variety of goals.",
 "external_references": [
 {
 "source_name": "mitre-mbc",
- "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/execution/README.md",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/README.md",
 "external_id": "OB0009"
 }
 ],