Merge pull request #14 from ryantxu1/master
01-2022 update
dzbeck authored Jan 30, 2023
2 parents 84e3cf8 + f1bd326 commit 8b59260
Showing 457 changed files with 13,071 additions and 1,183 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"id": "attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2022-09-08T18:26:13.423869Z",
"modified": "2022-09-08T18:26:13.423869Z",
"modified": "2023-01-30T20:16:28.423135Z",
"name": "Install Insecure or Malicious Configuration",
"description": "Malware may install malicious configuration settings or may modify existing configuration settings. For example, malware may change configuration settings associated with security mechanisms to make it difficult to detect or change configuration settings to maintain a foothold on the network.",
"kill_chain_phases": [
Expand All @@ -30,6 +30,10 @@
{
"source_name": "external_source",
"url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
},
{
"source_name": "external_source",
"url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
}
],
"object_marking_refs": [
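Review bot: The reference appended in the second hunk points at `http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/` over plain HTTP, while every other external_source URL touched in this commit is https; tooling that follows catalog references should not be handed a cleartext link. Suggest `"url": "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"`. The researchcenter host appears to have been superseded by unit42.paloaltonetworks.com, so if the page no longer resolves, a web.archive.org copy would be more durable, as the Sandbox Detection file in this same commit already does for the Cyphort link. The enclosing external_references array starts outside the hunk.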
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@
"id": "attack-pattern--098a700a-4cc0-4d0a-8bc5-42e7181eff1e",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2022-09-08T18:26:13.427132Z",
"modified": "2022-12-07T14:16:51.520041Z",
"modified": "2023-01-30T20:16:28.42561Z",
"name": "Hide Artifacts",
"description": "Malware may hide artifacts to evade detection and/or to persist on the system. See potential methods related to malware below.",
"description": "Malware may hide artifacts to evade detection and/or to persist on the system. See potential methods related to malware below. \n\nSee ATT&CK: **Hide Artifacts ([T1564](https://attack.mitre.org/techniques/T1564/), [T1628](https://attack.mitre.org/techniques/T1628/))**.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
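Review bot: The new description carries a stray space before the paragraph break, `below. \n\nSee ATT&CK`, which the Input Capture, Send Email and Sandbox Detection descriptions in this commit do not have; the Hidden Files and Directories file has the same `below. \n\n`. Suggest `"...See potential methods related to malware below.\n\nSee ATT&CK: **Hide Artifacts (...)**."` in both places. Separately, the `modified` value `2023-01-30T20:16:28.42561Z` has five fractional digits where most files in this commit write six (and `28.4179Z`, `28.36139Z` appear elsewhere); STIX 2.1 accepts either, but a generator that trims trailing zeros makes the field awkward to compare byte-wise across files, so fixed microsecond precision would be more consistent if the tooling allows it.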
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"id": "attack-pattern--09aa0bf7-bdec-4642-ad23-c8f1c9b01297",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2020-08-21T20:49:59.775261Z",
"modified": "2022-02-05T00:37:22.71051Z",
"modified": "2023-01-30T20:16:28.295091Z",
"name": "Destroy Hardware",
"description": "Destroys a physical piece of hardware. For example, malware may cause hardware to overheat.",
"kill_chain_phases": [
Expand All @@ -26,6 +26,10 @@
{
"source_name": "external_source",
"url": "https://www.bbc.com/timelines/zc6fbk7"
},
{
"source_name": "external_source",
"url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"id": "attack-pattern--1506d910-1208-4064-a633-8291f6d36e74",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2020-08-21T20:49:59.554264Z",
"modified": "2022-09-08T18:26:13.190681Z",
"modified": "2023-01-30T20:16:28.235135Z",
"name": "API Hashing",
"description": "Instead of storing function names in the Import Address Table (IAT) and calling GetProcAddress, a DLL is loaded and the name of each of its exports is hashed until it matches a specific hash. Manual symbol resolution is then used to access and execute the exported function. This method is often used by shellcode because it reduces the size of each import from a human-readable string to a sequence of four bytes. The Method is also known as \"Imports by Hash\" and \"GET_APIS_WITH_CRC.\"",
"kill_chain_phases": [
Expand All @@ -25,7 +25,7 @@
},
{
"source_name": "external_source",
"url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html"
"url": "https://blogs.cisco.com/security/talos/rombertik"
}
],
"object_marking_refs": [
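Review bot: The second hunk (`-25,7 +25,7`) swaps the SEI/CERT `api-hashing-tool-imagine-that` reference for the Talos Rombertik write-up instead of appending it, so the behavior appears to lose its only reference that describes API hashing as a technique (the Rombertik post is a single-sample analysis). If the intent was to add a sample citation, keep both entries; if the SEI link is dead, an archived copy would preserve the citation, as the Sandbox Detection file in this commit does with web.archive.org. The enclosing external_references array starts outside the hunk.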
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@
"id": "attack-pattern--1d1b8b46-c3d7-49e5-8856-367b48272f5e",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2020-08-21T20:49:59.594264Z",
"modified": "2022-12-07T14:16:51.305743Z",
"modified": "2023-01-30T20:16:28.260378Z",
"name": "Input Capture",
"description": "Malware captures user input.",
"description": "Malware captures user input.\n\nSee ATT&CK: **Input Capture ([T1056](https://attack.mitre.org/techniques/T1056), [T1417](https://attack.mitre.org/techniques/T1417/))**.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
Expand All @@ -37,15 +37,15 @@
},
{
"source_name": "external_source",
"url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
"url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking"
},
{
"source_name": "external_source",
"url": "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy"
},
{
"source_name": "external_source",
"url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking"
"url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf"
},
{
"source_name": "mitre-attack",
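Review bot: In the new description the T1056 link is written `https://attack.mitre.org/techniques/T1056` while T1417 beside it and every other ATT&CK link in this commit end in `/`; the site may redirect, but one form avoids a redirect hop and keeps link checking simple. Suggest `[T1056](https://attack.mitre.org/techniques/T1056/)`. In the second hunk the Malwarebytes DarkComet reference is dropped while the ClipMiner entry moves and the Mandiant Poison Ivy PDF is added; the equal line counts (`-37,15 +37,15`) make this read as a replacement, so if the drop was not intended, keep the DarkComet entry alongside the new one.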
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@
"id": "attack-pattern--2010a1d6-4a0a-4a07-ae97-2fbad0f81439",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2020-08-21T20:49:59.609265Z",
"modified": "2022-12-07T14:16:51.317544Z",
"modified": "2023-01-30T20:16:28.269429Z",
"name": "C2 Communication",
"description": "All command and control malware use implant/controller communication. The methods listed below can be used to capture explicit communication details. Remote file copy behavior is captured separately, as is done in ATT&CK - see **Ingress Tool Transfer ([E1105](https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/ingress-tool-transfer.md))**.",
"description": "All command and control malware use implant/controller communication. The methods listed below can be used to capture explicit communication details. Remote file copy behavior is captured separately, as is done in ATT&CK - see **Ingress Tool Transfer ([E1105](https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/ingress-tool-transfer.md))**.\n\nCommand and Control Communication relates to *autonomous* communications, not explicit, on-demand commands that malware provides to an adversary (such commands should be captured with [Remote Commands](https://github.com/MBCProject/mbc-markdown/blob/v2.3/execution/remote-commands.md) under the Execution objective).\n\nAs \"server\" and \"client\" are confusing terminology, we use the terms \"controller\" and \"implant\". The controller is the software running on adversary-controlled infrastructure and used to send commands to the implant. The implant is the software running on victim-controlled infrastructure that receives commands from the adversary, executes those commands on the victim, and optionally sends the results back to the adversary.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
Expand Down Expand Up @@ -66,6 +66,26 @@
{
"source_name": "external_source",
"url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking"
},
{
"source_name": "external_source",
"url": "https://www.secureworks.com/research/cryptolocker-ransomware"
},
{
"source_name": "external_source",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/"
},
{
"source_name": "external_source",
"url": "https://blogs.cisco.com/security/talos/rombertik"
},
{
"source_name": "external_source",
"url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/"
},
{
"source_name": "external_source",
"url": "https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/"
}
],
"object_marking_refs": [
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@
"id": "attack-pattern--24ed02f2-afad-49c8-a3c4-8ab1c418443e",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2020-08-21T20:49:59.743261Z",
"modified": "2022-12-07T14:16:51.321419Z",
"modified": "2023-01-30T20:16:28.274383Z",
"name": "Send Email",
"description": "Sends an email message from the system on which the malware is executing to one or more recipients, mostly commonly for the purpose of spamming or for distributing a malicious attachment or URL (malspamming).",
"description": "Sends an email message from the system on which the malware is executing to one or more recipients, mostly commonly for the purpose of spamming or for distributing a malicious attachment or URL (malspamming).\n\nThis behavior is related to the **Phishing ([T1566](https://attack.mitre.org/techniques/T1566/))** ATT&CK technique defined under ATT&CK's Initial Access tactic.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
Expand Down Expand Up @@ -39,6 +39,10 @@
"source_name": "external_source",
"url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/"
},
{
"source_name": "external_source",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1566/",
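Review bot: The rewritten description still reads `mostly commonly for the purpose of spamming`; since the line is being touched anyway, correct it to `most commonly for the purpose of spamming`. The appended Phishing/T1566 sentence is fine and matches the ATT&CK cross-reference style used in the other descriptions of this commit.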
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,8 @@
"id": "attack-pattern--25dbb3ef-6301-4f8c-a8d2-a03b5c23dafd",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2021-02-10T06:49:32.016478Z",
"modified": "2022-09-08T18:26:13.348991Z",
"modified": "2023-01-30T20:16:28.36139Z",
"name": "Get File Attributes",
"description": "Malware gets the attributes of a file.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,8 @@
"id": "attack-pattern--26a24fc4-3488-408f-ae36-9e5e881f4b9e",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2021-02-10T06:49:32.038481Z",
"modified": "2022-02-05T00:37:22.819853Z",
"modified": "2023-01-30T20:16:28.367298Z",
"name": "Suspend Thread",
"description": "Malware may suspend a thread.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
{
"type": "bundle",
"id": "bundle--bfa24d07-57ab-4755-b30b-2e35ac196328",
"id": "bundle--92575a35-c396-4c9f-9a8c-000a05d650cc",
"objects": [
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5",
"id": "attack-pattern--2745d64c-8dd7-4d50-8159-d57652bc8ef8",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2021-02-10T06:49:32.000444Z",
"modified": "2022-12-07T14:16:51.428174Z",
"name": "Verhoeff",
"description": "Malware uses the Verhoeff algorithm, often for purposes of error detection.",
"created": "2023-01-30T20:16:28.354712Z",
"modified": "2023-01-30T20:16:28.354712Z",
"name": "djb2",
"description": "Malware uses the djb2 hash function.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
Expand All @@ -20,8 +20,8 @@
"external_references": [
{
"source_name": "mitre-mbc",
"url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/checksum.md",
"external_id": "C0032.004"
"url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/data/noncryptographic-hash.md",
"external_id": "C0030.006"
}
],
"object_marking_refs": [
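Review bot: This file swaps one STIX object for another in place: the bundle id, the attack-pattern id, `created`, `name` and the external_id (C0032.004 → C0030.006) all change, so the Verhoeff behavior `attack-pattern--3bb917e7-25d9-42de-8b23-d040a51c08e5` disappears from this file without a `"revoked": true` marker. STIX 2.1 treats the id as stable and expects a retired object to be republished with `revoked` set rather than vanish, otherwise consumers that cached the Verhoeff id keep a dangling reference. If Verhoeff survives in another of the 457 files in this commit this is only a file-reuse oddity, but if it does not, add a revoked copy of the old object or a note recording the move. Reusing the file for an unrelated object also makes the history of both behaviors hard to follow.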
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@
"id": "attack-pattern--27a1c173-3d93-430b-9544-8dd2db602b87",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2020-08-21T20:49:59.662262Z",
"modified": "2022-12-07T14:16:51.510056Z",
"modified": "2023-01-30T20:16:28.4179Z",
"name": "Hidden Files and Directories",
"description": "Malware may hide files and folders to avoid detection and/or to persist on the system. See potential methods below.",
"description": "Malware may hide files and folders to avoid detection and/or to persist on the system. See potential methods below. \n\nSee ATT&CK: **Hide Artifacts: Hidden Files and Directories ([T1564.001](https://attack.mitre.org/techniques/T1564/001/))**.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
Expand All @@ -35,6 +35,10 @@
"source_name": "external_source",
"url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/"
},
{
"source_name": "external_source",
"url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/001/",
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@
"id": "attack-pattern--295a3b88-2a7e-4bae-9c50-014fce6d5739",
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
"created": "2020-08-21T20:49:59.486264Z",
"modified": "2022-12-07T14:16:51.381824Z",
"modified": "2023-01-30T20:16:28.321828Z",
"name": "Sandbox Detection",
"description": "Detects whether the malware instance is being executed inside an instrumented sandbox environment (e.g., Cuckoo Sandbox). If so, conditional execution selects a benign execution path.",
"description": "Detects whether the malware instance is being executed inside an instrumented sandbox environment (e.g., Cuckoo Sandbox). If so, conditional execution selects a benign execution path.\n\nThe related **Virtualization/Sandbox Evasion ([T1497](https://attack.mitre.org/techniques/T1497/), [T1633](https://attack.mitre.org/techniques/T1633/))** ATT&CK techniques were defined subsequent to this MBC behavior.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mbc",
Expand All @@ -37,19 +37,15 @@
},
{
"source_name": "external_source",
"url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf"
"url": "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/"
},
{
"source_name": "external_source",
"url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
},
{
"source_name": "external_source",
"url": "https://blogs.cisco.com/security/talos/rombertik"
},
{
"source_name": "external_source",
"url": "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/"
"url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques"
},
{
"source_name": "mitre-attack",
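Review bot: The second hunk's counts (`-37,19 +37,15`) show six lines removed for two added: the FireEye `fireeye-hot-knives-through-butter.pdf` entry and the whole Talos Rombertik entry are gone, the Cyphort EvilBunny link moves up, and the Proofpoint Ursnif post is added. The Hot Knives paper is a general sandbox-evasion reference rather than a single-sample analysis, so dropping it narrows the evidence for the behavior; if the URL is dead, an archived copy (as already done for the Cyphort link) keeps the citation. Rombertik is added to the API Hashing and C2 Communication files in the same commit, so its removal here may be deliberate, but a sentence in the commit description would make that reviewable.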