From b8a3e65bb2ab80e9f094ab5b038840c57a477399 Mon Sep 17 00:00:00 2001 
From: Patrick Copeland
Date: Tue, 18 Feb 2020 14:55:06 -0500
Subject: [PATCH] February 2020 Release (v20.02)
---
.gitignore | 131 +
LICENSE.txt | 201 +
README.md | 15 +-
USAGE.md | 181 +
...-01051bb2-6339-4556-8363-3b94ba289ec1.json | 54 +
...-0202a028-471b-47c1-9723-0457934a50f3.json | 37 +
...-031beb01-79db-43f5-a901-1e32a4b79628.json | 45 +
...-03b4fd1e-96db-4c28-b9c7-18ef0510c129.json | 37 +
...-05dab55a-36c8-47d0-9a60-28f19fe18cdf.json | 37 +
...-05f6625b-7291-4a4b-8ec1-4044efa6cb2e.json | 41 +
...-068759bf-7db6-431f-aeeb-01f6034eae22.json | 37 +
...-0bee0786-1469-4d9d-8887-acd8fb6fe95e.json | 37 +
...-0bfe651c-26b6-49c0-9b50-51ddc7090c98.json | 49 +
...-0d36eb1b-4454-435f-9e8c-285d235341c7.json | 37 +
...-0dde3fa0-8e37-413d-bbe8-f75428801408.json | 41 +
...-101d8709-b8d4-4604-a835-b122f1ecb227.json | 41 +
...-11d90b50-17e9-45f5-84aa-05899a63714e.json | 51 +
...-131c6f15-5bc4-4583-9b8d-ea06ef139d0b.json | 37 +
...-1341c511-1ecc-489b-902a-8a80577d2758.json | 37 +
...-139411fc-5539-4254-825c-12a9d5b3973b.json | 45 +
...-1665b6e5-769a-4abb-9de1-4719ac6ce727.json | 37 +
...-17717ca4-3713-496e-87d7-13a95a6b1790.json | 99 +
...-19965f2f-3091-4611-b5da-4f5351319b63.json | 37 +
...-1a9f1c1d-2273-469c-98da-063594baa0d4.json | 67 +
...-1ab23a6a-e131-4321-be30-7f3f3861dac0.json | 36 +
...-1afb3ce1-57db-46ae-9c89-5b8f36011b7b.json | 61 +
...-1bcad6e7-bdb9-4cb1-acd2-12c3ef0d16a6.json | 37 +
...-1c4e8b61-bdb4-4ff5-bbf2-10dda4b276da.json | 41 +
...-1e98510a-2454-445e-9942-47a5686f2bbd.json | 37 +
...-21936a10-00e4-4e54-8fd7-00223e432cbf.json | 51 +
...-257eb250-d032-4eb8-a440-41fe91633738.json | 37 +
...-278e7645-17ac-4bd3-9849-56060cab2e81.json | 36 +
...-28fb8dbd-1aae-42f1-aba5-f9062e7003ee.json | 37 +
...-2f098b48-391a-4869-acba-b10ba07a4522.json | 37 +
...-309cdc6a-244e-43a6-bc1a-40ea4b8a999c.json | 37 +
...-34f875d3-da11-4112-bfd8-fe2d9deaf609.json | 37 +
...-3681ae81-1115-418d-a4f7-b6240b602852.json | 37 +
...-37e2cfce-37c2-4a5a-a98e-3bf5b4cd9db6.json | 37 +
...-3968a5bc-ed1f-4abf-a978-05f84d4cbf5c.json | 37 +
...-3b3c03d0-8e57-4e10-b3bd-ef53515afc92.json | 37 +
...-3cf9e9ac-9280-4a8d-b8b3-976abc855055.json | 37 +
...-3df182e8-9ada-4e1e-874c-8bc8d7fa7c1c.json | 41 +
...-3e66b2bf-cc28-4635-ac06-4ea0f1ad8122.json | 41 +
...-3ff14e42-f7c6-4f9f-a0e1-43afcd06778f.json | 37 +
...-422b0025-9286-4a11-812d-5494dab28d9a.json | 55 +
...-425dafb4-d71e-4c13-b900-b93c4316d07f.json | 37 +
...-43f3997b-88e5-4a2e-9b59-6af0892a89b2.json | 82 +
...-4799cdef-cff0-476b-adaa-685b8277ef7c.json | 37 +
...-484c88bd-1dac-4774-8411-63aaed416ac3.json | 41 +
...-4b89d6b6-fd08-4b39-bb01-b472ae95b93d.json | 37 +
...-4c235631-ef76-4afc-9386-e1d9be003c44.json | 55 +
...-4c4599cf-a384-46fa-83f2-f05967673158.json | 37 +
...-4dd2b47e-6753-4cbc-bfbd-336ed1dd4838.json | 37 +
...-4ea52273-1834-4df1-8bc7-6ee8738748a2.json | 50 +
...-4f74271a-79f0-4fbc-87ee-43abd69fd74e.json | 36 +
...-5010e76c-7f54-467d-8042-90ff48523dd2.json | 62 +
...-51fb196e-4be8-4b21-ba5b-fce4d7de6767.json | 49 +
...-52aeeef7-8531-4bc9-969f-274798c4cc13.json | 67 +
...-552f53bd-52e8-4c09-aa98-26ca8b9ef2da.json | 37 +
...-55d0d35e-668a-45dc-a727-c7446b3e5d08.json | 37 +
...-568d881b-70b4-4b37-97ba-045c34335b1f.json | 37 +
...-56e8ece2-1e82-4c12-9b8d-79bd23c33936.json | 37 +
...-584bb03d-6bdb-4385-a52a-e2a80d58b1e7.json | 47 +
...-587a54c2-89ae-42aa-9504-b820378e2aff.json | 37 +
...-58e6e2a9-7074-4fb6-930d-3177a4302737.json | 37 +
...-58f11920-e04f-4935-864a-c2121842bf8d.json | 37 +
...-5a7483f3-b636-4f12-8925-21be3e0f3676.json | 50 +
...-5d6f607a-b64e-4b25-ba0c-0ed3854f4557.json | 37 +
...-5e8c37e7-530d-4da6-a520-83a39fc52d7a.json | 91 +
...-5f63251a-e426-493e-9dd6-3b562c0e7157.json | 41 +
...-613f0744-5c1e-4ed1-a79e-ea132e27e085.json | 37 +
...-6246be32-1085-40b4-aa18-6ead153e84fc.json | 37 +
...-6406f5d5-3adb-4855-ba12-87b3f9e7fb28.json | 37 +
...-64098173-07b5-47f3-bd31-f3ae0f83ba93.json | 37 +
...-65a87d14-443d-48bc-8056-af041b7092be.json | 42 +
...-65fe37b4-19b9-4630-8d51-5afd6dc3234d.json | 43 +
...-670148f0-5ad0-4dff-ba2a-753933c624d9.json | 37 +
...-67291481-c3c0-4b34-86c9-fa2b7694c706.json | 46 +
...-6c58676d-57be-4bbc-a9b2-54a11098ca12.json | 32 +
...-6d80c035-3515-48dc-91cd-9c14c888fbc6.json | 37 +
...-6dd00b46-cafd-4eab-9a94-1cae503e089a.json | 37 +
...-6fcd4fe2-3997-4591-91e9-987fba8a79fa.json | 41 +
...-7178682e-9591-4ebe-a24e-25b7b2ee07a5.json | 193 +
...-71c969b3-1c87-4c02-aa1b-56d111547b1a.json | 41 +
...-731ecd6a-9782-4272-84f3-f4d5ff3732e0.json | 37 +
...-739c387d-4465-421d-9b6b-51ca77c52a0d.json | 37 +
...-748576ac-427c-460a-98fd-ab14c2b4f65a.json | 42 +
...-787fd5df-098b-4def-a02c-b840072a2962.json | 37 +
...-7917db1d-3be0-4a58-b706-00c62379a7b2.json | 37 +
...-7a0a5840-aed7-48bf-abcb-89056c1ba932.json | 37 +
...-7a79533e-479c-4272-8220-f639ca223b2e.json | 40 +
...-7aef87fb-3c58-4545-9566-c63439e68c55.json | 37 +
...-7d617afd-819d-4588-9b22-38470d5b338c.json | 41 +
...-7ea4b671-1dba-4990-9c5c-f36ae7ea1cbe.json | 41 +
...-7f7f9c9f-db90-4294-91ad-d1c9da04e9d8.json | 41 +
...-8063d2a0-1f1b-4210-a56d-4375aafda2a1.json | 45 +
...-82b3164a-89f4-423b-bc38-a6d942493658.json | 37 +
...-82db8cfb-f51f-4903-b652-cd8a2e4166fa.json | 41 +
...-82e0ca52-1f6e-475f-89cf-9817a5e4cc60.json | 37 +
...-83754954-2d7e-48d5-9f88-034dc202ed48.json | 36 +
...-8429c75f-5cf7-4057-90b7-e94a0c8f7060.json | 41 +
...-867bc93b-83c8-4bcd-876b-a8f190dd7de7.json | 37 +
...-869a8bc4-8a40-470c-8a6b-35d80635bd09.json | 37 +
...-893190c4-3228-4d10-854b-cd8469fb9172.json | 41 +
...-89685060-9bc7-48f1-aa8e-4c70f08f8935.json | 41 +
...-8bce1da7-4e1f-49f9-bafe-3fbeb32413fb.json | 37 +
...-8da9c3ba-1ff0-4390-a2e4-7d859b4f5cc8.json | 32 +
...-8ea02c43-667a-4db1-86f4-89cf99d7f6f9.json | 37 +
...-8ee90538-b608-4379-bfef-d906cb366305.json | 37 +
...-8f470860-de90-44e9-b88f-4b188918bb7c.json | 42 +
...-90087c64-921d-4aef-bbb4-8fad5ba7c812.json | 37 +
...-915a827a-d63c-46f0-ad85-0e2bf894c527.json | 37 +
...-916ef5a6-4865-4da7-bd65-664a0bdd536a.json | 37 +
...-9188ea31-fa9e-4fad-949b-f705e0fabd20.json | 174 +
...-91907ea3-beed-40bd-b4d6-1875893568a6.json | 111 +
...-91b54219-5f02-4c6d-aaec-7bfb45e22cc4.json | 41 +
...-9204fe33-1848-4be0-a1f6-0fc2841a9753.json | 32 +
...-92557c19-d2a7-4b25-b77c-34954e99d3a8.json | 100 +
...-929e0835-9197-42d0-9a00-95b7b4e13dcb.json | 37 +
...-98511ebd-51ae-451e-8d14-b73f23640191.json | 44 +
...-99960d3e-e9f8-47e9-9293-a18eb5b068af.json | 41 +
...-999d34f4-c740-497f-9074-563b8c11d8ce.json | 41 +
...-9a5d9d87-44f6-42c5-ad27-0434a97ce7d6.json | 41 +
...-9bd44017-2ca1-4370-b06d-f55fd2071b6b.json | 37 +
...-9c2ea49a-ea29-47b4-acca-087733a71b2c.json | 37 +
...-9ca32a1e-0f84-42d6-8be0-fccf0934a123.json | 50 +
...-9d154966-e9a9-444e-80cf-cd4c95e877bc.json | 41 +
...-9ea6bec1-a908-422a-9154-28448b3ae618.json | 41 +
...-9f7dd003-9dbd-4fcf-96e0-eda3246828db.json | 37 +
...-a02e6e5e-2750-4ec8-af17-90088bb8f961.json | 37 +
...-a03b6507-fed8-416a-8425-0761f5f7f754.json | 45 +
...-a1f1b921-b815-4311-93c2-6c98a333fd5d.json | 37 +
...-a370131c-c76d-49a1-ac77-c1ca7f1b3ee2.json | 37 +
...-a483c23a-a85a-4068-a570-8fc45493e2bc.json | 37 +
...-a49e3ab1-4f38-49b4-8bb2-5bf5778ae503.json | 37 +
...-a5cd65d0-eee1-463e-a003-04f3a71bb813.json | 55 +
...-a7ea0b40-a316-43db-9dcf-1ae03eda94a6.json | 41 +
...-a8037627-051d-48fe-8c03-5d78b9293f0c.json | 37 +
...-a95f6808-9551-426a-8eaa-7794164d10e7.json | 37 +
...-ab3bb771-c300-4480-87c0-0e5c55ec81d1.json | 50 +
...-af19022e-d8be-4cd2-a4b6-fb1c3a6a0f13.json | 46 +
...-af8dfa93-7114-43fc-b57a-d1a3c61c4acd.json | 54 +
...-b176779c-a4df-49a4-993e-e424a114b73a.json | 37 +
...-b24b9670-5ac7-4982-972c-0691b9a81d0c.json | 41 +
...-b255fae3-82ad-4a9d-a76a-3301e0c3caed.json | 44 +
...-b297f2d1-8322-4153-8e4c-ecc411302a79.json | 37 +
...-b2a6969f-5b08-43e4-8f8f-1cef31ff37cc.json | 41 +
...-b2c99aaa-a0e3-439d-92a3-402768d7282f.json | 46 +
...-b4df4bd2-7208-4948-b649-7a5267f27e2e.json | 37 +
...-b71f0bb4-21ef-46c1-b37c-7df65de756a4.json | 37 +
...-b7333931-5e93-46cf-ab22-c2c6ff9a8986.json | 45 +
...-b8f24e74-d267-4783-be19-13cb060aaa2d.json | 83 +
...-b8ffc69c-45d1-4420-a1de-566d88c213c6.json | 37 +
...-bfa0510e-ffed-49a3-a66a-cef073dd488e.json | 70 +
...-c12572b5-e25b-4ef9-944a-81d81050323e.json | 37 +
...-c20a6281-74cb-41fe-8575-ca053579b768.json | 37 +
...-c376d9bb-5e45-42f5-95ce-b57d6ce417b8.json | 37 +
...-c5e52bb6-425f-416a-afb7-58d67093ef9c.json | 63 +
...-c63442e8-94ac-422a-af1a-f51279f2c9ae.json | 37 +
...-c87a9a20-73bb-4dd1-8531-2f7c246a4660.json | 37 +
...-c969317c-d5ec-4886-91d5-6ed12aef2fd7.json | 41 +
...-c9e8178e-280c-4fde-9e94-44db17382b97.json | 41 +
...-ca41dedd-dddb-45bb-bbf7-ef5a17b1b4f5.json | 46 +
...-cec46ca6-08c3-46d6-b37f-92c50fe689bb.json | 59 +
...-d0bfadad-c04b-4eed-b9aa-f11d3e84bc6c.json | 37 +
...-d1db8aeb-d1f6-466c-bf30-38d6ad72ade7.json | 48 +
...-d20ad1d9-e3df-499c-b7a8-84c67eb64144.json | 37 +
...-d21cffb9-b381-47f4-9428-950873cccf21.json | 32 +
...-d410c87e-8b82-47d9-8f43-15ea0e908e52.json | 41 +
...-d6513614-2072-4aa9-b5fe-9bbb3994ab30.json | 37 +
...-d77057dc-8454-4a4c-9dd4-3da26ae009be.json | 42 +
...-db081b29-8422-45c1-a622-a5405fe78a58.json | 41 +
...-db4db0bf-8914-4cf2-b128-6fc458eceef0.json | 37 +
...-dcf577a4-f3c7-4abe-90f3-0e2cfeba0e2d.json | 37 +
...-de4972da-8a7d-4d60-96e7-0c3d7d4fc394.json | 37 +
...-df815f03-3c56-4fc7-a443-e6ce5e002664.json | 32 +
...-e7aa19e5-50c9-4a10-ab07-d774e2a38166.json | 41 +
...-e7b72976-3e0e-4957-ac09-33a204c4d4b5.json | 41 +
...-e7dcd590-8f60-4f7d-bb91-ec2863e56e2a.json | 45 +
...-e7f6dd03-80ee-4721-baed-949bd060ed48.json | 37 +
...-e9a06bb6-c6e9-4718-9434-f6b737eee9e8.json | 41 +
...-e9f0d1de-13f3-499a-a0ee-32fe37912720.json | 45 +
...-e9f915ef-38e5-4c6a-a885-c26073023fe5.json | 37 +
...-ebf911df-6135-42a8-a9f5-76676f546d4a.json | 82 +
...-ecee9e53-6ad7-4459-a02a-66bfc9e6caed.json | 37 +
...-ecef682a-60cb-46a6-a7af-c90b4d679669.json | 37 +
...-eebc4347-09b3-4871-8f16-db2e1cbfe135.json | 37 +
...-f2f10f49-dd06-4323-aedd-7806286c6529.json | 37 +
...-f42d3d87-e374-4114-bc93-a52cae45e3d0.json | 41 +
...-f48a693f-aeb3-4e68-99e3-01c56e223272.json | 41 +
...-f538e66c-fab9-4a8b-b547-a206e4ddfe1b.json | 37 +
...-f54dfa9e-e208-4695-81e8-478d887dba7c.json | 37 +
...-f7136ba2-6455-48f4-90df-63f8f43ae0f4.json | 32 +
...-f7768d3e-3a55-4876-8793-4e78d68f3a38.json | 52 +
...-f92667e4-d874-4fee-afac-f4770cf6cede.json | 38 +
...-fabff5fa-5d64-4167-9f95-6e25c35002ff.json | 41 +
...-fb4f9ec2-9c0e-4b28-9af7-b2bd4c69ff65.json | 37 +
...-fb7a6e89-4943-47a3-980f-d22c9f394d40.json | 85 +
...-fbe0f011-0dbb-4a6e-a860-32120311f74b.json | 78 +
...-fc82f55c-157b-40b6-ae7c-ade5f0fc9be2.json | 41 +
...-fe182cf0-6215-458b-9b49-7a8b23aa430c.json | 37 +
...-b73c59c1-8560-449a-b8d0-c2ce0533c5bf.json | 18 +
...-0823d7b2-2870-4bb8-9818-a31108708c93.json | 38 +
...-0cc95157-e602-407e-9225-3d595cb1a6e8.json | 34 +
...-1114f1d1-94fb-4499-b1b3-980de47dbd11.json | 45 +
...-135968d7-8b5f-492e-9423-9c98bc4d9d06.json | 38 +
...-19f41321-fc57-475f-b7d5-ef5285f4b489.json | 42 +
...-1d8cb82f-6d6c-4726-aa93-e2a84e3e644e.json | 47 +
...-2106d331-215f-45ce-8899-3c11a4c47a8c.json | 38 +
...-5412b3c6-dfe4-49fc-bd91-04db038de5ea.json | 38 +
...-682044ae-1d33-445d-80d1-d923fade2663.json | 38 +
...-6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27.json | 38 +
...-7d15a1bf-98dc-4da5-9867-15cba30ed3cc.json | 38 +
...-8c3f24a7-b0ca-4934-9374-b73508cd1be1.json | 38 +
...-8d5ffd62-8943-4426-8191-f66ab5881da8.json | 42 +
...-8e60252b-1708-4809-8384-ca8937936aff.json | 46 +
...-901ac923-57ee-4d6a-b14a-ae64e3225b8c.json | 38 +
...-9168de31-46b0-4c9f-9e20-77e77e78a0ab.json | 46 +
...-92c8c384-839c-40a2-b58d-3af2ee3f1938.json | 41 +
...-a0008d7c-30f1-43f7-a798-50552e1fa282.json | 38 +
...-a8688d54-9b39-4fad-bff9-b7bf8c5c146f.json | 50 +
...-ab86ee1d-8789-4357-aff2-d6fec9434952.json | 38 +
...-b3fd453e-0c69-46ab-9138-e8eca8585173.json | 38 +
...-bf2e37d0-29cf-43ef-82d1-f970a128e6bf.json | 41 +
...-cb0b4776-cbd6-417c-b6c1-51f67f44d5b1.json | 38 +
...-d1fb45bc-676d-4f46-9bc8-9890ce9d7c10.json | 42 +
...-dc90c5ae-c90c-4733-a9c4-c3a2a6bea3e1.json | 38 +
...-e042c0eb-4540-4f41-87c4-a57510c7d4ed.json | 47 +
...-eee42dbc-18ca-4db7-9115-672245d8893d.json | 38 +
...-f79355e1-6d17-4d9a-83f7-6d3a985bddb4.json | 38 +
...-093b6375-cd45-4aa3-8f91-6a03ddd7a3d3.json | 16 +
mbc.json | 10435 ++++++++++++++++
...-00861a6a-98ef-40f5-9924-c94c7c5da687.json | 21 +
...-0271a731-326d-4b76-a995-452be084fc08.json | 20 +
...-03ea3cb9-b2c8-4b14-a2e2-eb0c0a49703b.json | 21 +
...-0838a352-fc2b-4276-b695-d1a1d0a47b75.json | 20 +
...-08df9329-0616-4d5d-a3fb-841d730e9dda.json | 21 +
...-0a294da3-8126-46ed-8d67-c8a900292db6.json | 20 +
...-0b197be9-3d5f-4637-ba41-f0e340e89c2c.json | 20 +
...-0d5cdb32-036b-4814-8d02-11f4f352a41b.json | 21 +
...-126606a9-73e6-4a96-8088-d571c892d327.json | 21 +
...-12a31d2d-43a3-4be5-8506-f33663f8779f.json | 21 +
...-1712108b-3fb2-4c60-a384-6386ba7022bb.json | 21 +
...-182afaab-258e-4066-b106-3403de92e242.json | 20 +
...-1a213e38-6637-4d70-996c-0d25fe9e265c.json | 21 +
...-1b3ebeae-0af7-4fa9-b6b3-21def04888a4.json | 20 +
...-1b4fce12-c45c-4fab-bfb7-0be41a5bf1b9.json | 21 +
...-1b7ca247-1884-4cc7-88cf-3569d401b335.json | 20 +
...-1dd10259-f49a-4d1a-b62f-6de3835552c4.json | 20 +
...-1e87f811-e730-4637-a3f8-a67371159204.json | 20 +
...-2972cdc6-b3ca-4e3e-83e4-13dd1bf87b26.json | 20 +
...-29b956ba-bbd9-4f8b-b695-52e25c9ea4cf.json | 20 +
...-2a8e2dc1-0eec-478f-b471-3dfb2c13251b.json | 21 +
...-2b7bf5d7-79d6-4ba8-a1dc-ac58cc738c90.json | 21 +
...-2bfea226-1e7f-452b-ac36-8a26d7750c44.json | 20 +
...-2d589d43-d781-43ae-853a-7a04078f4160.json | 20 +
...-31972647-852d-41bc-951c-5063826362b7.json | 20 +
...-3707f258-e5c2-4cf0-90ec-19fb4baf018c.json | 20 +
...-39372d95-3507-4917-ae07-6275ee827aba.json | 21 +
...-3c6be01e-c2de-4835-b120-59da1e07d50e.json | 21 +
...-3ccc155b-01ca-4b82-aece-60801b8c42c4.json | 20 +
...-3d70b808-f176-4620-aa53-fcc439081994.json | 21 +
...-3fea9f25-65a5-4bc3-924d-34a3f310f722.json | 21 +
...-41619001-1af7-4b97-babd-9c21c827e1d2.json | 21 +
...-416b4a88-11a1-4632-941b-ade357252d0d.json | 20 +
...-4438daa4-c88a-40ba-92e3-d80343538108.json | 21 +
...-44515a0f-4716-40ef-b5d5-177849ce6987.json | 21 +
...-461ef403-0bd0-49cd-88bc-5bfc426e6b23.json | 21 +
...-464326e8-1ec2-425b-9557-bd00281078d6.json | 20 +
...-4ced5121-d085-49b3-b6ab-311ca722b46a.json | 20 +
...-4d63f713-2d38-40c3-a744-bd12bbd8499b.json | 20 +
...-510fcbf4-e832-43d7-8628-26724bdc4539.json | 21 +
...-53a75251-5474-4d56-bc67-116adc9cf33b.json | 20 +
...-57a27587-537b-48d4-ace1-dc1d07321776.json | 20 +
...-5b129221-9159-488d-8460-c966b836328f.json | 21 +
...-5b69f0d0-62e7-4f27-acce-41d1d0ed417c.json | 20 +
...-5efcecab-ca74-4c8f-a884-68f8709b072b.json | 20 +
...-5f9c9726-82c0-4876-937d-52e66ef739db.json | 20 +
...-6108db13-e957-41b2-a22c-c1abf26df815.json | 21 +
...-643e9a29-3802-4725-8fd8-ebd05f804502.json | 21 +
...-64c5969c-f0b7-4d5e-97e5-a0ba0d9eb235.json | 21 +
...-679a082a-d6b4-4478-a4d5-1a8dc972b211.json | 21 +
...-6a361003-f6c0-430e-8db6-5f8f2ac422ee.json | 21 +
...-6b15a47c-add7-407e-866c-455b82eb5206.json | 20 +
...-6c01abcc-9ec4-4294-b39b-c3aad259c796.json | 20 +
...-6cfc5694-2afb-4727-9af1-3bdf4688947e.json | 21 +
...-6dfe86f6-1818-4108-aca9-e49c819192b4.json | 20 +
...-70293730-edee-424a-aaaf-19f18a2ebd02.json | 20 +
...-76c22659-341c-4ef5-9dd9-dee2d9f9b96a.json | 20 +
...-7c232b17-6421-4459-bbca-410f7660a760.json | 21 +
...-80a8579e-8f8a-45f1-b745-6254f77b1a8b.json | 21 +
...-80dcb928-b50d-4ee7-8c26-369660f041de.json | 21 +
...-8358a935-9460-42a9-bfbc-31653fb1a3e5.json | 20 +
...-8ce0a9c1-7392-4877-b6ed-6023f0dcacec.json | 20 +
...-8d7e7aeb-c462-4051-aff0-4f526ccfa699.json | 20 +
...-8dece164-935e-4939-9fbe-483f3baedc4a.json | 20 +
...-8fce710f-5023-4a45-ac3a-c4ace1c7d0dd.json | 20 +
...-90c677fd-2dab-4eda-9b84-d8028de953de.json | 20 +
...-913ac448-0c3d-4856-90a4-6273865eb381.json | 21 +
...-9277a5c2-8988-46dc-87d2-20359be28def.json | 20 +
...-928e6604-a7d3-436c-a7fe-97f1ca278a5d.json | 20 +
...-941e3c16-3412-46d6-86e1-55372dbc3fcd.json | 21 +
...-943fd319-6d73-41b0-a01f-b45474c5be87.json | 21 +
...-97175b7c-fb76-4aa4-bcbf-89c5ab1d44b9.json | 21 +
...-9b7fde5e-600c-4214-9714-1247c4ea5260.json | 21 +
...-9ea77314-a832-4920-9716-35381b728892.json | 20 +
...-9ff32dae-46f3-4061-82b9-e7197b4ae30d.json | 21 +
...-a3218798-6c62-458a-8f6b-0fcd127ca4e8.json | 20 +
...-a7588119-f565-4489-9512-db956975c1f5.json | 20 +
...-a867e78a-e15d-40be-9cf1-6f746531eb44.json | 21 +
...-a9c1d8df-3732-4e6e-a7bf-6be0821fae73.json | 21 +
...-abc3029d-06b2-4048-a14d-2ef0a1bf8ea3.json | 21 +
...-ac6d1a10-221a-49aa-9f6a-84a528d565d1.json | 20 +
...-ad5b898c-6553-46a7-99dc-f51dcdef9b45.json | 20 +
...-b082f098-c65c-433d-a9f1-6634c2a07f57.json | 20 +
...-b2442af2-272c-42e5-94b6-ac52bbbd1a5c.json | 20 +
...-b28c0897-acb5-4205-8210-eb7c1d420789.json | 20 +
...-b43c677a-dd98-4545-8e4e-118ae78050ff.json | 20 +
...-b53918d6-524a-408a-b79f-ccd56bd6950e.json | 20 +
...-b7947355-7dfc-4ef4-9f62-efb0c755a48f.json | 20 +
...-b7bcccb7-045a-4b97-9b07-f63afb868095.json | 21 +
...-b7c12079-a65e-4901-8849-59f138da35e6.json | 21 +
...-baaa5c93-f948-4e2c-81ca-6f33a86409c3.json | 21 +
...-bfec970e-c03a-4732-857b-e636c78d01e0.json | 21 +
...-cb13515b-a198-41ab-ac0b-8be56c0f099f.json | 21 +
...-d4df8105-8510-4675-a9c8-bbcd6bbacd53.json | 20 +
...-daaf4264-4102-4737-a69a-d68e315479ac.json | 21 +
...-dbd0c7c0-889e-4742-9f47-793d7ece67dc.json | 20 +
...-de086192-07b7-4aa9-a479-c1098d63d9ed.json | 20 +
...-e1580aaa-d87b-4528-bcd6-148cf44bdb8f.json | 20 +
...-e1f2529b-4a72-460e-b1a7-3fb7852b99e7.json | 21 +
...-e21d1d26-eade-424b-a7ac-f720826591df.json | 21 +
...-e28f5300-c580-49dd-99fb-cd32aaf69be8.json | 21 +
...-e2aff5f4-7996-4332-b538-2b936ac8f229.json | 20 +
...-ec166b67-9034-406a-9df3-cc026fa58801.json | 20 +
...-f5d16822-4a48-4d9c-944e-67ef45a59d48.json | 21 +
...-f74ca922-715f-431d-a2c8-f22d299306aa.json | 20 +
...-f758c224-450b-42b0-b54a-d0d4dcb41ac6.json | 21 +
...-fde7d5f5-6e64-469f-a3d0-5f06e337374a.json | 21 +
...-d5eae189-586e-4f87-bf4f-51fa251f0ba6.json | 42 +
...-1f99e060-c0e8-449c-8629-216ef75d7828.json | 27 +
...-225d85b5-6806-4760-a9d7-b5e38ca66153.json | 37 +
...-389367d2-9dea-4ffe-b794-cfeaba83bcf6.json | 27 +
...-4fd027ac-dddc-4744-aa72-d1b4598d9898.json | 27 +
...-5ca03153-2bfb-4540-acad-4eb54f188589.json | 27 +
...-69c52ee6-8372-40be-8efc-200896493343.json | 27 +
...-911377e6-b712-4754-a865-3e2989512b9a.json | 27 +
...-97051199-043f-4e26-b548-beeccdd7be3e.json | 26 +
...-9b3422b7-bc43-4b28-8d51-ba68782a9da2.json | 27 +
...-9f09f947-5fc6-455f-b7eb-504c2ba972aa.json | 27 +
...-d2f87328-9fe0-4f81-800e-ea1058f49906.json | 27 +
...-d896bd1c-d0e9-4281-9755-9b76a7c963d3.json | 27 +
...-eb6166b0-f3c9-4124-aeb9-662941baa19e.json | 37 +
...-f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json | 27 +
354 files changed, 23484 insertions(+), 2 deletions(-)
create mode 100644 .gitignore
create mode 100644 LICENSE.txt
create mode 100644 USAGE.md
create mode 100644 attack-pattern/attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1.json
create mode 100644 attack-pattern/attack-pattern--0202a028-471b-47c1-9723-0457934a50f3.json
create mode 100644 attack-pattern/attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628.json
create mode 100644 attack-pattern/attack-pattern--03b4fd1e-96db-4c28-b9c7-18ef0510c129.json
create mode 100644 attack-pattern/attack-pattern--05dab55a-36c8-47d0-9a60-28f19fe18cdf.json
create mode 100644 attack-pattern/attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e.json
create mode 100644 attack-pattern/attack-pattern--068759bf-7db6-431f-aeeb-01f6034eae22.json
create mode 100644 attack-pattern/attack-pattern--0bee0786-1469-4d9d-8887-acd8fb6fe95e.json
create mode 100644 attack-pattern/attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98.json
create mode 100644 attack-pattern/attack-pattern--0d36eb1b-4454-435f-9e8c-285d235341c7.json
create mode 100644 attack-pattern/attack-pattern--0dde3fa0-8e37-413d-bbe8-f75428801408.json
create mode 100644 attack-pattern/attack-pattern--101d8709-b8d4-4604-a835-b122f1ecb227.json
create mode 100644 attack-pattern/attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e.json
create mode 100644 attack-pattern/attack-pattern--131c6f15-5bc4-4583-9b8d-ea06ef139d0b.json
create mode 100644 attack-pattern/attack-pattern--1341c511-1ecc-489b-902a-8a80577d2758.json
create mode 100644 attack-pattern/attack-pattern--139411fc-5539-4254-825c-12a9d5b3973b.json
create mode 100644 attack-pattern/attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727.json
create mode 100644 attack-pattern/attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790.json
create mode 100644 attack-pattern/attack-pattern--19965f2f-3091-4611-b5da-4f5351319b63.json
create mode 100644 attack-pattern/attack-pattern--1a9f1c1d-2273-469c-98da-063594baa0d4.json
create mode 100644 attack-pattern/attack-pattern--1ab23a6a-e131-4321-be30-7f3f3861dac0.json
create mode 100644 attack-pattern/attack-pattern--1afb3ce1-57db-46ae-9c89-5b8f36011b7b.json
create mode 100644 attack-pattern/attack-pattern--1bcad6e7-bdb9-4cb1-acd2-12c3ef0d16a6.json
create mode 100644 attack-pattern/attack-pattern--1c4e8b61-bdb4-4ff5-bbf2-10dda4b276da.json
create mode 100644 attack-pattern/attack-pattern--1e98510a-2454-445e-9942-47a5686f2bbd.json
create mode 100644 attack-pattern/attack-pattern--21936a10-00e4-4e54-8fd7-00223e432cbf.json
create mode 100644 attack-pattern/attack-pattern--257eb250-d032-4eb8-a440-41fe91633738.json
create mode 100644 attack-pattern/attack-pattern--278e7645-17ac-4bd3-9849-56060cab2e81.json
create mode 100644 attack-pattern/attack-pattern--28fb8dbd-1aae-42f1-aba5-f9062e7003ee.json
create mode 100644 attack-pattern/attack-pattern--2f098b48-391a-4869-acba-b10ba07a4522.json
create mode 100644 attack-pattern/attack-pattern--309cdc6a-244e-43a6-bc1a-40ea4b8a999c.json
create mode 100644 attack-pattern/attack-pattern--34f875d3-da11-4112-bfd8-fe2d9deaf609.json
create mode 100644 attack-pattern/attack-pattern--3681ae81-1115-418d-a4f7-b6240b602852.json
create mode 100644 attack-pattern/attack-pattern--37e2cfce-37c2-4a5a-a98e-3bf5b4cd9db6.json
create mode 100644 attack-pattern/attack-pattern--3968a5bc-ed1f-4abf-a978-05f84d4cbf5c.json
create mode 100644 attack-pattern/attack-pattern--3b3c03d0-8e57-4e10-b3bd-ef53515afc92.json
create mode 100644 attack-pattern/attack-pattern--3cf9e9ac-9280-4a8d-b8b3-976abc855055.json
create mode 100644 attack-pattern/attack-pattern--3df182e8-9ada-4e1e-874c-8bc8d7fa7c1c.json
create mode 100644 attack-pattern/attack-pattern--3e66b2bf-cc28-4635-ac06-4ea0f1ad8122.json
create mode 100644 attack-pattern/attack-pattern--3ff14e42-f7c6-4f9f-a0e1-43afcd06778f.json
create mode 100644 attack-pattern/attack-pattern--422b0025-9286-4a11-812d-5494dab28d9a.json
create mode 100644 attack-pattern/attack-pattern--425dafb4-d71e-4c13-b900-b93c4316d07f.json
create mode 100644 attack-pattern/attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2.json
create mode 100644 attack-pattern/attack-pattern--4799cdef-cff0-476b-adaa-685b8277ef7c.json
create mode 100644 attack-pattern/attack-pattern--484c88bd-1dac-4774-8411-63aaed416ac3.json
create mode 100644 attack-pattern/attack-pattern--4b89d6b6-fd08-4b39-bb01-b472ae95b93d.json
create mode 100644 attack-pattern/attack-pattern--4c235631-ef76-4afc-9386-e1d9be003c44.json
create mode 100644 attack-pattern/attack-pattern--4c4599cf-a384-46fa-83f2-f05967673158.json
create mode 100644 attack-pattern/attack-pattern--4dd2b47e-6753-4cbc-bfbd-336ed1dd4838.json
create mode 100644 attack-pattern/attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2.json
create mode 100644 attack-pattern/attack-pattern--4f74271a-79f0-4fbc-87ee-43abd69fd74e.json
create mode 100644 attack-pattern/attack-pattern--5010e76c-7f54-467d-8042-90ff48523dd2.json
create mode 100644 attack-pattern/attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767.json
create mode 100644 attack-pattern/attack-pattern--52aeeef7-8531-4bc9-969f-274798c4cc13.json
create mode 100644 attack-pattern/attack-pattern--552f53bd-52e8-4c09-aa98-26ca8b9ef2da.json
create mode 100644 attack-pattern/attack-pattern--55d0d35e-668a-45dc-a727-c7446b3e5d08.json
create mode 100644 attack-pattern/attack-pattern--568d881b-70b4-4b37-97ba-045c34335b1f.json
create mode 100644 attack-pattern/attack-pattern--56e8ece2-1e82-4c12-9b8d-79bd23c33936.json
create mode 100644 attack-pattern/attack-pattern--584bb03d-6bdb-4385-a52a-e2a80d58b1e7.json
create mode 100644 attack-pattern/attack-pattern--587a54c2-89ae-42aa-9504-b820378e2aff.json
create mode 100644 attack-pattern/attack-pattern--58e6e2a9-7074-4fb6-930d-3177a4302737.json
create mode 100644 attack-pattern/attack-pattern--58f11920-e04f-4935-864a-c2121842bf8d.json
create mode 100644 attack-pattern/attack-pattern--5a7483f3-b636-4f12-8925-21be3e0f3676.json
create mode 100644 attack-pattern/attack-pattern--5d6f607a-b64e-4b25-ba0c-0ed3854f4557.json
create mode 100644 attack-pattern/attack-pattern--5e8c37e7-530d-4da6-a520-83a39fc52d7a.json
create mode 100644 attack-pattern/attack-pattern--5f63251a-e426-493e-9dd6-3b562c0e7157.json
create mode 100644 attack-pattern/attack-pattern--613f0744-5c1e-4ed1-a79e-ea132e27e085.json
create mode 100644 attack-pattern/attack-pattern--6246be32-1085-40b4-aa18-6ead153e84fc.json
create mode 100644 attack-pattern/attack-pattern--6406f5d5-3adb-4855-ba12-87b3f9e7fb28.json
create mode 100644 attack-pattern/attack-pattern--64098173-07b5-47f3-bd31-f3ae0f83ba93.json
create mode 100644 attack-pattern/attack-pattern--65a87d14-443d-48bc-8056-af041b7092be.json
create mode 100644 attack-pattern/attack-pattern--65fe37b4-19b9-4630-8d51-5afd6dc3234d.json
create mode 100644 attack-pattern/attack-pattern--670148f0-5ad0-4dff-ba2a-753933c624d9.json
create mode 100644 attack-pattern/attack-pattern--67291481-c3c0-4b34-86c9-fa2b7694c706.json
create mode 100644 attack-pattern/attack-pattern--6c58676d-57be-4bbc-a9b2-54a11098ca12.json
create mode 100644 attack-pattern/attack-pattern--6d80c035-3515-48dc-91cd-9c14c888fbc6.json
create mode 100644 attack-pattern/attack-pattern--6dd00b46-cafd-4eab-9a94-1cae503e089a.json
create mode 100644 attack-pattern/attack-pattern--6fcd4fe2-3997-4591-91e9-987fba8a79fa.json
create mode 100644 attack-pattern/attack-pattern--7178682e-9591-4ebe-a24e-25b7b2ee07a5.json
create mode 100644 attack-pattern/attack-pattern--71c969b3-1c87-4c02-aa1b-56d111547b1a.json
create mode 100644 attack-pattern/attack-pattern--731ecd6a-9782-4272-84f3-f4d5ff3732e0.json
create mode 100644 attack-pattern/attack-pattern--739c387d-4465-421d-9b6b-51ca77c52a0d.json
create mode 100644 attack-pattern/attack-pattern--748576ac-427c-460a-98fd-ab14c2b4f65a.json
create mode 100644 attack-pattern/attack-pattern--787fd5df-098b-4def-a02c-b840072a2962.json
create mode 100644 attack-pattern/attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2.json
create mode 100644 attack-pattern/attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932.json
create mode 100644 attack-pattern/attack-pattern--7a79533e-479c-4272-8220-f639ca223b2e.json
create mode 100644 attack-pattern/attack-pattern--7aef87fb-3c58-4545-9566-c63439e68c55.json
create mode 100644 attack-pattern/attack-pattern--7d617afd-819d-4588-9b22-38470d5b338c.json
create mode 100644 attack-pattern/attack-pattern--7ea4b671-1dba-4990-9c5c-f36ae7ea1cbe.json
create mode 100644 attack-pattern/attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8.json
create mode 100644 attack-pattern/attack-pattern--8063d2a0-1f1b-4210-a56d-4375aafda2a1.json
create mode 100644 attack-pattern/attack-pattern--82b3164a-89f4-423b-bc38-a6d942493658.json
create mode 100644 attack-pattern/attack-pattern--82db8cfb-f51f-4903-b652-cd8a2e4166fa.json
create mode 100644 attack-pattern/attack-pattern--82e0ca52-1f6e-475f-89cf-9817a5e4cc60.json
create mode 100644 attack-pattern/attack-pattern--83754954-2d7e-48d5-9f88-034dc202ed48.json
create mode 100644 attack-pattern/attack-pattern--8429c75f-5cf7-4057-90b7-e94a0c8f7060.json
create mode 100644 attack-pattern/attack-pattern--867bc93b-83c8-4bcd-876b-a8f190dd7de7.json
create mode 100644 attack-pattern/attack-pattern--869a8bc4-8a40-470c-8a6b-35d80635bd09.json
create mode 100644 attack-pattern/attack-pattern--893190c4-3228-4d10-854b-cd8469fb9172.json
create mode 100644 attack-pattern/attack-pattern--89685060-9bc7-48f1-aa8e-4c70f08f8935.json
create mode 100644 attack-pattern/attack-pattern--8bce1da7-4e1f-49f9-bafe-3fbeb32413fb.json
create mode 100644 attack-pattern/attack-pattern--8da9c3ba-1ff0-4390-a2e4-7d859b4f5cc8.json
create mode 100644 attack-pattern/attack-pattern--8ea02c43-667a-4db1-86f4-89cf99d7f6f9.json
create mode 100644 attack-pattern/attack-pattern--8ee90538-b608-4379-bfef-d906cb366305.json
create mode 100644 attack-pattern/attack-pattern--8f470860-de90-44e9-b88f-4b188918bb7c.json
create mode 100644 attack-pattern/attack-pattern--90087c64-921d-4aef-bbb4-8fad5ba7c812.json
create mode 100644 attack-pattern/attack-pattern--915a827a-d63c-46f0-ad85-0e2bf894c527.json
create mode 100644 attack-pattern/attack-pattern--916ef5a6-4865-4da7-bd65-664a0bdd536a.json
create mode 100644 attack-pattern/attack-pattern--9188ea31-fa9e-4fad-949b-f705e0fabd20.json
create mode 100644 attack-pattern/attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6.json
create mode 100644 attack-pattern/attack-pattern--91b54219-5f02-4c6d-aaec-7bfb45e22cc4.json
create mode 100644 attack-pattern/attack-pattern--9204fe33-1848-4be0-a1f6-0fc2841a9753.json
create mode 100644 attack-pattern/attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8.json
create mode 100644 attack-pattern/attack-pattern--929e0835-9197-42d0-9a00-95b7b4e13dcb.json
create mode 100644 attack-pattern/attack-pattern--98511ebd-51ae-451e-8d14-b73f23640191.json
create mode 100644 attack-pattern/attack-pattern--99960d3e-e9f8-47e9-9293-a18eb5b068af.json
create mode 100644 attack-pattern/attack-pattern--999d34f4-c740-497f-9074-563b8c11d8ce.json
create mode 100644 attack-pattern/attack-pattern--9a5d9d87-44f6-42c5-ad27-0434a97ce7d6.json
create mode 100644 attack-pattern/attack-pattern--9bd44017-2ca1-4370-b06d-f55fd2071b6b.json
create mode 100644 attack-pattern/attack-pattern--9c2ea49a-ea29-47b4-acca-087733a71b2c.json
create mode 100644 attack-pattern/attack-pattern--9ca32a1e-0f84-42d6-8be0-fccf0934a123.json
create mode 100644 attack-pattern/attack-pattern--9d154966-e9a9-444e-80cf-cd4c95e877bc.json
create mode 100644 attack-pattern/attack-pattern--9ea6bec1-a908-422a-9154-28448b3ae618.json
create mode 100644 attack-pattern/attack-pattern--9f7dd003-9dbd-4fcf-96e0-eda3246828db.json
create mode 100644 attack-pattern/attack-pattern--a02e6e5e-2750-4ec8-af17-90088bb8f961.json
create mode 100644 attack-pattern/attack-pattern--a03b6507-fed8-416a-8425-0761f5f7f754.json
create mode 100644 attack-pattern/attack-pattern--a1f1b921-b815-4311-93c2-6c98a333fd5d.json
create mode 100644 attack-pattern/attack-pattern--a370131c-c76d-49a1-ac77-c1ca7f1b3ee2.json
create mode 100644 attack-pattern/attack-pattern--a483c23a-a85a-4068-a570-8fc45493e2bc.json
create mode 100644 attack-pattern/attack-pattern--a49e3ab1-4f38-49b4-8bb2-5bf5778ae503.json
create mode 100644 attack-pattern/attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813.json
create mode 100644 attack-pattern/attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6.json
create mode 100644 attack-pattern/attack-pattern--a8037627-051d-48fe-8c03-5d78b9293f0c.json
create mode 100644 attack-pattern/attack-pattern--a95f6808-9551-426a-8eaa-7794164d10e7.json
create mode 100644 attack-pattern/attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1.json
create mode 100644 attack-pattern/attack-pattern--af19022e-d8be-4cd2-a4b6-fb1c3a6a0f13.json
create mode 100644 attack-pattern/attack-pattern--af8dfa93-7114-43fc-b57a-d1a3c61c4acd.json
create mode 100644 attack-pattern/attack-pattern--b176779c-a4df-49a4-993e-e424a114b73a.json
create mode 100644 attack-pattern/attack-pattern--b24b9670-5ac7-4982-972c-0691b9a81d0c.json
create mode 100644 attack-pattern/attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed.json
create mode 100644 attack-pattern/attack-pattern--b297f2d1-8322-4153-8e4c-ecc411302a79.json
create mode 100644 attack-pattern/attack-pattern--b2a6969f-5b08-43e4-8f8f-1cef31ff37cc.json
create mode 100644 attack-pattern/attack-pattern--b2c99aaa-a0e3-439d-92a3-402768d7282f.json
create mode 100644 attack-pattern/attack-pattern--b4df4bd2-7208-4948-b649-7a5267f27e2e.json
create mode 100644 attack-pattern/attack-pattern--b71f0bb4-21ef-46c1-b37c-7df65de756a4.json
create mode 100644 attack-pattern/attack-pattern--b7333931-5e93-46cf-ab22-c2c6ff9a8986.json
create mode 100644 attack-pattern/attack-pattern--b8f24e74-d267-4783-be19-13cb060aaa2d.json
create mode 100644 attack-pattern/attack-pattern--b8ffc69c-45d1-4420-a1de-566d88c213c6.json
create mode 100644 attack-pattern/attack-pattern--bfa0510e-ffed-49a3-a66a-cef073dd488e.json
create mode 100644 attack-pattern/attack-pattern--c12572b5-e25b-4ef9-944a-81d81050323e.json
create mode 100644 attack-pattern/attack-pattern--c20a6281-74cb-41fe-8575-ca053579b768.json
create mode 100644 attack-pattern/attack-pattern--c376d9bb-5e45-42f5-95ce-b57d6ce417b8.json
create mode 100644 attack-pattern/attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c.json
create mode 100644 attack-pattern/attack-pattern--c63442e8-94ac-422a-af1a-f51279f2c9ae.json
create mode 100644 attack-pattern/attack-pattern--c87a9a20-73bb-4dd1-8531-2f7c246a4660.json
create mode 100644 attack-pattern/attack-pattern--c969317c-d5ec-4886-91d5-6ed12aef2fd7.json
create mode 100644 attack-pattern/attack-pattern--c9e8178e-280c-4fde-9e94-44db17382b97.json
create mode 100644 attack-pattern/attack-pattern--ca41dedd-dddb-45bb-bbf7-ef5a17b1b4f5.json
create mode 100644 attack-pattern/attack-pattern--cec46ca6-08c3-46d6-b37f-92c50fe689bb.json
create mode 100644 attack-pattern/attack-pattern--d0bfadad-c04b-4eed-b9aa-f11d3e84bc6c.json
create mode 100644 attack-pattern/attack-pattern--d1db8aeb-d1f6-466c-bf30-38d6ad72ade7.json
create mode 100644 attack-pattern/attack-pattern--d20ad1d9-e3df-499c-b7a8-84c67eb64144.json
create mode 100644 attack-pattern/attack-pattern--d21cffb9-b381-47f4-9428-950873cccf21.json
create mode 100644 attack-pattern/attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52.json
create mode 100644 attack-pattern/attack-pattern--d6513614-2072-4aa9-b5fe-9bbb3994ab30.json
create mode 100644 attack-pattern/attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be.json
create mode 100644 attack-pattern/attack-pattern--db081b29-8422-45c1-a622-a5405fe78a58.json
create mode 100644 attack-pattern/attack-pattern--db4db0bf-8914-4cf2-b128-6fc458eceef0.json
create mode 100644 attack-pattern/attack-pattern--dcf577a4-f3c7-4abe-90f3-0e2cfeba0e2d.json
create mode 100644 attack-pattern/attack-pattern--de4972da-8a7d-4d60-96e7-0c3d7d4fc394.json
create mode 100644 attack-pattern/attack-pattern--df815f03-3c56-4fc7-a443-e6ce5e002664.json
create mode 100644 attack-pattern/attack-pattern--e7aa19e5-50c9-4a10-ab07-d774e2a38166.json
create mode 100644 attack-pattern/attack-pattern--e7b72976-3e0e-4957-ac09-33a204c4d4b5.json
create mode 100644 attack-pattern/attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a.json
create mode 100644 attack-pattern/attack-pattern--e7f6dd03-80ee-4721-baed-949bd060ed48.json
create mode 100644 attack-pattern/attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8.json
create mode 100644 attack-pattern/attack-pattern--e9f0d1de-13f3-499a-a0ee-32fe37912720.json
create mode 100644 attack-pattern/attack-pattern--e9f915ef-38e5-4c6a-a885-c26073023fe5.json
create mode 100644 attack-pattern/attack-pattern--ebf911df-6135-42a8-a9f5-76676f546d4a.json
create mode 100644 attack-pattern/attack-pattern--ecee9e53-6ad7-4459-a02a-66bfc9e6caed.json
create mode 100644 attack-pattern/attack-pattern--ecef682a-60cb-46a6-a7af-c90b4d679669.json
create mode 100644 attack-pattern/attack-pattern--eebc4347-09b3-4871-8f16-db2e1cbfe135.json
create mode 100644 attack-pattern/attack-pattern--f2f10f49-dd06-4323-aedd-7806286c6529.json
create mode 100644 attack-pattern/attack-pattern--f42d3d87-e374-4114-bc93-a52cae45e3d0.json
create mode 100644 attack-pattern/attack-pattern--f48a693f-aeb3-4e68-99e3-01c56e223272.json
create mode 100644 attack-pattern/attack-pattern--f538e66c-fab9-4a8b-b547-a206e4ddfe1b.json
create mode 100644 attack-pattern/attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c.json
create mode 100644 attack-pattern/attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4.json
create mode 100644 attack-pattern/attack-pattern--f7768d3e-3a55-4876-8793-4e78d68f3a38.json
create mode 100644 attack-pattern/attack-pattern--f92667e4-d874-4fee-afac-f4770cf6cede.json
create mode 100644 attack-pattern/attack-pattern--fabff5fa-5d64-4167-9f95-6e25c35002ff.json
create mode 100644 attack-pattern/attack-pattern--fb4f9ec2-9c0e-4b28-9af7-b2bd4c69ff65.json
create mode 100644 attack-pattern/attack-pattern--fb7a6e89-4943-47a3-980f-d22c9f394d40.json
create mode 100644 attack-pattern/attack-pattern--fbe0f011-0dbb-4a6e-a860-32120311f74b.json
create mode 100644 attack-pattern/attack-pattern--fc82f55c-157b-40b6-ae7c-ade5f0fc9be2.json
create mode 100644 attack-pattern/attack-pattern--fe182cf0-6215-458b-9b49-7a8b23aa430c.json
create mode 100644 identity/identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf.json
create mode 100644 malware/malware--0823d7b2-2870-4bb8-9818-a31108708c93.json
create mode 100644
malware/malware--0cc95157-e602-407e-9225-3d595cb1a6e8.json create mode 100644 malware/malware--1114f1d1-94fb-4499-b1b3-980de47dbd11.json create mode 100644 malware/malware--135968d7-8b5f-492e-9423-9c98bc4d9d06.json create mode 100644 malware/malware--19f41321-fc57-475f-b7d5-ef5285f4b489.json create mode 100644 malware/malware--1d8cb82f-6d6c-4726-aa93-e2a84e3e644e.json create mode 100644 malware/malware--2106d331-215f-45ce-8899-3c11a4c47a8c.json create mode 100644 malware/malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea.json create mode 100644 malware/malware--682044ae-1d33-445d-80d1-d923fade2663.json create mode 100644 malware/malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27.json create mode 100644 malware/malware--7d15a1bf-98dc-4da5-9867-15cba30ed3cc.json create mode 100644 malware/malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1.json create mode 100644 malware/malware--8d5ffd62-8943-4426-8191-f66ab5881da8.json create mode 100644 malware/malware--8e60252b-1708-4809-8384-ca8937936aff.json create mode 100644 malware/malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c.json create mode 100644 malware/malware--9168de31-46b0-4c9f-9e20-77e77e78a0ab.json create mode 100644 malware/malware--92c8c384-839c-40a2-b58d-3af2ee3f1938.json create mode 100644 malware/malware--a0008d7c-30f1-43f7-a798-50552e1fa282.json create mode 100644 malware/malware--a8688d54-9b39-4fad-bff9-b7bf8c5c146f.json create mode 100644 malware/malware--ab86ee1d-8789-4357-aff2-d6fec9434952.json create mode 100644 malware/malware--b3fd453e-0c69-46ab-9138-e8eca8585173.json create mode 100644 malware/malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf.json create mode 100644 malware/malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1.json create mode 100644 malware/malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10.json create mode 100644 malware/malware--dc90c5ae-c90c-4733-a9c4-c3a2a6bea3e1.json create mode 100644 malware/malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed.json create mode 100644 
malware/malware--eee42dbc-18ca-4db7-9115-672245d8893d.json create mode 100644 malware/malware--f79355e1-6d17-4d9a-83f7-6d3a985bddb4.json create mode 100644 marking-definition/marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3.json create mode 100644 mbc.json create mode 100644 relationship/relationship--00861a6a-98ef-40f5-9924-c94c7c5da687.json create mode 100644 relationship/relationship--0271a731-326d-4b76-a995-452be084fc08.json create mode 100644 relationship/relationship--03ea3cb9-b2c8-4b14-a2e2-eb0c0a49703b.json create mode 100644 relationship/relationship--0838a352-fc2b-4276-b695-d1a1d0a47b75.json create mode 100644 relationship/relationship--08df9329-0616-4d5d-a3fb-841d730e9dda.json create mode 100644 relationship/relationship--0a294da3-8126-46ed-8d67-c8a900292db6.json create mode 100644 relationship/relationship--0b197be9-3d5f-4637-ba41-f0e340e89c2c.json create mode 100644 relationship/relationship--0d5cdb32-036b-4814-8d02-11f4f352a41b.json create mode 100644 relationship/relationship--126606a9-73e6-4a96-8088-d571c892d327.json create mode 100644 relationship/relationship--12a31d2d-43a3-4be5-8506-f33663f8779f.json create mode 100644 relationship/relationship--1712108b-3fb2-4c60-a384-6386ba7022bb.json create mode 100644 relationship/relationship--182afaab-258e-4066-b106-3403de92e242.json create mode 100644 relationship/relationship--1a213e38-6637-4d70-996c-0d25fe9e265c.json create mode 100644 relationship/relationship--1b3ebeae-0af7-4fa9-b6b3-21def04888a4.json create mode 100644 relationship/relationship--1b4fce12-c45c-4fab-bfb7-0be41a5bf1b9.json create mode 100644 relationship/relationship--1b7ca247-1884-4cc7-88cf-3569d401b335.json create mode 100644 relationship/relationship--1dd10259-f49a-4d1a-b62f-6de3835552c4.json create mode 100644 relationship/relationship--1e87f811-e730-4637-a3f8-a67371159204.json create mode 100644 relationship/relationship--2972cdc6-b3ca-4e3e-83e4-13dd1bf87b26.json create mode 100644 
relationship/relationship--29b956ba-bbd9-4f8b-b695-52e25c9ea4cf.json create mode 100644 relationship/relationship--2a8e2dc1-0eec-478f-b471-3dfb2c13251b.json create mode 100644 relationship/relationship--2b7bf5d7-79d6-4ba8-a1dc-ac58cc738c90.json create mode 100644 relationship/relationship--2bfea226-1e7f-452b-ac36-8a26d7750c44.json create mode 100644 relationship/relationship--2d589d43-d781-43ae-853a-7a04078f4160.json create mode 100644 relationship/relationship--31972647-852d-41bc-951c-5063826362b7.json create mode 100644 relationship/relationship--3707f258-e5c2-4cf0-90ec-19fb4baf018c.json create mode 100644 relationship/relationship--39372d95-3507-4917-ae07-6275ee827aba.json create mode 100644 relationship/relationship--3c6be01e-c2de-4835-b120-59da1e07d50e.json create mode 100644 relationship/relationship--3ccc155b-01ca-4b82-aece-60801b8c42c4.json create mode 100644 relationship/relationship--3d70b808-f176-4620-aa53-fcc439081994.json create mode 100644 relationship/relationship--3fea9f25-65a5-4bc3-924d-34a3f310f722.json create mode 100644 relationship/relationship--41619001-1af7-4b97-babd-9c21c827e1d2.json create mode 100644 relationship/relationship--416b4a88-11a1-4632-941b-ade357252d0d.json create mode 100644 relationship/relationship--4438daa4-c88a-40ba-92e3-d80343538108.json create mode 100644 relationship/relationship--44515a0f-4716-40ef-b5d5-177849ce6987.json create mode 100644 relationship/relationship--461ef403-0bd0-49cd-88bc-5bfc426e6b23.json create mode 100644 relationship/relationship--464326e8-1ec2-425b-9557-bd00281078d6.json create mode 100644 relationship/relationship--4ced5121-d085-49b3-b6ab-311ca722b46a.json create mode 100644 relationship/relationship--4d63f713-2d38-40c3-a744-bd12bbd8499b.json create mode 100644 relationship/relationship--510fcbf4-e832-43d7-8628-26724bdc4539.json create mode 100644 relationship/relationship--53a75251-5474-4d56-bc67-116adc9cf33b.json create mode 100644 
relationship/relationship--57a27587-537b-48d4-ace1-dc1d07321776.json create mode 100644 relationship/relationship--5b129221-9159-488d-8460-c966b836328f.json create mode 100644 relationship/relationship--5b69f0d0-62e7-4f27-acce-41d1d0ed417c.json create mode 100644 relationship/relationship--5efcecab-ca74-4c8f-a884-68f8709b072b.json create mode 100644 relationship/relationship--5f9c9726-82c0-4876-937d-52e66ef739db.json create mode 100644 relationship/relationship--6108db13-e957-41b2-a22c-c1abf26df815.json create mode 100644 relationship/relationship--643e9a29-3802-4725-8fd8-ebd05f804502.json create mode 100644 relationship/relationship--64c5969c-f0b7-4d5e-97e5-a0ba0d9eb235.json create mode 100644 relationship/relationship--679a082a-d6b4-4478-a4d5-1a8dc972b211.json create mode 100644 relationship/relationship--6a361003-f6c0-430e-8db6-5f8f2ac422ee.json create mode 100644 relationship/relationship--6b15a47c-add7-407e-866c-455b82eb5206.json create mode 100644 relationship/relationship--6c01abcc-9ec4-4294-b39b-c3aad259c796.json create mode 100644 relationship/relationship--6cfc5694-2afb-4727-9af1-3bdf4688947e.json create mode 100644 relationship/relationship--6dfe86f6-1818-4108-aca9-e49c819192b4.json create mode 100644 relationship/relationship--70293730-edee-424a-aaaf-19f18a2ebd02.json create mode 100644 relationship/relationship--76c22659-341c-4ef5-9dd9-dee2d9f9b96a.json create mode 100644 relationship/relationship--7c232b17-6421-4459-bbca-410f7660a760.json create mode 100644 relationship/relationship--80a8579e-8f8a-45f1-b745-6254f77b1a8b.json create mode 100644 relationship/relationship--80dcb928-b50d-4ee7-8c26-369660f041de.json create mode 100644 relationship/relationship--8358a935-9460-42a9-bfbc-31653fb1a3e5.json create mode 100644 relationship/relationship--8ce0a9c1-7392-4877-b6ed-6023f0dcacec.json create mode 100644 relationship/relationship--8d7e7aeb-c462-4051-aff0-4f526ccfa699.json create mode 100644 
relationship/relationship--8dece164-935e-4939-9fbe-483f3baedc4a.json create mode 100644 relationship/relationship--8fce710f-5023-4a45-ac3a-c4ace1c7d0dd.json create mode 100644 relationship/relationship--90c677fd-2dab-4eda-9b84-d8028de953de.json create mode 100644 relationship/relationship--913ac448-0c3d-4856-90a4-6273865eb381.json create mode 100644 relationship/relationship--9277a5c2-8988-46dc-87d2-20359be28def.json create mode 100644 relationship/relationship--928e6604-a7d3-436c-a7fe-97f1ca278a5d.json create mode 100644 relationship/relationship--941e3c16-3412-46d6-86e1-55372dbc3fcd.json create mode 100644 relationship/relationship--943fd319-6d73-41b0-a01f-b45474c5be87.json create mode 100644 relationship/relationship--97175b7c-fb76-4aa4-bcbf-89c5ab1d44b9.json create mode 100644 relationship/relationship--9b7fde5e-600c-4214-9714-1247c4ea5260.json create mode 100644 relationship/relationship--9ea77314-a832-4920-9716-35381b728892.json create mode 100644 relationship/relationship--9ff32dae-46f3-4061-82b9-e7197b4ae30d.json create mode 100644 relationship/relationship--a3218798-6c62-458a-8f6b-0fcd127ca4e8.json create mode 100644 relationship/relationship--a7588119-f565-4489-9512-db956975c1f5.json create mode 100644 relationship/relationship--a867e78a-e15d-40be-9cf1-6f746531eb44.json create mode 100644 relationship/relationship--a9c1d8df-3732-4e6e-a7bf-6be0821fae73.json create mode 100644 relationship/relationship--abc3029d-06b2-4048-a14d-2ef0a1bf8ea3.json create mode 100644 relationship/relationship--ac6d1a10-221a-49aa-9f6a-84a528d565d1.json create mode 100644 relationship/relationship--ad5b898c-6553-46a7-99dc-f51dcdef9b45.json create mode 100644 relationship/relationship--b082f098-c65c-433d-a9f1-6634c2a07f57.json create mode 100644 relationship/relationship--b2442af2-272c-42e5-94b6-ac52bbbd1a5c.json create mode 100644 relationship/relationship--b28c0897-acb5-4205-8210-eb7c1d420789.json create mode 100644 
relationship/relationship--b43c677a-dd98-4545-8e4e-118ae78050ff.json create mode 100644 relationship/relationship--b53918d6-524a-408a-b79f-ccd56bd6950e.json create mode 100644 relationship/relationship--b7947355-7dfc-4ef4-9f62-efb0c755a48f.json create mode 100644 relationship/relationship--b7bcccb7-045a-4b97-9b07-f63afb868095.json create mode 100644 relationship/relationship--b7c12079-a65e-4901-8849-59f138da35e6.json create mode 100644 relationship/relationship--baaa5c93-f948-4e2c-81ca-6f33a86409c3.json create mode 100644 relationship/relationship--bfec970e-c03a-4732-857b-e636c78d01e0.json create mode 100644 relationship/relationship--cb13515b-a198-41ab-ac0b-8be56c0f099f.json create mode 100644 relationship/relationship--d4df8105-8510-4675-a9c8-bbcd6bbacd53.json create mode 100644 relationship/relationship--daaf4264-4102-4737-a69a-d68e315479ac.json create mode 100644 relationship/relationship--dbd0c7c0-889e-4742-9f47-793d7ece67dc.json create mode 100644 relationship/relationship--de086192-07b7-4aa9-a479-c1098d63d9ed.json create mode 100644 relationship/relationship--e1580aaa-d87b-4528-bcd6-148cf44bdb8f.json create mode 100644 relationship/relationship--e1f2529b-4a72-460e-b1a7-3fb7852b99e7.json create mode 100644 relationship/relationship--e21d1d26-eade-424b-a7ac-f720826591df.json create mode 100644 relationship/relationship--e28f5300-c580-49dd-99fb-cd32aaf69be8.json create mode 100644 relationship/relationship--e2aff5f4-7996-4332-b538-2b936ac8f229.json create mode 100644 relationship/relationship--ec166b67-9034-406a-9df3-cc026fa58801.json create mode 100644 relationship/relationship--f5d16822-4a48-4d9c-944e-67ef45a59d48.json create mode 100644 relationship/relationship--f74ca922-715f-431d-a2c8-f22d299306aa.json create mode 100644 relationship/relationship--f758c224-450b-42b0-b54a-d0d4dcb41ac6.json create mode 100644 relationship/relationship--fde7d5f5-6e64-469f-a3d0-5f06e337374a.json create mode 100644 
x-mitre-matrix/x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6.json create mode 100644 x-mitre-tactic/x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828.json create mode 100644 x-mitre-tactic/x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153.json create mode 100644 x-mitre-tactic/x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6.json create mode 100644 x-mitre-tactic/x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898.json create mode 100644 x-mitre-tactic/x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589.json create mode 100644 x-mitre-tactic/x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343.json create mode 100644 x-mitre-tactic/x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a.json create mode 100644 x-mitre-tactic/x-mitre-tactic--97051199-043f-4e26-b548-beeccdd7be3e.json create mode 100644 x-mitre-tactic/x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2.json create mode 100644 x-mitre-tactic/x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa.json create mode 100644 x-mitre-tactic/x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906.json create mode 100644 x-mitre-tactic/x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3.json create mode 100644 x-mitre-tactic/x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e.json create mode 100644 x-mitre-tactic/x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..480d70c5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,131 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+# However, in case of collaboration, if having platform-specific dependencies or dependencies
+# having no cross-platform support, pipenv may install dependencies that don't work, or not
+# install all needed dependencies.
+#Pipfile.lock
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# IDEs
+.vscode
+
+*.tar.gz
+
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/LICENSE.txt 
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship.
For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License.
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of
the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty.
Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/README.md b/README.md
index c55b7a6c..af4cd733 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,13 @@
-# mbc-stix2
-MBC expressed in STIX 2.0 JSON
+# Malware Behavior Catalog Expressed in STIX 2.1 #
+
+*The Malware Behavior Catalog has been expressed in STIX 2.1 JSON using the STIX 2.1 Committee Specification Draft 03 (CSD03). After STIX 2.1 is established as a Committee Specification (CS), this content will be updated as needed.*
+
+## Malware Behavior Catalog ##
+
+The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting. Please see the [FAQ](https://github.com/MBCProject/mbc-markdown/blob/master/yfaq/README.md) page for answers to common questions.
+
+## STIX ##
+[Structured Threat Information Expression](https://oasis-open.github.io/cti-documentation/) (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another, including malware analysis information, in a consistent and machine readable manner.
+
+## MBC and STIX ##
+Details on how MBC data maps to STIX 2.1, as well as information on how to query and manipulate MBC data, is given in [USAGE.md](https://github.com/MBCProject/mbc-stix2/blob/master/USAGE.md).
\ No newline at end of file
diff --git a/USAGE.md b/USAGE.md
new file mode 100644
index 00000000..3d08fa28
--- /dev/null
+++ b/USAGE.md
@@ -0,0 +1,181 @@
+# Introduction
+Machine-readable Malware Behavior Catalog (MBC) data is available via a JSON-based [STIX 2.1](https://oasis-open.github.io/cti-documentation/stix/intro) format. *MBC has been expressed in STIX 2.1 JSON using the STIX 2.1 Committee Specification Draft 03 (CSD03). After STIX 2.1 is established as a Committee Specification (CS), the content will be updated as needed.*
+
+The sections below describes how MBC objects and properties map to STIX 2.1 objects and properties. It is assumed that the reader is familiar with STIX.
+
+## MBC Concepts
+The following table maps MBC high-level concepts to STIX 2.1 objects. The STIX object types shown are literal strings captured in the **type** property of the STIX object.
+
+**MBC Concept** | **STIX Object Type** | **Notes**
+----------------|----------------------|------------
+Objective | `x-mitre-tactic` | MBC objectives (similar to ATT&CK tactics) are captured using a custom object of type `x-mitre-tactic`, which was defined to capture ATT&CK tactics. Using it instead of defining a new "x-mitre-objective" object enables ATT&CK users to more easily use MBC.
+Behavior | `attack-pattern` | MBC behaviors (similar to ATT&CK techniques) are captured using the STIX Attack Pattern object.
+Malware | `malware` | MBC malware examples (aligns with ATT&CK's malware concept) are captured using the STIX Malware object.
+
+## MBC Content
+
+The following tables map MBC content to STIX 2.1 properties within each of the STIX object types.
+
+Properties required by all STIX objects are included in the examples but are not included in the property tables (e.g., **id**, **created**, etc.). Properties required by the STIX object are included in the property table with no corresponding MBC property.
+
+### Objectives
+An MBC Objective is captured in a custom object of type `x-mitre-tactic` via the following properties.
+
+**MBC Property** | **STIX Property**
+---------------- | -----------------
+Name | **name**
+ -- | **x_mitre_shortname** (referenced by Attack Pattern objects (MBC behaviors))
+ID | **external_references.external_id** where *external_references.source_name* == "mitre-mbc"
+Description | **description**
+References - description | **external_references.description** where *external_references.source_name* == "external_source"
+References - url | **external_references.url** where *external_references.source_name* == "external_source"
+
+**Example:**
+
+```json
+ {
+ "type": "x-mitre-tactic",
+ "spec_version": "2.1",
+ "id": "x-mitre-tactic--746a2a9f-d463-43da-87b1-2eada9a458a6",
+ "created": "2020-01-28T21:09:20.220Z",
+ "modified": "2020-01-28T21:09:20.220Z",
+ "name": "Anti-Behavioral Analysis",
+ "x_mitre_shortname": "anti-behavioral-analysis",
+ "description": "Behaviors that prevent, obstruct, or evade behavioral analysis (sandbox, debugger, etc)...",
+ "external_references": [
+ {
+ "source_name": "external_source",
+ "description": "Unprotect Project, a database about malware self-defense and protection.",
+ "url": "http://unprotect.tdgt.org/index.php/Unprotect_Project"
+ },
+ {
+ "source_name": "mitre-mbc",
+ "external_id": "M9001",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/README.md"
+ }
+ ],
+ }
+```
+
+### Behaviors
+An MBC behavior is captured in a STIX Attack Pattern object (`attack-pattern`) via the following properties:
+
+**MBC Property** | **STIX Property**
+---------------- | -----------------
+Behavior Name | **name**
+ID | **external_references.external_id** where *external_references.source_name* == "mitre-mbc"
+Description | **description**
+Associated MBC Objective(s) | **kill_chain_phases.kill_chain_phase.phase_name** where *kill_chain_phases.kill_chain_name* == "mitre-mbc"
+Related ATT&CK Technique(s) - ID | **external_references.external_id** where *external_references.source_name* == 
"mitre-attack"
+Related ATT&CK Technique(s) - url | **external_references.url** where *external_references.source_name* == "mitre-attack"
+Method(s) - name | **x_mitre_methods.name** where *x_mitre_methods* is a custom property defined to capture MBC methods
+Method(s) - description | **x_mitre_methods.definition**
+Reference(s) - url | **external_references.url** where *external_references.source_name* == "external_source"
+
+**Example:**
+
+```json
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--c2b0f8ba-c26a-4590-a19f-82ea28f5ed1d",
+ "created": "2020-01-28T21:09:20.322Z",
+ "modified": "2020-01-28T21:09:20.322Z",
+ "name": "Sandbox Detection",
+ "description": "Detects whether the malware instance is being executed inside an instrumented sandbox environment...",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/detect-sandbox.md",
+ "external_id": "M0007"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://github.com/LordNoteworthy/al-khaser"
+ }
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Checks clipboard data which can be used to detect whether execution is inside a sandbox.",
+ "name": "Check Clipboard Data"
+ },
+ {
+ "definition": "Sandboxes create files on the file system. 
Malware can check the different folders to find sandbox artifacts.",
+ "name": "Check Files"
+ }
+ ]
+ }
+```
+
+### Malware
+Malware is captured with a STIX Malware object (`malware`) via the following properties:
+
+MBC Property | STIX Property
+--------------- | ---------------
+Name | **name**
+ID | **external_references.external_id** where *external_references.source_name* == "mitre-mbc"
+Alias(es) | **x_mitre_aliases**
+Platform(s) | **x_mitre_platform**
+Year | **x_mitre_year**
+Description | **description**
+Reference(s) - url | **external_references.url** where *external_references.source_name* == "external_source"
+-- | **malware_types** where value == "unknown" (required in STIX 2.1)
+-- | **is_family** where value == "true" (required in STIX 2.1)
+
+**Example:**
+
+```json
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--b559872a-a3c4-4adf-92c7-d4e79d02a24a",
+ "created": "2020-01-28T21:09:21.242Z",
+ "modified": "2020-01-28T21:09:21.242Z",
+ "name": "Kraken",
+ "description": "Kraken is a family of bots.",
+ "malware_types": ["unknown"],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/kraken.md",
+ "external_id": "X0010"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html"
+ }
+ ],
+ "x_mitre_aliases": ["Bobax"],
+ "x_mitre_platform": ["Windows"],
+ "x_mitre_year": "2008"
+ }
+```
+
+## Malware and Behavior Relationships
+MBC captures relationships between malware and the behaviors the malware exhibits. These relationships are captured as STIX Relationship Objects (SRO) where the source of the SRO is the malware object and the target of the SRO is the attack pattern object (behavior). 
+
+**Example:**
+
+```json
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--5a75909d-89f5-4d86-93be-758fab713af3",
+ "created": "2020-01-28T21:09:21.331Z",
+ "modified": "2020-01-28T21:09:21.331Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--1a1054d0-616f-4968-9384-70c77293ca83",
+ "target_ref": "attack-pattern--af6955dd-e692-467b-804b-fe160306f2ac",
+}
+```
+
+# Accessing MBC Data Using Python
+
+MBC data stored in a STIX 2.1 repository can be queried and manipulated similarly to how ATT&CK data is queried and manipulated. Please see the Section entitled, "Using Python and STIX 2.0" in the [STIX usage document](https://github.com/mitre/cti/blob/master/USAGE.md) for details.
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1.json b/attack-pattern/attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1.json
new file mode 100644
index 00000000..d9f1412b
--- /dev/null
+++ b/attack-pattern/attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1.json
@@ -0,0 +1,54 @@
+{
+ "type": "bundle",
+ "id": "bundle--eae70dbc-d234-4de2-bc48-319259a2d979",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.298Z",
+ "modified": "2020-02-05T20:28:15.298Z",
+ "name": "Send Email",
+ "description": "Sends an email message from the system on which the malware is executing to one or more recipients, mostly commonly for the purpose of spamming or for distributing a malicious attachment or URL (malspamming).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/send-email.md",
+ "external_id": "M0020"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1193",
+ "external_id": "T1193"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1192",
+ "external_id": "T1192"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--0202a028-471b-47c1-9723-0457934a50f3.json b/attack-pattern/attack-pattern--0202a028-471b-47c1-9723-0457934a50f3.json
new file mode 100644
index 00000000..61e29475
--- /dev/null
+++ b/attack-pattern/attack-pattern--0202a028-471b-47c1-9723-0457934a50f3.json
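Review bot: The object's `created_by_ref` (identity--b73c59c1-…) and `object_marking_refs` (marking-definition--093b6375-…) point at objects that are not part of this bundle, and every bundle in this change follows the same one-object-per-file layout. STIX 2.1 permits unresolved references, but a consumer that enforces referential integrity on load (or that needs the marking to know what it may redistribute) will fail or silently drop the marking unless those two objects ship elsewhere in the release; I cannot see them in this chunk, so either confirm they are committed or say in USAGE.md where they come from. Separately, the description reads `mostly commonly for the purpose of spamming`; it should be `most commonly for the purpose of spamming`.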
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--b3fb55e9-3c81-4b9e-bbd3-302f6120dae3",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--0202a028-471b-47c1-9723-0457934a50f3",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.498Z",
+ "modified": "2020-02-05T20:28:15.498Z",
+ "name": "Compromise Data Integrity",
+ "description": "Data stored on the file system of a compromised system is manipulated to compromise its integrity.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/compromise-data.md",
+ "external_id": "M0016"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1492/",
+ "external_id": "T1492"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628.json b/attack-pattern/attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628.json
new file mode 100644
index 00000000..363fd871
--- /dev/null
+++ b/attack-pattern/attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628.json
@@ -0,0 +1,45 @@
+{
+ "type": "bundle",
+ "id": "bundle--f486b676-af65-4f0b-8006-217ee3e59ae5",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.368Z",
+ "modified": "2020-02-05T20:28:15.368Z",
+ "name": "Modify Registry",
+ "description": "Malware may make changes to the Windows Registry to hide execution or to persist on the system (note that ATT&CK does not extend this behavior to the Persistence objective).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/modify-reg.md",
+ "external_id": "E1112"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1112",
+ "external_id": "T1112"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--03b4fd1e-96db-4c28-b9c7-18ef0510c129.json b/attack-pattern/attack-pattern--03b4fd1e-96db-4c28-b9c7-18ef0510c129.json
new file mode 100644
index 00000000..c2458d7b
--- /dev/null
+++ b/attack-pattern/attack-pattern--03b4fd1e-96db-4c28-b9c7-18ef0510c129.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--40de1350-6816-494a-8a7a-0e5b722ddab2",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--03b4fd1e-96db-4c28-b9c7-18ef0510c129",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.216Z",
+ "modified": "2020-02-05T20:28:15.216Z",
+ "name": "Security Software Discovery",
+ "description": "Malware may try to get a listing of security software or defensive tools installed on the system. Note that security software aims to *detect/mitigate* malware on a system whereas analysis tools (see [Analysis Tool Discovery](https://github.com/MBCProject/mbc-markdown/blob/master/discovery/analysis-tool-discover.md)) are used to *analyze* malware.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/security-sw-discover.md",
+ "external_id": "T1063"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1063",
+ "external_id": "T1063"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--05dab55a-36c8-47d0-9a60-28f19fe18cdf.json b/attack-pattern/attack-pattern--05dab55a-36c8-47d0-9a60-28f19fe18cdf.json
new file mode 100644
index 00000000..ceef0dea
--- /dev/null
+++ b/attack-pattern/attack-pattern--05dab55a-36c8-47d0-9a60-28f19fe18cdf.json
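Review bot: The `mitre-mbc` reference carries `"external_id": "T1063"`, the same value as the `mitre-attack` reference below it, so a consumer that identifies MBC behaviors by external_id alone cannot tell this row from the ATT&CK technique; the other files in this change use M- (M0020, M0016) or E- (E1112, E1022) prefixed IDs for the MBC reference. If reusing the ATT&CK identifier for behaviors adopted unchanged is intentional, that convention (M = MBC-only, E = ATT&CK extended by MBC, T = ATT&CK as-is, or whatever the actual rule is) should be stated in USAGE.md, whose ID row only says "external_id where source_name == mitre-mbc" and gives no hint that a T-prefixed value can appear there. If it is not intentional, the MBC ID here needs to be assigned.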
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--a6723aa6-b956-4e0c-a341-2085f12893ea",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--05dab55a-36c8-47d0-9a60-28f19fe18cdf",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.335Z",
+ "modified": "2020-02-05T20:28:15.335Z",
+ "name": "Data Encrypted",
+ "description": "Malware may obfuscate data via encryption or encoding before exfiltration.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "exfiltration"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/data-encrypted.md",
+ "external_id": "E1022"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1022/",
+ "external_id": "T1022"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e.json b/attack-pattern/attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e.json
new file mode 100644
index 00000000..569db196
--- /dev/null
+++ b/attack-pattern/attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--45ca5e31-7fde-4a9c-a3d8-00594df32885",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.416Z",
+ "modified": "2020-02-05T20:28:15.416Z",
+ "name": "Deobfuscate/Decode Files or Information",
+ "description": "This behavior is the counterpart to [Obfuscated Files or Information](https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/obfuscate-files.md), which is used to hide artifacts of an intrusion.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/deobfuscate-files.md",
+ "external_id": "T1140"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1140",
+ "external_id": "T1140"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--068759bf-7db6-431f-aeeb-01f6034eae22.json b/attack-pattern/attack-pattern--068759bf-7db6-431f-aeeb-01f6034eae22.json
new file mode 100644
index 00000000..07711eba
--- /dev/null
+++ b/attack-pattern/attack-pattern--068759bf-7db6-431f-aeeb-01f6034eae22.json
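Review bot: The description never says what this behavior is; it only says it is the counterpart of Obfuscated Files or Information, so an analyst labeling a sample from the STIX data alone has nothing to match against. A leading sentence that states the behavior itself would fix that, e.g. `"description": "Malware may decode or decrypt files or information that were obfuscated (for example, a packed or encrypted payload) before using them at run time. This behavior is the counterpart to [Obfuscated Files or Information](...), which is used to hide artifacts of an intrusion.",`. The exact wording should come from the mbc-markdown page this object is generated from, if that page has one.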
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--2c94c3ed-c99b-4563-8f14-9b976c0664b9",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--068759bf-7db6-431f-aeeb-01f6034eae22",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.349Z",
+ "modified": "2020-02-05T20:28:15.349Z",
+ "name": "Indirect Command Execution",
+ "description": "Malware may may use Windows utilities to execute commands.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/indirect-command.md",
+ "external_id": "T1202"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1202",
+ "external_id": "T1202"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--0bee0786-1469-4d9d-8887-acd8fb6fe95e.json b/attack-pattern/attack-pattern--0bee0786-1469-4d9d-8887-acd8fb6fe95e.json
new file mode 100644
index 00000000..ae2152e1
--- /dev/null
+++ b/attack-pattern/attack-pattern--0bee0786-1469-4d9d-8887-acd8fb6fe95e.json
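Review bot: The description has a doubled word, `Malware may may use Windows utilities to execute commands.`, and since these files appear to be generated from mbc-markdown the typo most likely lives in the markdown source too. As written the sentence also does not say what makes the execution "indirect" or why it is filed under defense-evasion; `"description": "Malware may use Windows utilities to execute commands without invoking the command interpreter directly, which can evade detections keyed on cmd.exe or PowerShell.",` would carry that intent, but align it with whatever the markdown page says.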
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--c591d577-33da-429b-a67e-7ef62568f9b6",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--0bee0786-1469-4d9d-8887-acd8fb6fe95e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.248Z",
+ "modified": "2020-02-05T20:28:15.248Z",
+ "name": "Connection Proxy",
+ "description": "Malware may use a connection proxy to manage command and control communications.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/connect-proxy.md",
+ "external_id": "T1090"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1090/",
+ "external_id": "T1090"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98.json b/attack-pattern/attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98.json
new file mode 100644
index 00000000..87ce3723
--- /dev/null
+++ b/attack-pattern/attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98.json
@@ -0,0 +1,49 @@
+{
+ "type": "bundle",
+ "id": "bundle--097bf354-1216-456c-b288-812189d0036f",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.245Z",
+ "modified": "2020-02-05T20:28:15.245Z",
+ "name": "Remote File Copy",
+ "description": "Malware may copy files from one system to another.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/remote-file-copy.md",
+ "external_id": "E1105"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1105/",
+ "external_id": "T1105"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--0d36eb1b-4454-435f-9e8c-285d235341c7.json b/attack-pattern/attack-pattern--0d36eb1b-4454-435f-9e8c-285d235341c7.json
new file mode 100644
index 00000000..0a12b49d
--- /dev/null
+++ b/attack-pattern/attack-pattern--0d36eb1b-4454-435f-9e8c-285d235341c7.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--9d650ac4-a6dd-4231-bd22-6f05d3047280",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--0d36eb1b-4454-435f-9e8c-285d235341c7",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.122Z",
+ "modified": "2020-02-05T20:28:15.122Z",
+ "name": "Data from Removable Media",
+ "description": "Malware collects from removable media connected to the compromised system.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/data-removable-media.md",
+ "external_id": "T1025"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1025/",
+ "external_id": "T1025"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--0dde3fa0-8e37-413d-bbe8-f75428801408.json b/attack-pattern/attack-pattern--0dde3fa0-8e37-413d-bbe8-f75428801408.json
new file mode 100644
index 00000000..795b85c8
--- /dev/null
+++ b/attack-pattern/attack-pattern--0dde3fa0-8e37-413d-bbe8-f75428801408.json
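Review bot: The description is missing its object: `Malware collects from removable media connected to the compromised system.` does not say what is collected. `"description": "Malware collects data from removable media connected to the compromised system.",` matches the object's name and the ATT&CK technique it references; if the files are generated, fix the sentence in the mbc-markdown source as well so the next regeneration does not reintroduce it.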
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--78e8210f-bed2-4234-ab76-17c8ac26ebde",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--0dde3fa0-8e37-413d-bbe8-f75428801408",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.142Z",
+ "modified": "2020-02-05T20:28:15.142Z",
+ "name": "Capture SMS Messages",
+ "description": "Malware captures data sent via SMS (e.g., authentication credentials).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/capture-sms.md",
+ "external_id": "T1412"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1412/",
+ "external_id": "T1412"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--101d8709-b8d4-4604-a835-b122f1ecb227.json b/attack-pattern/attack-pattern--101d8709-b8d4-4604-a835-b122f1ecb227.json
new file mode 100644
index 00000000..f972837b
--- /dev/null
+++ b/attack-pattern/attack-pattern--101d8709-b8d4-4604-a835-b122f1ecb227.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--9311d4cf-17ae-425c-b988-86f7965ee8d6",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--101d8709-b8d4-4604-a835-b122f1ecb227",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.319Z",
+ "modified": "2020-02-05T20:28:15.319Z",
+ "name": "New Service",
+ "description": "Malware may install a new service to gain persistence or to escalate privileges (from administrator to SYSTEM).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/new-service.md",
+ "external_id": "T1050"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1050",
+ "external_id": "T1050"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e.json b/attack-pattern/attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e.json
new file mode 100644
index 00000000..853ee9a1
--- /dev/null
+++ b/attack-pattern/attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e.json
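Review bot: The description says the service may be installed "to escalate privileges (from administrator to SYSTEM)", but `kill_chain_phases` lists only `persistence`, so a query for behaviors in the privilege-escalation objective will not return this object even though its own text claims that use. The Image File Execution Options Injection object in this same change carries both `persistence` and `privilege-escalation` phases for a comparably dual-purpose behavior, so either add `{ "kill_chain_name": "mitre-mbc", "phase_name": "privilege-escalation" }` here or drop the escalation clause from the description; which one is right depends on how MBC scopes the behavior, which I cannot see from this file.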
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--0362ab78-a116-4314-a790-3b65b6e3a835",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.354Z",
+ "modified": "2020-02-05T20:28:15.354Z",
+ "name": "Obfuscated Files or Information",
+ "description": "Malware may make files or information difficult to discover or analyze by encoding, encrypting, or otherwise obfuscating the content. In addition, a malware sample itself can be encoded or encrypted (i.e., encoding/encryption is a code characteristic).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/obfuscate-files.md",
+ "external_id": "E1027"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1027",
+ "external_id": "T1027"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "",
+ "name": "Encoding"
+ },
+ {
+ "definition": "* *Standard Encryption*: A standard algorithm, such as Rijndael/AES, DES, RC4, is used to encrypt an executable file. Encryption hinders static analysis of malware code. Also known as **Code Encryption in File**.\n * *Standard Encryption of Code*: A standard encryption algorithm is used to encrypt a file's executable code, but not necessarily the file's data. \n * *Standard Encryption of Data*: A standard encryption algorithm is used to encrypt a file's data, but not necessarily the file's code. \n * *Custom Encryption*: A custom algorithm is used to encrypt an executable file. 
Encryption hinders static analysis of malware code. Also known as **Code Encryption in File**.\n * *Custom Encryption of Code*: A custom encryption algorithm is used to encrypt a file's executable code, but not necessarily the file's data.\n * *Custom Encryption of Data*: A custom encryption algorithm is used to encrypt a file's data, but not necessarily the file's code.",
+ "name": "Encryption"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--131c6f15-5bc4-4583-9b8d-ea06ef139d0b.json b/attack-pattern/attack-pattern--131c6f15-5bc4-4583-9b8d-ea06ef139d0b.json
new file mode 100644
index 00000000..656c915f
--- /dev/null
+++ b/attack-pattern/attack-pattern--131c6f15-5bc4-4583-9b8d-ea06ef139d0b.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--49a495fb-1074-449d-88ac-8d12b4b0a6eb",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--131c6f15-5bc4-4583-9b8d-ea06ef139d0b",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.481Z",
+ "modified": "2020-02-05T20:28:15.481Z",
+ "name": "Inhibit System Recovery",
+ "description": "Malware may delete OS data and turn off services designed to provide system recovery.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/inhibit-system-recovery.md",
+ "external_id": "T1490"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1490/",
+ "external_id": "T1490"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
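Review bot: The first `x_mitre_methods` entry carries `"definition": ""`, an empty string standing in for a missing value, so a consumer that renders or indexes method definitions gets a blank for "Encoding" instead of knowing the field is absent; either supply the definition or emit the entry as `{ "name": "Encoding" }` and let USAGE.md say that `definition` is optional. The "Encryption" entry goes the other way and packs six sub-methods (Standard Encryption, Standard Encryption of Code, …, Custom Encryption of Data) into one markdown bullet list inside a single string, which is exactly the structure `x_mitre_methods` (one `name`/`definition` pair per method, per USAGE.md) was introduced to model; one array element per sub-method would let them be matched by name. Both look like artifacts of how the markdown source is converted, so the fix probably belongs in the generator. The hunk for this object starts on the previous line.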
diff --git a/attack-pattern/attack-pattern--1341c511-1ecc-489b-902a-8a80577d2758.json b/attack-pattern/attack-pattern--1341c511-1ecc-489b-902a-8a80577d2758.json
new file mode 100644
index 00000000..aa9ba024
--- /dev/null
+++ b/attack-pattern/attack-pattern--1341c511-1ecc-489b-902a-8a80577d2758.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--b872de14-bffd-4690-884b-e529104ff82d",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--1341c511-1ecc-489b-902a-8a80577d2758",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.312Z",
+ "modified": "2020-02-05T20:28:15.312Z",
+ "name": "Change Default File Association",
+ "description": "Malware may change the file association selections (stored in the Windows Registry) to execute arbitrary commands.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/change-default-file-assoc.md",
+ "external_id": "T1042"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1042",
+ "external_id": "T1042"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--139411fc-5539-4254-825c-12a9d5b3973b.json b/attack-pattern/attack-pattern--139411fc-5539-4254-825c-12a9d5b3973b.json
new file mode 100644
index 00000000..76270b6a
--- /dev/null
+++ b/attack-pattern/attack-pattern--139411fc-5539-4254-825c-12a9d5b3973b.json
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--fd79c9e2-d2a0-4d8b-80af-2d18c828b4ac", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--139411fc-5539-4254-825c-12a9d5b3973b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.378Z", + "modified": "2020-02-05T20:28:15.378Z", + "name": "Image File Execution Options Injection", + "description": "Malware may use Image File Execution Options to launch a process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/image-file-exe-opt-inj.md", + "external_id": "T1183" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1183", + "external_id": "T1183" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727.json b/attack-pattern/attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727.json new file mode 100644 index 00000000..6cc3a4c7 --- /dev/null +++ b/attack-pattern/attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--5c6b797e-a04a-455a-b55b-e079f97df906", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.369Z", + "modified": "2020-02-05T20:28:15.369Z", + "name": "File Deletion", + "description": "Malware may remove dropped files or tools to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/file-deletion.md", + "external_id": "E1107" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1107", + "external_id": "T1107" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790.json b/attack-pattern/attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790.json new file mode 100644 index 00000000..74eb837e --- /dev/null +++ b/attack-pattern/attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790.json 
@@ -0,0 +1,99 @@ +{ + "type": "bundle", + "id": "bundle--748f027a-f18a-4fbd-bd66-55a8acf5bc30", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.150Z", + "modified": "2020-02-05T20:28:15.150Z", + "name": "Executable Code Obfuscation", + "description": "Executable code can be obfuscated to hinder disassembly and static code analysis. This behavior is specific to a malware sample's executable code (data and text sections).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/exe-code-obfuscate.md", + "external_id": "M0032" + }, + { + "source_name": "external_source", + "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" + }, + { + "source_name": "external_source", + "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/" + }, + { + "source_name": "external_source", + "description": "Rob Simmons, \"Comparing Malicious Files,\" BSides, 2019.", + "url": "http://www.irongeek.com/i.php?page=videos/bsidescharm2019/2-04-comparing-malicious-files-robert-simmons" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Instead of storing function names in the Import Address Table (IAT) and calling GetProcAddress, a DLL is loaded and the name of each of its exports is hashed until it matches a specific hash. Manual symbol resolution is then used to access and execute the exported function. This method is often used by shellcode because it reduces the size of each import from a human-readable string to a sequence of four bytes. 
The Method is also known as \"Imports by Hash\" and \"GET_APIS_WITH_CRC.\" [[1]](#1)", + "name": "API Hashing" + }, + { + "definition": "Insert code to impede disassembly.\n * *Dead Code Insertion*: Include \"dead\" code with no real functionality.\n * *Fake Code Insertion*: Add fake code similar to known packers or known goods to fool identification. Can confuse some automated unpackers.\n * *Jump Insertion*: Insert jumps to make analysis visually harder.\n * *Thunk Code Insertion*: Variation on Jump Insertion. Used by some compilers for user-generated functions.\n * *Junk Code Insertion*: Insert dummy code between relevant opcodes. Can make signature writing more complex.", + "name": "Code Insertion" + }, + { + "definition": "Obfuscate data values through indirection of local or global variables. For example, the instruction *if (a == 0) do x* can be obfuscated by setting a global variable, *Z*, to zero and using it in the instruction: *if (a==Z) do x*. [NEEDS REVIEW]", + "name": "Data Value Obfuscation" + }, + { + "definition": "Obfuscate the entry point of the malware executable.", + "name": "Entry Point Obfuscation" + }, + { + "definition": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", + "name": "Guard Pages" + }, + { + "definition": "Obfuscate the import address table.", + "name": "Import Address Table Obfuscation" + }, + { + "definition": "Store and load imports with a compact import table format. 
Each DLL needed by the executable is mentioned in the IAT, but only one function from each/most is imported; the rest are imported via GetProcAddress calls.", + "name": "Import Compression" + }, + { + "definition": "Jump after the first byte of an instruction to confuse disassembler.", + "name": "Instruction Overlap" + }, + { + "definition": "Split code into sections that may be rearranged and are connected by unconditional jumps.", + "name": "Interleaving Code" + }, + { + "definition": "Merge all sections resulting in just one entry in the sections table to make readability more difficult. May affect some detection signatures if written to be section dependent.", + "name": "Merged Code Sections" + }, + { + "definition": "", + "name": "Structured Exception Handling (SEH)" + }, + { + "definition": "Build and decrypt strings on the stack at each use, then discard to avoid obvious references.", + "name": "Stack Strings" + }, + { + "definition": "Remove or rename symbolic information commonly inserted by compilers for debugging purposes.", + "name": "Symbol Obfuscation" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--19965f2f-3091-4611-b5da-4f5351319b63.json b/attack-pattern/attack-pattern--19965f2f-3091-4611-b5da-4f5351319b63.json new file mode 100644 index 00000000..7cdb2af7 --- /dev/null +++ b/attack-pattern/attack-pattern--19965f2f-3091-4611-b5da-4f5351319b63.json 
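Review bot: The `Structured Exception Handling (SEH)` entry under `x_mitre_methods` ships with `"definition": ""`, and the `Data Value Obfuscation` definition still carries the editorial marker `[NEEDS REVIEW]`; neither belongs in a tagged release, so either populate the SEH definition from the mbc-markdown source or drop the entry until it is written, and remove the marker. The markdown footnote anchors `[[1]](#1)` in the `API Hashing` definition (and likewise in the description and method definitions of `attack-pattern--1afb3ce1-57db-46ae-9c89-5b8f36011b7b`) point at heading anchors that do not exist in a STIX bundle, so consumers render dead links; since the citations already live in `external_references`, drop the anchors or replace them with plain text such as `(see external reference 1)`. The `API Hashing` and `Import Compression` definitions also wrap inside their JSON strings where the hunk breaks; if that is a literal newline in the file rather than a rendering artifact it is invalid under RFC 8259 and must be escaped as `\n`.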
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--82690b49-fb5d-401c-9347-44f3fbfb01e6", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--19965f2f-3091-4611-b5da-4f5351319b63", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.130Z", + "modified": "2020-02-05T20:28:15.130Z", + "name": "Man in the Browser", + "description": "Malware leverages vulnerabilities and functionality in browser software to change content, modify behavior, and intercept information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/man-in-browser.md", + "external_id": "T1185" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1185/", + "external_id": "T1185" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--1a9f1c1d-2273-469c-98da-063594baa0d4.json b/attack-pattern/attack-pattern--1a9f1c1d-2273-469c-98da-063594baa0d4.json new file mode 100644 index 00000000..1f0ac57b --- /dev/null +++ b/attack-pattern/attack-pattern--1a9f1c1d-2273-469c-98da-063594baa0d4.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--25a779a9-9f84-4326-9a39-ed34e379809a", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1a9f1c1d-2273-469c-98da-063594baa0d4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.178Z", + "modified": "2020-02-05T20:28:15.178Z", + "name": "Execution Guardrails", + "description": "Malware may use execution guardrails (environmental conditions) to constrain execution. This behavior is related to the [Evade Dynamic Analysis](https://github.com/MBCProject/mbc-markdown/tree/master/anti-behavioral-analysis/evade-dynamic-analysis.md) behavior that obstructs dynamic analysis in a sandbox, emulator, or virtual machine.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/execution-guardrails.md", + "external_id": "E1480" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1480/", + "external_id": "T1480" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system. Also see Environmental Keys Method.", + "name": "Deposited Keys" + }, + { + "definition": "Malware reads certain attributes of the system (BIOS version string, hostname, MAC address, etc.) 
and encrypts/decrypts portions of its code or data using those attributes as input, thus preventing itself from being run on an unintended system (e.g., sandbox, emulator, etc.). Also see Deposited Keys Method.", + "name": "Environmental Keys" + }, + { + "definition": "This Windows API call is used to get the GUID on a system drive. Malware compares it to a previous (targeted) GUID value and only executes maliciously if they match. This behavior can be mitigated in non-automated analysis environments.", + "name": "GetVolumeInformation" + }, + { + "definition": "Compare a previously computed host fingerprint(e.g., based on installed applications) to the current system's to determine if the malware instance is still executing on the same system. If not, execution stops, making debugging or sandbox analysis more difficult.", + "name": "Host Fingerprint Check" + }, + { + "definition": "Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).", + "name": "Secure Triggers" + }, + { + "definition": "Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.). If the token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.), it is considered fingerprinting.", + "name": "Token Check" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--1ab23a6a-e131-4321-be30-7f3f3861dac0.json b/attack-pattern/attack-pattern--1ab23a6a-e131-4321-be30-7f3f3861dac0.json new file mode 100644 index 00000000..7c0f7ded --- /dev/null +++ b/attack-pattern/attack-pattern--1ab23a6a-e131-4321-be30-7f3f3861dac0.json 
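Review bot: Two definitions have grammar or typo slips: `Deposited Keys` reads `Parts of the code and/or data is encrypted` (should be `are encrypted`), and `Host Fingerprint Check` has `fingerprint(e.g.,` with no space before the parenthesis. The `GetVolumeInformation` definition says the call `is used to get the GUID on a system drive`; as far as I recall that Win32 function returns the volume label and serial number rather than a GUID, so the wording is worth confirming against the API documentation before the release cites it. The `description` link to evade-dynamic-analysis.md uses `tree/master` where every other reference in this release uses `blob/master`; `tree` on a file path only works by redirect, so use `blob/master` for consistency. The `Environmental Keys` definition also appears to wrap mid-string where the hunk breaks; if that is a real newline in the file it must be escaped as `\n` to stay valid JSON.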
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--949d828c-14ea-4258-b849-4337103b6735", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1ab23a6a-e131-4321-be30-7f3f3861dac0", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.275Z", + "modified": "2020-02-05T20:28:15.275Z", + "name": "Prevent Concurrent Execution", + "description": "To avoid running multiple instances of itself, malware may check a system to see if it is already running.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/prevent-concurrent-exe.md", + "external_id": "M0024" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_bagle.u" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--1afb3ce1-57db-46ae-9c89-5b8f36011b7b.json b/attack-pattern/attack-pattern--1afb3ce1-57db-46ae-9c89-5b8f36011b7b.json new file mode 100644 index 00000000..b39adf7f --- /dev/null +++ b/attack-pattern/attack-pattern--1afb3ce1-57db-46ae-9c89-5b8f36011b7b.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--e4d5f4f2-0955-4a5d-b8cf-80530a3adf59", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1afb3ce1-57db-46ae-9c89-5b8f36011b7b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.159Z", + "modified": "2020-02-05T20:28:15.159Z", + "name": "Call Graph Generation Evasion", + "description": "Malware code evades accurate call graph generation during disassembly. Call graphs are used by malware similarity tools and algorithms ([[1]](#1), [[4]](#4)), as well as for malware detection [[2]](#2).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/evade-call-graph.md", + "external_id": "M0010" + }, + { + "source_name": "external_source", + "description": "K. Blokhin, D. Mentis, J. Saxe, \"Malware Similarity Identification Using Call Graph Based System Call Subsequence Features,\" 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops, July 2013.", + "url": "https://www.researchgate.net/publication/269326967_Malware_Similarity_Identification_Using_Call_Graph_Based_System_Call_Subsequence_Features" + }, + { + "source_name": "external_source", + "description": "P. Deshpande, M. Stamp, \"Metamorphic Malware Detection Using Function Call Graph Analysis,\" MIS Review Vol. 21, Nos. 1/2, September(2015)/March(2016).", + "url": "https://pdfs.semanticscholar.org/8db2/69106ea6e1f59e4dac0889665dd3336ee9b1.pdf" + }, + { + "source_name": "external_source", + "url": "http://fumalwareanalysis.blogspot.com/2012/01/malware-analysis-tutorial-10-tricks-for.html" + }, + { + "source_name": "external_source", + "description": "S. Shang, N. Zheng, J. Xu, M. Xu, H. 
Zhang, \"Detecting Malware Variants via Function-call Graph Similarity,\" IEEE 2010 5th International Conference on Malicious and Unwanted Software, 2010.", + "url": "http://seclab.hdu.edu.cn/static/uploads/paper/10-05.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "two layer jumping confuses tools plotting call graphs. [[3]](#3)", + "name": "Two-layer Function Return" + }, + { + "definition": "invokes ntdll.dll functions without using an export table; an encoded translation table on the stack is used instead. [[3]](#3)", + "name": "Invoke NTDLL System Calls via Encoded Table" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--1bcad6e7-bdb9-4cb1-acd2-12c3ef0d16a6.json b/attack-pattern/attack-pattern--1bcad6e7-bdb9-4cb1-acd2-12c3ef0d16a6.json new file mode 100644 index 00000000..3be1e439 --- /dev/null +++ b/attack-pattern/attack-pattern--1bcad6e7-bdb9-4cb1-acd2-12c3ef0d16a6.json 
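Review bot: The two `x_mitre_methods` definitions in this bundle are lowercase fragments (`two layer jumping confuses tools plotting call graphs.`, `invokes ntdll.dll functions without using an export table; ...`) whereas every other method definition in this release is a capitalized sentence, so they read as unfinished; suggest `Two-layer jumping confuses tools plotting call graphs. [[3]](#3)` and `Invokes ntdll.dll functions without using an export table; ...`. Two of the reference URLs (`http://fumalwareanalysis.blogspot.com/...`, `http://seclab.hdu.edu.cn/...`) are plain HTTP; if an HTTPS version resolves, prefer it so readers following the citation are not served over a downgraded channel. The fourth external reference's `description` (`S. Shang, N. Zheng, ...`) also wraps mid-string where the hunk breaks; if that is a real newline in the file it must be escaped as `\n`.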
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--42e088f7-8792-4a01-9ab4-1ae3cbb06fc3", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1bcad6e7-bdb9-4cb1-acd2-12c3ef0d16a6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.399Z", + "modified": "2020-02-05T20:28:15.399Z", + "name": "TimeStomp", + "description": "Malware may modify the timestamps of a file to mimic files in the same folder and avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/timestomp.md", + "external_id": "T1099" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1099", + "external_id": "T1099" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--1c4e8b61-bdb4-4ff5-bbf2-10dda4b276da.json b/attack-pattern/attack-pattern--1c4e8b61-bdb4-4ff5-bbf2-10dda4b276da.json new file mode 100644 index 00000000..c27d635e --- /dev/null +++ b/attack-pattern/attack-pattern--1c4e8b61-bdb4-4ff5-bbf2-10dda4b276da.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--f4b56438-184b-4ee8-9905-dbc14b2a3961", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1c4e8b61-bdb4-4ff5-bbf2-10dda4b276da", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.304Z", + "modified": "2020-02-05T20:28:15.304Z", + "name": "Scripting", + "description": "Malware may use scripts to bypass process monitoring mechanisms (e.g., VBScript). Malicious scripts can be embedded in Microsoft Office documents, which will execute when the document is opened or when the user enables and runs the macro.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/scripting.md", + "external_id": "T1064" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1064", + "external_id": "T1064" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--1e98510a-2454-445e-9942-47a5686f2bbd.json b/attack-pattern/attack-pattern--1e98510a-2454-445e-9942-47a5686f2bbd.json new file mode 100644 index 00000000..2aea34fc --- /dev/null +++ b/attack-pattern/attack-pattern--1e98510a-2454-445e-9942-47a5686f2bbd.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--bf5d6551-e0e3-4471-84d3-0502ace2e0f5", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1e98510a-2454-445e-9942-47a5686f2bbd", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.279Z", + "modified": "2020-02-05T20:28:15.279Z", + "name": "Dynamic Data Exchange", + "description": "Malware may use Windows Dynamic Data Exchange (DDE) to execute commands.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/dynamic-data-ex.md", + "external_id": "T1173" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1173", + "external_id": "T1173" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--21936a10-00e4-4e54-8fd7-00223e432cbf.json b/attack-pattern/attack-pattern--21936a10-00e4-4e54-8fd7-00223e432cbf.json new file mode 100644 index 00000000..3e544b82 --- /dev/null +++ b/attack-pattern/attack-pattern--21936a10-00e4-4e54-8fd7-00223e432cbf.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--95009b1c-3cb0-4d4d-b8ef-becd4ae3db54", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--21936a10-00e4-4e54-8fd7-00223e432cbf", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.114Z", + "modified": "2020-02-05T20:28:15.114Z", + "name": "Supply Chain Compromise", + "description": "The supply chain may be compromised to enable initial malware infection. Malware-related methods are listed below to supplement the information available defined in ATT&CK: [**Supply Chain Compromise**](https://attack.mitre.org/techniques/T1195/).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/supply-chain-compromise.md", + "external_id": "E1195" + }, + { + "source_name": "external_source", + "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1195/", + "external_id": "T1195" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Abusing enterprise certificates enables malware to exploit private APIs and infect a wide range of users (see *Exploit Private APIs* below).", + "name": "Abuse Enterprise Certificates" + }, + { + "definition": "Malware can exploit private APIs to infect jailbroken and non-jailbroken iOS devices. Research shows that over 100 apps in the App Store have abused private APIs and bypassed Apple’s strict code review.", + "name": "Exploit Private APIs" + } + ] + } + ] +} \ No newline at end of file 
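Review bot: The description has a doubled verb, `supplement the information available defined in ATT&CK`; `supplement the information defined in ATT&CK` reads cleanly. The `Exploit Private APIs` definition uses a typographic apostrophe in `Apple’s` (U+2019) while the rest of the release uses ASCII punctuation; it is valid JSON, but normalizing to `Apple's` avoids mixed character sets in generated text. The description frames this behavior as enabling `initial malware infection` while `phase_name` is `lateral-movement`; if MBC deliberately folds initial access into that objective (the `lateral-movement/` source path suggests so), one sentence saying so in the description would spare readers the apparent mismatch with ATT&CK's placement of T1195. The `Abuse Enterprise Certificates` definition points to `*Exploit Private APIs* below`, a positional reference that loses meaning once a consumer re-orders the methods array; naming the method without `below` is more robust.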
diff --git a/attack-pattern/attack-pattern--257eb250-d032-4eb8-a440-41fe91633738.json b/attack-pattern/attack-pattern--257eb250-d032-4eb8-a440-41fe91633738.json new file mode 100644 index 00000000..913d8c4d --- /dev/null +++ b/attack-pattern/attack-pattern--257eb250-d032-4eb8-a440-41fe91633738.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--01a9a8de-77ea-43e4-be22-7cdba72cd47d", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--257eb250-d032-4eb8-a440-41fe91633738", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.221Z", + "modified": "2020-02-05T20:28:15.221Z", + "name": "Peripheral Device Discovery", + "description": "Malware may try to get information about peripheral devices.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/peripheral-device-discover.md", + "external_id": "T1120" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1120", + "external_id": "T1120" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--278e7645-17ac-4bd3-9849-56060cab2e81.json b/attack-pattern/attack-pattern--278e7645-17ac-4bd3-9849-56060cab2e81.json new file mode 100644 index 00000000..47d47295 --- /dev/null +++ b/attack-pattern/attack-pattern--278e7645-17ac-4bd3-9849-56060cab2e81.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--4c9628fa-45b8-408d-bde9-339f86cee9d0", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--278e7645-17ac-4bd3-9849-56060cab2e81", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.486Z", + "modified": "2020-02-05T20:28:15.486Z", + "name": "Destroy Hardware", + "description": "Destroys a physical piece of hardware. For example, malware may cause hardware to overheat.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/destroy-hardware.md", + "external_id": "M0017" + }, + { + "source_name": "external_source", + "url": "https://www.bbc.com/timelines/zc6fbk7" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--28fb8dbd-1aae-42f1-aba5-f9062e7003ee.json b/attack-pattern/attack-pattern--28fb8dbd-1aae-42f1-aba5-f9062e7003ee.json new file mode 100644 index 00000000..d6670b50 --- /dev/null +++ b/attack-pattern/attack-pattern--28fb8dbd-1aae-42f1-aba5-f9062e7003ee.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--e26f3fa4-fb38-45c6-b6ca-062b0099f827", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--28fb8dbd-1aae-42f1-aba5-f9062e7003ee", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.269Z", + "modified": "2020-02-05T20:28:15.269Z", + "name": "Multi-hop Proxy", + "description": "Malware may chain together multiple proxies to disguise the source of malicious C2 traffic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/multihop-proxy.md", + "external_id": "T1188" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1188/", + "external_id": "T1188" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--2f098b48-391a-4869-acba-b10ba07a4522.json b/attack-pattern/attack-pattern--2f098b48-391a-4869-acba-b10ba07a4522.json new file mode 100644 index 00000000..a6a428ba --- /dev/null +++ b/attack-pattern/attack-pattern--2f098b48-391a-4869-acba-b10ba07a4522.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--e2b8af14-3cd2-4b6c-9b4a-05a9a3b0a950", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--2f098b48-391a-4869-acba-b10ba07a4522", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.209Z", + "modified": "2020-02-05T20:28:15.209Z", + "name": "System Service Discovery", + "description": "Malware may try to get information about registered services.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-service-discover.md", + "external_id": "T1007" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1007", + "external_id": "T1007" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--309cdc6a-244e-43a6-bc1a-40ea4b8a999c.json b/attack-pattern/attack-pattern--309cdc6a-244e-43a6-bc1a-40ea4b8a999c.json new file mode 100644 index 00000000..eeb5e77b --- /dev/null +++ b/attack-pattern/attack-pattern--309cdc6a-244e-43a6-bc1a-40ea4b8a999c.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--02eb5e8b-8753-4bf6-a9a2-907f5edbdb46", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--309cdc6a-244e-43a6-bc1a-40ea4b8a999c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.220Z", + "modified": "2020-02-05T20:28:15.220Z", + "name": "System Owner/User Discovery", + "description": "Malware may try to identify the users of the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-owner-discover.md", + "external_id": "T1033" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1033", + "external_id": "T1033" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--34f875d3-da11-4112-bfd8-fe2d9deaf609.json b/attack-pattern/attack-pattern--34f875d3-da11-4112-bfd8-fe2d9deaf609.json new file mode 100644 index 00000000..a6fdbd8e --- /dev/null +++ b/attack-pattern/attack-pattern--34f875d3-da11-4112-bfd8-fe2d9deaf609.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--122bfc2e-38d3-4123-b52f-28121f6a119a", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--34f875d3-da11-4112-bfd8-fe2d9deaf609", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.342Z", + "modified": "2020-02-05T20:28:15.342Z", + "name": "Automated Exfiltration", + "description": "Malware may exfiltrate data via automated processing or scripting.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/auto-exfiltrate.md", + "external_id": "E1020" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1020/", + "external_id": "T1020" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--3681ae81-1115-418d-a4f7-b6240b602852.json b/attack-pattern/attack-pattern--3681ae81-1115-418d-a4f7-b6240b602852.json new file mode 100644 index 00000000..1c55edf5 --- /dev/null +++ b/attack-pattern/attack-pattern--3681ae81-1115-418d-a4f7-b6240b602852.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--499aa088-be4d-45e5-b4b4-99941a7234d3", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--3681ae81-1115-418d-a4f7-b6240b602852", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.257Z", + "modified": "2020-02-05T20:28:15.257Z", + "name": "Standard Application Layer Protocol", + "description": "Malware may use a standard application layer protocol (e.g., HTTP) to blend with usual traffic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/std-app-protocol.md", + "external_id": "T1071" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1071/", + "external_id": "T1071" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--37e2cfce-37c2-4a5a-a98e-3bf5b4cd9db6.json b/attack-pattern/attack-pattern--37e2cfce-37c2-4a5a-a98e-3bf5b4cd9db6.json new file mode 100644 index 00000000..23849851 --- /dev/null +++ b/attack-pattern/attack-pattern--37e2cfce-37c2-4a5a-a98e-3bf5b4cd9db6.json 
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--4f0ef3de-5efd-4b1d-b1ad-32ae162534f1",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--37e2cfce-37c2-4a5a-a98e-3bf5b4cd9db6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.280Z",
+ "modified": "2020-02-05T20:28:15.280Z",
+ "name": "Execution through API",
+ "description": "Malware may execute via the Windows application programming interface (API).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/execution-via-api.md",
+ "external_id": "T1106"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1106",
+ "external_id": "T1106"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--3968a5bc-ed1f-4abf-a978-05f84d4cbf5c.json b/attack-pattern/attack-pattern--3968a5bc-ed1f-4abf-a978-05f84d4cbf5c.json
new file mode 100644
index 00000000..53dc9a58
--- /dev/null
+++ b/attack-pattern/attack-pattern--3968a5bc-ed1f-4abf-a978-05f84d4cbf5c.json
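Review bot: The `mitre-attack` reference in this hunk, `"url": "https://attack.mitre.org/techniques/T1106"`, drops the trailing slash that the two preceding bundles in this release use (`.../techniques/T1020/`, `.../techniques/T1071/`), so the same kind of reference is written two ways across the set. Anything that dedupes or joins external references on `url` will treat the two spellings as distinct, and it makes eyeballing mappings harder. Pick one form and apply it to every bundle, e.g. `"url": "https://attack.mitre.org/techniques/T1106/"` here. This is a style point only; the T1106 mapping itself matches the behavior described.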
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--251ae01c-72fa-455b-830e-9665d6db42ce",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3968a5bc-ed1f-4abf-a978-05f84d4cbf5c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.398Z",
+ "modified": "2020-02-05T20:28:15.398Z",
+ "name": "Exploitation for Defense Evasion",
+ "description": "Malware may exploit a software vulnerability in defensive security software to avoid detection.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/exploit-for-defense.md",
+ "external_id": "T1211"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1211",
+ "external_id": "T1211"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--3b3c03d0-8e57-4e10-b3bd-ef53515afc92.json b/attack-pattern/attack-pattern--3b3c03d0-8e57-4e10-b3bd-ef53515afc92.json
new file mode 100644
index 00000000..186c8fba
--- /dev/null
+++ b/attack-pattern/attack-pattern--3b3c03d0-8e57-4e10-b3bd-ef53515afc92.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--61029f63-b565-445e-b283-58070b4861a7",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3b3c03d0-8e57-4e10-b3bd-ef53515afc92",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.405Z",
+ "modified": "2020-02-05T20:28:15.405Z",
+ "name": "Virtualization/Sandbox Evasion",
+ "description": "Malware may check for the presence or a virtual machine or sandbox to avoid detection.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/virtualization-sandbox-evade.md",
+ "external_id": "T1497"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1497",
+ "external_id": "T1497"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--3cf9e9ac-9280-4a8d-b8b3-976abc855055.json b/attack-pattern/attack-pattern--3cf9e9ac-9280-4a8d-b8b3-976abc855055.json
new file mode 100644
index 00000000..71b14183
--- /dev/null
+++ b/attack-pattern/attack-pattern--3cf9e9ac-9280-4a8d-b8b3-976abc855055.json
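Review bot: The description has a typo that changes its meaning: `check for the presence or a virtual machine or sandbox` should read `check for the presence of a virtual machine or sandbox`. Since this text is what consumers of the STIX bundle display for T1497, it is worth fixing before release: `"description": "Malware may check for the presence of a virtual machine or sandbox to avoid detection."`.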
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--4281b056-1add-4a3e-8f4c-0987fed06cb2",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3cf9e9ac-9280-4a8d-b8b3-976abc855055",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.337Z",
+ "modified": "2020-02-05T20:28:15.337Z",
+ "name": "Data Compressed",
+ "description": "Malware may compress data prior to exfiltration.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "exfiltration"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/data-compress.md",
+ "external_id": "T1002"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1002/",
+ "external_id": "T1002"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--3df182e8-9ada-4e1e-874c-8bc8d7fa7c1c.json b/attack-pattern/attack-pattern--3df182e8-9ada-4e1e-874c-8bc8d7fa7c1c.json
new file mode 100644
index 00000000..c64e6bd2
--- /dev/null
+++ b/attack-pattern/attack-pattern--3df182e8-9ada-4e1e-874c-8bc8d7fa7c1c.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--52489429-8bc8-42f6-bac0-76ade733d47d",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3df182e8-9ada-4e1e-874c-8bc8d7fa7c1c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.125Z",
+ "modified": "2020-02-05T20:28:15.125Z",
+ "name": "Access Sensitive Data or Credentials in Files",
+ "description": "Malware accesses files that contain sensitive data or credentials (e.g., passwords). Access of Bitcoin and other cryptocurrency wallets also fall under this behavior.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/access-sensitive-data.md",
+ "external_id": "E1409"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1409/",
+ "external_id": "T1409"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--3e66b2bf-cc28-4635-ac06-4ea0f1ad8122.json b/attack-pattern/attack-pattern--3e66b2bf-cc28-4635-ac06-4ea0f1ad8122.json
new file mode 100644
index 00000000..0f1c1535
--- /dev/null
+++ b/attack-pattern/attack-pattern--3e66b2bf-cc28-4635-ac06-4ea0f1ad8122.json
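Review bot: The second sentence of the description has a subject/verb mismatch: `Access of Bitcoin and other cryptocurrency wallets also fall under this behavior.` should be `Access to Bitcoin and other cryptocurrency wallets also falls under this behavior.`. Wording only; the dual `collection`/`credential-access` phases and the E1409/T1409 mapping are consistent with the rest of the hunk.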
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--e7f68bf1-a388-4def-9392-fc56cc523c39",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3e66b2bf-cc28-4635-ac06-4ea0f1ad8122",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.292Z",
+ "modified": "2020-02-05T20:28:15.292Z",
+ "name": "AppleScript",
+ "description": "Malware may use AppleScript for execution or lateral movement.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/applescript.md",
+ "external_id": "T1155"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1155",
+ "external_id": "T1155"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--3ff14e42-f7c6-4f9f-a0e1-43afcd06778f.json b/attack-pattern/attack-pattern--3ff14e42-f7c6-4f9f-a0e1-43afcd06778f.json
new file mode 100644
index 00000000..3a7f03d3
--- /dev/null
+++ b/attack-pattern/attack-pattern--3ff14e42-f7c6-4f9f-a0e1-43afcd06778f.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--b725064e-9475-4b92-bc67-cc43882a3718",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3ff14e42-f7c6-4f9f-a0e1-43afcd06778f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.111Z",
+ "modified": "2020-02-05T20:28:15.111Z",
+ "name": "Replication Through Removable Media",
+ "description": "Malware may move onto systems, including air-gapped systems, by copying themselves to removable media.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/replicate-remove-media.md",
+ "external_id": "T1091"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1091",
+ "external_id": "T1091"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--422b0025-9286-4a11-812d-5494dab28d9a.json b/attack-pattern/attack-pattern--422b0025-9286-4a11-812d-5494dab28d9a.json
new file mode 100644
index 00000000..6ce1d00d
--- /dev/null
+++ b/attack-pattern/attack-pattern--422b0025-9286-4a11-812d-5494dab28d9a.json
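Review bot: The description mixes singular and plural for its subject: `Malware may move onto systems ... by copying themselves to removable media.` reads better as `by copying itself to removable media`, matching the singular `Malware may` used in every other description in this release. Wording only.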
@@ -0,0 +1,55 @@
+{
+ "type": "bundle",
+ "id": "bundle--a3f3242d-945e-465a-bab1-c5d9afc26a16",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--422b0025-9286-4a11-812d-5494dab28d9a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.477Z",
+ "modified": "2020-02-05T20:28:15.477Z",
+ "name": "Resource Hijacking",
+ "description": "Uses system resources for other purposes; as a result, the system may not be available for intended uses.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/hijack-sys-resources.md",
+ "external_id": "M0018"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1496/",
+ "external_id": "T1496"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Consume system resources for the purpose of password cracking.",
+ "name": "Password Cracking"
+ },
+ {
+ "definition": "Consume system resources to mine for cryptocurrency (e.g., Bitcoin, Litecoin, etc.).",
+ "name": "Cryptojacking"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--425dafb4-d71e-4c13-b900-b93c4316d07f.json b/attack-pattern/attack-pattern--425dafb4-d71e-4c13-b900-b93c4316d07f.json
new file mode 100644
index 00000000..f2dfcd69
--- /dev/null
+++ b/attack-pattern/attack-pattern--425dafb4-d71e-4c13-b900-b93c4316d07f.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--415215f3-19bc-42d2-884c-b721ac0eaefb",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--425dafb4-d71e-4c13-b900-b93c4316d07f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.461Z",
+ "modified": "2020-02-05T20:28:15.461Z",
+ "name": "Private Keys",
+ "description": "Malware may gather private keys from compromised systems.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/private-keys.md",
+ "external_id": "T1145"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1145/",
+ "external_id": "T1145"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2.json b/attack-pattern/attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2.json
new file mode 100644
index 00000000..e11d0089
--- /dev/null
+++ b/attack-pattern/attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2.json
@@ -0,0 +1,82 @@
+{
+ "type": "bundle",
+ "id": "bundle--34eefcbc-a58e-46f5-8d3d-1cee31282f0f",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.192Z",
+ "modified": "2020-02-05T20:28:15.192Z",
+ "name": "Sandbox Detection",
+ "description": "Detects whether the malware instance is being executed inside an instrumented sandbox environment (e.g., Cuckoo Sandbox). If so, conditional execution selects a benign execution path.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/detect-sandbox.md",
+ "external_id": "M0007"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://labs.lastline.com/exposing-rombertik-turning-the-tables-on-evasive-malware"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://github.com/LordNoteworthy/al-khaser"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Checks clipboard data which can be used to detect whether execution is inside a sandbox.",
+ "name": "Check Clipboard Data"
+ },
+ {
+ "definition": "Sandboxes create files on the file system. Malware can check the different folders to find sandbox artifacts.",
+ "name": "Check Files"
+ },
+ {
+ "definition": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel [[3]](#3).",
+ "name": "Human User Check"
+ },
+ {
+ "definition": "Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means.",
+ "name": "Injected DLL Testing"
+ },
+ {
+ "definition": "Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the Key/ID in the Windows registry.",
+ "name": "Product Key/ID Testing"
+ },
+ {
+ "definition": "Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower. No one is actually working on a such small screen. Malware could potentially detect the screen resolution to determine if it's a user machine or a sandbox.",
+ "name": "Screen Resolution Testing"
+ },
+ {
+ "definition": "Malware may check its own characteristics to determine whether it's running in a sandbox. For example, a malicious Office document might check its file name or VB project name.",
+ "name": "Self Check"
+ },
+ {
+ "definition": "Calling GetSystemTime or equiv and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date. This behavior can be mitigated in non-automated analysis environments.",
+ "name": "Timing/Date Checks"
+ },
+ {
+ "definition": "Comparing single GetTickCount with some value to see if system has been started at least *X* amount ago. This behavior can be mitigated in non-automated analysis environments.",
+ "name": "Timing/Uptime Check"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--4799cdef-cff0-476b-adaa-685b8277ef7c.json b/attack-pattern/attack-pattern--4799cdef-cff0-476b-adaa-685b8277ef7c.json
new file mode 100644
index 00000000..fba60aa3
--- /dev/null
+++ b/attack-pattern/attack-pattern--4799cdef-cff0-476b-adaa-685b8277ef7c.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--ef2889bb-1bfb-4ce4-afdf-402fbbc8b9bc",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--4799cdef-cff0-476b-adaa-685b8277ef7c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.451Z",
+ "modified": "2020-02-05T20:28:15.451Z",
+ "name": "Credentials in Files",
+ "description": "Malware may search local file system and remote file shares for files containing passwords.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/credentials-in-files.md",
+ "external_id": "T1081"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1081/",
+ "external_id": "T1081"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--484c88bd-1dac-4774-8411-63aaed416ac3.json b/attack-pattern/attack-pattern--484c88bd-1dac-4774-8411-63aaed416ac3.json
new file mode 100644
index 00000000..903253c7
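Review bot: The "Human User Check" entry in `x_mitre_methods` ends with `[[3]](#3)`, a Markdown footnote reference carried over from the source page; inside this STIX JSON there is no footnote target, so any consumer renders a dangling link and a reader cannot tell what source backs the "color of background pixel" claim. Presumably it pointed at one of the three `external_source` entries above (the al-khaser repository is the third listed, but confirm against the markdown page); either name that source in the sentence or drop the bracket, e.g. `... scrolling, color of background pixel (see the al-khaser checks referenced above).`. Two smaller points in the same array: the two timing entries are named inconsistently (`Timing/Date Checks` vs `Timing/Uptime Check`), and `GetSystemTime or equiv` / `Comparing single GetTickCount` read as shorthand notes rather than definitions and would benefit from a full sentence each.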
--- /dev/null
+++ b/attack-pattern/attack-pattern--484c88bd-1dac-4774-8411-63aaed416ac3.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--1674b7a2-b010-4d56-bff2-7e830fe70e23",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--484c88bd-1dac-4774-8411-63aaed416ac3",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.357Z",
+ "modified": "2020-02-05T20:28:15.357Z",
+ "name": "Component Object Model Hijacking",
+ "description": "Malware hijacks a component object model (COM) object to execute itself or other malicious code.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/component-hijack.md",
+ "external_id": "T1122"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1122",
+ "external_id": "T1122"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--4b89d6b6-fd08-4b39-bb01-b472ae95b93d.json b/attack-pattern/attack-pattern--4b89d6b6-fd08-4b39-bb01-b472ae95b93d.json
new file mode 100644
index 00000000..9c1cd3bf
--- /dev/null
+++ b/attack-pattern/attack-pattern--4b89d6b6-fd08-4b39-bb01-b472ae95b93d.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--3aca35ca-7ac9-463f-ba88-953dbae04581",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--4b89d6b6-fd08-4b39-bb01-b472ae95b93d",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.121Z",
+ "modified": "2020-02-05T20:28:15.121Z",
+ "name": "Email Collection",
+ "description": "Malware targets user email for collection.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/email-collect.md",
+ "external_id": "T1114"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1114/",
+ "external_id": "T1114"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--4c235631-ef76-4afc-9386-e1d9be003c44.json b/attack-pattern/attack-pattern--4c235631-ef76-4afc-9386-e1d9be003c44.json
new file mode 100644
index 00000000..e1d2f217
--- /dev/null
+++ b/attack-pattern/attack-pattern--4c235631-ef76-4afc-9386-e1d9be003c44.json
@@ -0,0 +1,55 @@
+{
+ "type": "bundle",
+ "id": "bundle--f65bb697-5269-482a-9383-7aecddd4ad0d",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--4c235631-ef76-4afc-9386-e1d9be003c44",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.140Z",
+ "modified": "2020-02-05T20:28:15.140Z",
+ "name": "Input Capture",
+ "description": "Malware captures user input.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/input-capture.md",
+ "external_id": "E1056"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1056/",
+ "external_id": "T1056"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Mouse events are captured.",
+ "name": "Mouse Events"
+ },
+ {
+ "definition": "Keyboard events are captured.",
+ "name": "Keyboard Events"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--4c4599cf-a384-46fa-83f2-f05967673158.json b/attack-pattern/attack-pattern--4c4599cf-a384-46fa-83f2-f05967673158.json
new file mode 100644
index 00000000..345d3da8
--- /dev/null
+++ b/attack-pattern/attack-pattern--4c4599cf-a384-46fa-83f2-f05967673158.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--e785cff8-adb2-46f6-905b-f8230b7851f1",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--4c4599cf-a384-46fa-83f2-f05967673158",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.273Z",
+ "modified": "2020-02-05T20:28:15.273Z",
+ "name": "PowerShell",
+ "description": "Malware may use PowerShell to execute code on a system.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/power-shell.md",
+ "external_id": "T1086"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1086",
+ "external_id": "T1086"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--4dd2b47e-6753-4cbc-bfbd-336ed1dd4838.json b/attack-pattern/attack-pattern--4dd2b47e-6753-4cbc-bfbd-336ed1dd4838.json
new file mode 100644
index 00000000..32fe8697
--- /dev/null
+++ b/attack-pattern/attack-pattern--4dd2b47e-6753-4cbc-bfbd-336ed1dd4838.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--4443eabd-f5c7-4f5b-8271-1ee534073021",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--4dd2b47e-6753-4cbc-bfbd-336ed1dd4838",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.436Z",
+ "modified": "2020-02-05T20:28:15.436Z",
+ "name": "Exploitation for Privilege Escalation",
+ "description": "Malware may exploit a software vulnerability to escalate privileges.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/exploit-priv-escalate.md",
+ "external_id": "T1068"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1068",
+ "external_id": "T1068"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2.json b/attack-pattern/attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2.json
new file mode 100644
index 00000000..516e54d6
--- /dev/null
+++ b/attack-pattern/attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2.json
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--f4680e89-f002-4b3e-aa65-c7cbb355e2c3",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.467Z",
+ "modified": "2020-02-05T20:28:15.467Z",
+ "name": "Data Encrypted for Impact",
+ "description": "Malware may encrypt files stored on the system to prevent user access until a ransom is paid and/or to interrupt system availability. The encryption process usually iterates over all letter drives in the system (except for CD drives) and then recursively encrypts all files with specific suffixes.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/encrypt-impact.md",
+ "external_id": "E1486"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1486/",
+ "external_id": "T1486"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1471/",
+ "external_id": "T1471"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--4f74271a-79f0-4fbc-87ee-43abd69fd74e.json b/attack-pattern/attack-pattern--4f74271a-79f0-4fbc-87ee-43abd69fd74e.json
new file mode 100644
index 00000000..2f29d8e8
--- /dev/null
+++ b/attack-pattern/attack-pattern--4f74271a-79f0-4fbc-87ee-43abd69fd74e.json
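Review bot: The second sentence of the description presents one implementation as the norm for the whole technique: `The encryption process usually iterates over all letter drives in the system (except for CD drives) and then recursively encrypts all files with specific suffixes.` is what the two cited Secureworks write-ups (CryptoWall, CryptoLocker) describe, and an analyst reading this bundle could turn it into a detection assumption (drive-letter enumeration, extension lists) that other families need not satisfy. I'd tie it to its sources instead, e.g. `Implementations vary; the cited CryptoWall and CryptoLocker analyses describe iterating over drive letters (excluding CD drives) and recursively encrypting files with specific extensions.`. Separately, the bundle carries two `mitre-attack` references (T1486 and T1471) with nothing indicating which applies to which platform; a short `description` on each reference would make the dual mapping explicit.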
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--165b7d79-9cf8-49f0-980a-3ab21cf0fdf7",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--4f74271a-79f0-4fbc-87ee-43abd69fd74e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.328Z",
+ "modified": "2020-02-05T20:28:15.328Z",
+ "name": "Shutdown Event",
+ "description": "Malware can register the shutdown event triggered by WinLogon to allow a malicious DLL to execute every time the machine shuts down: when the machine is shutdown the malware will be loaded into memory; then it will download the primary malware and reinfect the machine. The malware will also lie dormant during incident reporting processes. To check whether malware has registered for login events, check the registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify. If a subkey with any name exists and it has a \"shutdown\" value then the dll in the \"DLLName\" key will be launched during the shutdown process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/shutdown-event.md",
+ "external_id": "M0035"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--5010e76c-7f54-467d-8042-90ff48523dd2.json b/attack-pattern/attack-pattern--5010e76c-7f54-467d-8042-90ff48523dd2.json
new file mode 100644
index 00000000..a80f9bbe
--- /dev/null
+++ b/attack-pattern/attack-pattern--5010e76c-7f54-467d-8042-90ff48523dd2.json
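Review bot: The registry path in the description, `HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify`, has lost every backslash (most likely consumed as escape characters somewhere in the markdown-to-STIX conversion), so the hunt location this text tells a responder to check cannot be copied or matched as written. In the JSON source it needs to be `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify` (JSON-escaped, so the parsed string holds single backslashes); worth grepping the rest of this release for other Windows paths that lost their separators the same way. The same sentence says `registered for login events` while the behavior and the check it describes (a `shutdown` value under a `Notify` subkey) are about shutdown, so `shutdown events` is presumably intended. As far as I recall, Winlogon notification packages are a legacy mechanism that later Windows versions no longer honour; if the cited SANS diary confirms that, a one-line caveat bounding where this persistence method and its check apply would help.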
@@ -0,0 +1,62 @@
+{
+ "type": "bundle",
+ "id": "bundle--3e5928b6-1a1e-47b3-a31b-74f45f892e63",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--5010e76c-7f54-467d-8042-90ff48523dd2",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.278Z",
+ "modified": "2020-02-05T20:28:15.278Z",
+ "name": "Remote Commands",
+ "description": "Malware may provide an attacker with explicit commands. This behavior differs from the [Remote Access](https://github.com/MBCProject/mbc-markdown/blob/master/impact/remote-access.md) behavior under the [Impact](https://github.com/MBCProject/mbc-markdown/tree/master/impact) objective in that *Impact: Remote Access* is potentially much broader and may include full remote access.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/remote-commands.md",
+ "external_id": "M0011"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "",
+ "name": "Delete File"
+ },
+ {
+ "definition": "",
+ "name": "Download File"
+ },
+ {
+ "definition": "",
+ "name": "Execute"
+ },
+ {
+ "definition": "",
+ "name": "Shutdown"
+ },
+ {
+ "definition": "",
+ "name": "Sleep"
+ },
+ {
+ "definition": "",
+ "name": "Uninstall"
+ },
+ {
+ "definition": "",
+ "name": "Upload File"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767.json b/attack-pattern/attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767.json
new file mode 100644
index 00000000..cdc69062
--- /dev/null
+++ b/attack-pattern/attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767.json
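Review bot: All seven `x_mitre_methods` entries carry `"definition": ""`, which uses an empty string as a "not written yet" sentinel; a consumer cannot distinguish that from a deliberately blank definition, and it differs from sibling bundles in this release (Resource Hijacking, Input Capture, Sandbox Detection) where every method has text. Either omit the key on entries with nothing to say, or give each a one-line definition, e.g. `"definition": "Downloads a file from the attacker to the infected host."` for Download File and `"definition": "Removes the malware from the host on command."` for Uninstall. A nit: the description links Remote Access and Impact by raw GitHub URLs inside Markdown; an `external_references` entry is the STIX-native way to express that cross-reference.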
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--e504c8c2-b7cf-4381-86a5-ca50cb3fd241", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.256Z", + "modified": "2020-02-05T20:28:15.256Z", + "name": "Domain Name Generation", + "description": "Malware generates the domain name of the command and control server to which it connects. Access to on the fly domains enables C2 to operate as domains and IP addresses are blocked. The algorithm can be complicated in more advanced bots; understanding the details so that names can be predicted can be useful in mitigation and response.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/domain-name-generate.md", + "external_id": "M0031" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/" + }, + { + "source_name": "external_source", + "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1483/", + "external_id": "T1483" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--52aeeef7-8531-4bc9-969f-274798c4cc13.json b/attack-pattern/attack-pattern--52aeeef7-8531-4bc9-969f-274798c4cc13.json new file mode 100644 index 00000000..dad67f2a --- /dev/null 
+++ b/attack-pattern/attack-pattern--52aeeef7-8531-4bc9-969f-274798c4cc13.json @@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--17d2e8a0-abf4-440c-b3ec-a633144bafad", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--52aeeef7-8531-4bc9-969f-274798c4cc13", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.286Z", + "modified": "2020-02-05T20:28:15.286Z", + "name": "Exploit Software", + "description": "Software is exploited - either because of a vulnerability or through its designed features - to gain access for malware. In general, exploitation may be done by a human attacker, but MBC focuses on software exploits implemented in code. Malware-specific details are below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/exploit-software.md", + "external_id": "E1203" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1203", + "external_id": "T1203" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "", + "name": "Remote Desktop Protocols (RDP)" + }, + { + "definition": "", + "name": "Java-based Web Servers" + }, + { + "definition": "", + "name": "File Transfer Protocol (FTP) Servers" + }, + { + "definition": "", + "name": "Red Hat JBoss Enterprise Products" + }, + { + "definition": "Use Sysinternals tools for additional command line functionality.", + "name": "Sysinternals" + } + ] + } + ] +} \ No newline at end of file 
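Review bot: The `Sysinternals` entry in `x_mitre_methods` reads as a tool-usage note (`Use Sysinternals tools for additional command line functionality.`) rather than an exploited software vector like the four entries before it, so it looks misfiled; confirm against the markdown source before it is published under E1203. The description's closing sentence, `Malware-specific details are below.`, also refers to page layout that does not exist in a STIX object — the details live in `x_mitre_methods` — so `Malware-specific methods are listed in x_mitre_methods.`, or simply dropping the sentence, would read correctly here.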
diff --git a/attack-pattern/attack-pattern--552f53bd-52e8-4c09-aa98-26ca8b9ef2da.json b/attack-pattern/attack-pattern--552f53bd-52e8-4c09-aa98-26ca8b9ef2da.json new file mode 100644 index 00000000..0225129f --- /dev/null +++ b/attack-pattern/attack-pattern--552f53bd-52e8-4c09-aa98-26ca8b9ef2da.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--f8323e5c-d6cb-44e2-8b5f-cc008735b7e5", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--552f53bd-52e8-4c09-aa98-26ca8b9ef2da", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.392Z", + "modified": "2020-02-05T20:28:15.392Z", + "name": "HISTCONTROL", + "description": "Malware may configure this environment variable to hide its activity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/histcontrol.md", + "external_id": "T1148" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1148", + "external_id": "T1148" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--55d0d35e-668a-45dc-a727-c7446b3e5d08.json b/attack-pattern/attack-pattern--55d0d35e-668a-45dc-a727-c7446b3e5d08.json new file mode 100644 index 00000000..ef9b0011 --- /dev/null +++ b/attack-pattern/attack-pattern--55d0d35e-668a-45dc-a727-c7446b3e5d08.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--3819e29b-6cff-4307-8d8e-6bcbbae0b158", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--55d0d35e-668a-45dc-a727-c7446b3e5d08", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.340Z", + "modified": "2020-02-05T20:28:15.340Z", + "name": "Exfiltration Over Other Network Medium", + "description": "Malware may exfiltrate data via a different network medium than the command and control channel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/exfil-over-other-network-medium.md", + "external_id": "T1011" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1011/", + "external_id": "T1011" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--568d881b-70b4-4b37-97ba-045c34335b1f.json b/attack-pattern/attack-pattern--568d881b-70b4-4b37-97ba-045c34335b1f.json new file mode 100644 index 00000000..614f0440 --- /dev/null +++ b/attack-pattern/attack-pattern--568d881b-70b4-4b37-97ba-045c34335b1f.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--c0e753f1-6827-4e5d-8bf5-a2736b0dfe6f", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--568d881b-70b4-4b37-97ba-045c34335b1f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.373Z", + "modified": "2020-02-05T20:28:15.373Z", + "name": "Install Root Certificate", + "description": "Malware may install a root certificate to avoid warning prompts during certificate-enabled connections.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/install-root-cert.md", + "external_id": "T1130" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1130", + "external_id": "T1130" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--56e8ece2-1e82-4c12-9b8d-79bd23c33936.json b/attack-pattern/attack-pattern--56e8ece2-1e82-4c12-9b8d-79bd23c33936.json new file mode 100644 index 00000000..1cb7976e --- /dev/null +++ b/attack-pattern/attack-pattern--56e8ece2-1e82-4c12-9b8d-79bd23c33936.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--dd5af8b1-550f-4445-85cb-675d3b75cb25", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--56e8ece2-1e82-4c12-9b8d-79bd23c33936", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.472Z", + "modified": "2020-02-05T20:28:15.472Z", + "name": "Firmware Corruption", + "description": "Malware may corrupt the flash memory contents of system BIOS or other system device firmware to render them inoperable or unable to boot.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/firmware-corruption.md", + "external_id": "T1495" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1495/", + "external_id": "T1495" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--584bb03d-6bdb-4385-a52a-e2a80d58b1e7.json b/attack-pattern/attack-pattern--584bb03d-6bdb-4385-a52a-e2a80d58b1e7.json new file mode 100644 index 00000000..c6644237 --- /dev/null +++ b/attack-pattern/attack-pattern--584bb03d-6bdb-4385-a52a-e2a80d58b1e7.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--316bb51b-ff03-4edb-a48a-fb75b96732d1", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--584bb03d-6bdb-4385-a52a-e2a80d58b1e7", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.133Z", + "modified": "2020-02-05T20:28:15.133Z", + "name": "Microphone or Camera Capture", + "description": "Malware records activities using the device microphone and/or camera.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/micro-cam-capture.md", + "external_id": "T1429" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1429/", + "external_id": "T1429" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1512/", + "external_id": "T1512" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1429/", + "external_id": "T1429" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--587a54c2-89ae-42aa-9504-b820378e2aff.json b/attack-pattern/attack-pattern--587a54c2-89ae-42aa-9504-b820378e2aff.json new file mode 100644 index 00000000..e4081e61 --- /dev/null +++ b/attack-pattern/attack-pattern--587a54c2-89ae-42aa-9504-b820378e2aff.json 
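Review bot: The `mitre-attack` reference for T1429 appears twice in `external_references` (second and fourth entries, identical `url` and `external_id`); the fourth entry should be dropped so the list holds T1429 and T1512 once each. Duplicate references are harmless to parsers but double up in any tool that renders or counts relationships from this bundle, and they suggest the generator is not de-duplicating references merged from several markdown sections.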
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--871ac9f6-fe8e-4ed4-8b9f-57f48b60c181", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--587a54c2-89ae-42aa-9504-b820378e2aff", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.110Z", + "modified": "2020-02-05T20:28:15.110Z", + "name": "Remote Desktop Protocol", + "description": "Malware may connect to a remote system over Remote Desktop Protocol.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/remote-desktop-protocol.md", + "external_id": "T1076" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1076", + "external_id": "T1076" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--58e6e2a9-7074-4fb6-930d-3177a4302737.json b/attack-pattern/attack-pattern--58e6e2a9-7074-4fb6-930d-3177a4302737.json new file mode 100644 index 00000000..e90f133f --- /dev/null +++ b/attack-pattern/attack-pattern--58e6e2a9-7074-4fb6-930d-3177a4302737.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--4332a52e-99ed-4cb7-aee1-eb5ee55ab32c", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--58e6e2a9-7074-4fb6-930d-3177a4302737", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.375Z", + "modified": "2020-02-05T20:28:15.375Z", + "name": "Binary Padding", + "description": "Malware is padded to increase its size beyond what security tools can handle or to change its hash.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/binary-pad.md", + "external_id": "T1009" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1009", + "external_id": "T1009" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--58f11920-e04f-4935-864a-c2121842bf8d.json b/attack-pattern/attack-pattern--58f11920-e04f-4935-864a-c2121842bf8d.json new file mode 100644 index 00000000..574997b3 --- /dev/null +++ b/attack-pattern/attack-pattern--58f11920-e04f-4935-864a-c2121842bf8d.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--0a3536c6-e6c7-43a5-bb18-5c8f19b1b794", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--58f11920-e04f-4935-864a-c2121842bf8d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.326Z", + "modified": "2020-02-05T20:28:15.326Z", + "name": "Browser Extensions", + "description": "Malware may add functionality to browsers or customize them with extensions or plugins.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/browser-extend.md", + "external_id": "T1176" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1176", + "external_id": "T1176" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--5a7483f3-b636-4f12-8925-21be3e0f3676.json b/attack-pattern/attack-pattern--5a7483f3-b636-4f12-8925-21be3e0f3676.json new file mode 100644 index 00000000..8faa1a7d --- /dev/null +++ b/attack-pattern/attack-pattern--5a7483f3-b636-4f12-8925-21be3e0f3676.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--d96f3f25-6879-4f8e-b733-ff1ab22c5915", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--5a7483f3-b636-4f12-8925-21be3e0f3676", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.152Z", + "modified": "2020-02-05T20:28:15.152Z", + "name": "Executable Code Virtualization", + "description": "Original executable code is virtualized by translating the code into a special format that only a special virtual machine (VM) can run; the VM uses a customized virtual instruction set. A \"stub\" function calls the VM when the code is run. Virtualized code makes static analysis and reverse engineering more difficult; dumped code won’t run without the VM.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/exe-code-virtualize.md", + "external_id": "M0008" + }, + { + "source_name": "external_source", + "url": "https://github.com/xiaoweime/WProtect" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "multiple virtual machines with different architectures (CISC, RISC, etc.) can be used inside of a single executable in order to make reverse engineering even more difficult.", + "name": "Multiple VMs" + } + ] + } + ] +} \ No newline at end of file 
diff --git a/attack-pattern/attack-pattern--5d6f607a-b64e-4b25-ba0c-0ed3854f4557.json b/attack-pattern/attack-pattern--5d6f607a-b64e-4b25-ba0c-0ed3854f4557.json new file mode 100644 index 00000000..22f82306 --- /dev/null +++ b/attack-pattern/attack-pattern--5d6f607a-b64e-4b25-ba0c-0ed3854f4557.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--a5862bbb-c623-4f39-b9c2-bc9d648fe584", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--5d6f607a-b64e-4b25-ba0c-0ed3854f4557", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.218Z", + "modified": "2020-02-05T20:28:15.218Z", + "name": "System Network Connections Discovery", + "description": "Malware may try to get a listing of network connections to/from the compromised system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-network-conn-discover.md", + "external_id": "T1049" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1049", + "external_id": "T1049" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--5e8c37e7-530d-4da6-a520-83a39fc52d7a.json b/attack-pattern/attack-pattern--5e8c37e7-530d-4da6-a520-83a39fc52d7a.json new file mode 100644 index 00000000..112d908c --- /dev/null +++ b/attack-pattern/attack-pattern--5e8c37e7-530d-4da6-a520-83a39fc52d7a.json 
@@ -0,0 +1,91 @@ +{ + "type": "bundle", + "id": "bundle--13f9a9a0-a066-434c-8287-1dcbee02b000", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--5e8c37e7-530d-4da6-a520-83a39fc52d7a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.361Z", + "modified": "2020-02-05T20:28:15.361Z", + "name": "Rootkit Behavior", + "description": "Behaviors of a rootkit: \"A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that is not otherwise allowed and often masks its existence or the existence of other software.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/rootkit-behavior.md", + "external_id": "E1014" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Rootkit" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1014", + "external_id": "T1014" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Hides the usage of any kernel modules by the malware instance.", + "name": "Hide Kernel Modules" + }, + { + "definition": "Hides any system services that the malware instance creates or injects itself into.", + "name": "Hide Services" + }, + { + "definition": "Hides one or more threads that belong to the malware instance.", + "name": "Hide Threads" + }, + { + "definition": "Hides the usage of userspace libraries by the malware instance.", + "name": "Hide Userspace Libraries" + }, + { + "definition": "Prevents the API hooks 
installed by the malware instance from being removed.", + "name": "Prevent API Unhooking" + }, + { + "definition": "Prevents access to the Windows registry, including to the entire registry and/or to particular registry keys/values.", + "name": "Prevent Registry Access" + }, + { + "definition": "Prevent Windows registry keys and/or values associated with the malware instance from being deleted from a system.", + "name": "Prevent Registry Deletion" + }, + { + "definition": "Prevents access to the file system, including to specific files and/or directories associated with the malware instance.", + "name": "Prevent File Access" + }, + { + "definition": "Prevents files and/or directories associated with the malware instance from being deleted from a system.", + "name": "Prevent File Deletion" + }, + { + "definition": "Prevents access to system memory where the malware instance may be storing code or data.", + "name": "Prevent Memory Access" + }, + { + "definition": "Prevents other software from hooking native system APIs.", + "name": "Prevent Native API Hooking" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--5f63251a-e426-493e-9dd6-3b562c0e7157.json b/attack-pattern/attack-pattern--5f63251a-e426-493e-9dd6-3b562c0e7157.json new file mode 100644 index 00000000..21db93d8 --- /dev/null +++ b/attack-pattern/attack-pattern--5f63251a-e426-493e-9dd6-3b562c0e7157.json 
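Review bot: The description opens a quotation at `"A rootkit is a collection…` and never closes it; since the sentence is lifted from the Wikipedia article cited under `external_source`, close the quote after `…the existence of other software."` (and optionally attribute it inline). In `x_mitre_methods`, `Prevent Registry Deletion` is the only definition that starts with `Prevent` rather than `Prevents`; `Prevents Windows registry keys and/or values associated with the malware instance from being deleted from a system.` matches the others. This hunk begins on the previous line.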
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--22627be1-7473-45cd-a982-a90ae61df6e4", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--5f63251a-e426-493e-9dd6-3b562c0e7157", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.223Z", + "modified": "2020-02-05T20:28:15.223Z", + "name": "Application Window Discovery", + "description": "Malware may try to get a list of open application windows.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/app-window-discover.md", + "external_id": "T1010" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1010", + "external_id": "T1010" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--613f0744-5c1e-4ed1-a79e-ea132e27e085.json b/attack-pattern/attack-pattern--613f0744-5c1e-4ed1-a79e-ea132e27e085.json new file mode 100644 index 00000000..cb7f7e0d --- /dev/null +++ b/attack-pattern/attack-pattern--613f0744-5c1e-4ed1-a79e-ea132e27e085.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--6115362d-d393-4c25-afeb-238d04e243a8", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--613f0744-5c1e-4ed1-a79e-ea132e27e085", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.115Z", + "modified": "2020-02-05T20:28:15.115Z", + "name": "Distributed Component Object Model", + "description": "Malware may use Windows Distributed Component Object Model (DCOM) for lateral movement.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/distributed-comp-obj-model.md", + "external_id": "T1175" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1175", + "external_id": "T1175" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--6246be32-1085-40b4-aa18-6ead153e84fc.json b/attack-pattern/attack-pattern--6246be32-1085-40b4-aa18-6ead153e84fc.json new file mode 100644 index 00000000..6ccfa424 --- /dev/null +++ b/attack-pattern/attack-pattern--6246be32-1085-40b4-aa18-6ead153e84fc.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--094283df-831f-44f2-bc3c-a3629897b9ab", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--6246be32-1085-40b4-aa18-6ead153e84fc", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.318Z", + "modified": "2020-02-05T20:28:15.318Z", + "name": "Kernel Modules and Extensions", + "description": "Malware may use loadable kernel modules to persist on a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/kernel-modules-ext.md", + "external_id": "T1215" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1215", + "external_id": "T1215" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--6406f5d5-3adb-4855-ba12-87b3f9e7fb28.json b/attack-pattern/attack-pattern--6406f5d5-3adb-4855-ba12-87b3f9e7fb28.json new file mode 100644 index 00000000..fae6a574 --- /dev/null +++ b/attack-pattern/attack-pattern--6406f5d5-3adb-4855-ba12-87b3f9e7fb28.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--452e2cd1-bb6b-41e6-b384-a5e25396eb47", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--6406f5d5-3adb-4855-ba12-87b3f9e7fb28", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.267Z", + "modified": "2020-02-05T20:28:15.267Z", + "name": "Data Obfuscation", + "description": "Malware hides its command and control information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/data-obfuscate.md", + "external_id": "T1001" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1001/", + "external_id": "T1001" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--64098173-07b5-47f3-bd31-f3ae0f83ba93.json b/attack-pattern/attack-pattern--64098173-07b5-47f3-bd31-f3ae0f83ba93.json new file mode 100644 index 00000000..6d8dc5d2 --- /dev/null +++ b/attack-pattern/attack-pattern--64098173-07b5-47f3-bd31-f3ae0f83ba93.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--8e6e9618-f277-4ffc-8c3b-b1bf83d2bcba", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--64098173-07b5-47f3-bd31-f3ae0f83ba93", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.247Z", + "modified": "2020-02-05T20:28:15.247Z", + "name": "Custom Command and Control Protocol", + "description": "Malware may use a custom command and control protocol instead of encapsulating commands and data in a [Standard Application Layer Protocol](https://github.com/MBCProject/mbc-markdown/tree/master/command-and-control/std-protocol.md).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/custom-c2-protocol.md", + "external_id": "T1094" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1094/", + "external_id": "T1094" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--65a87d14-443d-48bc-8056-af041b7092be.json b/attack-pattern/attack-pattern--65a87d14-443d-48bc-8056-af041b7092be.json new file mode 100644 index 00000000..a78bab2f --- /dev/null +++ b/attack-pattern/attack-pattern--65a87d14-443d-48bc-8056-af041b7092be.json 
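Review bot: The cross-reference in the description points at `https://github.com/MBCProject/mbc-markdown/tree/master/command-and-control/std-protocol.md`, using `/tree/` for a file path while every `mitre-mbc` reference in this patch uses `/blob/`; GitHub currently redirects, but the link should be `https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/std-protocol.md` so it does not depend on that. The Disk Content Wipe bundle in the next hunk has the same `/tree/…/impact/data-destruction.md` form.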
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--a823ea80-25d9-4ac4-a7f9-31e3b556d7b5", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--65a87d14-443d-48bc-8056-af041b7092be", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.496Z", + "modified": "2020-02-05T20:28:15.496Z", + "name": "Disk Content Wipe", + "description": "The contents of a storage device are partially or completely wiped. Rather than selecting individual files (see [Data Destruction](https://github.com/MBCProject/mbc-markdown/tree/master/impact/data-destruction.md)), arbitrary data is destroyed.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/disk-content-wipe.md", + "external_id": "T1488" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1488/", + "external_id": "T1488" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1447/", + "external_id": "T1447" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--65fe37b4-19b9-4630-8d51-5afd6dc3234d.json b/attack-pattern/attack-pattern--65fe37b4-19b9-4630-8d51-5afd6dc3234d.json new file mode 100644 index 00000000..3212cc4d --- /dev/null +++ b/attack-pattern/attack-pattern--65fe37b4-19b9-4630-8d51-5afd6dc3234d.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--26f1db99-97e0-4b48-a85d-d39ef50a9761", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--65fe37b4-19b9-4630-8d51-5afd6dc3234d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.403Z", + "modified": "2020-02-05T20:28:15.403Z", + "name": "Indicator Blocking", + "description": "Malware blocks indicators or events that would indicate malicious activity. Methods relevant to the malware domain are below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/indicator-blocking.md", + "external_id": "E1054" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1054/", + "external_id": "T1054" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Malware captures the message body of incoming SMS messages and aborts displaying messages that meets a certain criteria.", + "name": "Remove SMS Warning Messages" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--670148f0-5ad0-4dff-ba2a-753933c624d9.json b/attack-pattern/attack-pattern--670148f0-5ad0-4dff-ba2a-753933c624d9.json new file mode 100644 index 00000000..c9d87ab6 --- /dev/null +++ b/attack-pattern/attack-pattern--670148f0-5ad0-4dff-ba2a-753933c624d9.json 
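Review bot: The `Remove SMS Warning Messages` definition has a number-agreement slip, `messages that meets a certain criteria`; `messages that meet certain criteria` reads correctly. Otherwise the object follows the same shape as the other `E`-prefixed behaviors in the patch.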
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--b93856bc-71e0-49a0-8378-d10b6c33b565",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--670148f0-5ad0-4dff-ba2a-753933c624d9",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.252Z",
+ "modified": "2020-02-05T20:28:15.252Z",
+ "name": "Standard Non-Application Layer Protocol",
+ "description": "Malware may use a standard non-application layer protocol (e.g., ICMP) because such protocols may be less commonly monitored, enabling communication to be hidden.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/std-non-app-protocol.md",
+ "external_id": "T1095"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1095/",
+ "external_id": "T1095"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--67291481-c3c0-4b34-86c9-fa2b7694c706.json b/attack-pattern/attack-pattern--67291481-c3c0-4b34-86c9-fa2b7694c706.json
new file mode 100644
index 00000000..2f33a2a7
--- /dev/null
+++ b/attack-pattern/attack-pattern--67291481-c3c0-4b34-86c9-fa2b7694c706.json
@@ -0,0 +1,46 @@
+{
+ "type": "bundle",
+ "id": "bundle--fcb01348-15a2-4573-a72e-a08e72eef42f",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--67291481-c3c0-4b34-86c9-fa2b7694c706",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.164Z",
+ "modified": "2020-02-05T20:28:15.164Z",
+ "name": "Executable Code Optimization",
+ "description": "Code is optimized, making it harder to statically analyze.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/exe-code-optimize.md",
+ "external_id": "M0034"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/Minification_(programming)"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Relative operands of jumps and calls into are made absolute (better compression). May confuse some basic block detection algorithms.",
+ "name": "Jump/Call Absolute Address"
+ },
+ {
+ "definition": "Minification is 'the process of removing all unnecessary characters from source code without changing its functionality.' [[1]](#1) A simple example is when all the unnecessary whitespace and comments are removed. Minification is distinguished from compression in that it neither adds to nor changes the code seen by the interpreter. Minification is often used for malware written in interpreted languages, such as JavaScript, PHP, or Python. Legitimate code that is transmitted many times a second, such as JavaScript on websites, often uses minification to simply reduce the number of bytes transmitted.",
+ "name": "Minification"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
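Review bot: The Minification definition carries a markdown footnote marker, `[[1]](#1)`, that only resolves on the mbc-markdown page it was copied from; inside a STIX object it is a dangling anchor, and the external_source it presumably points at (the Wikipedia entry) has no description field a consumer could match it to. Either drop the marker or name the source inline, e.g. `... without changing its functionality' (Wikipedia, Minification (programming)).`; the same `[[7]](#7)` markers recur throughout the Debugger Detection methods in the hunk for attack-pattern--7178682e-9591-4ebe-a24e-25b7b2ee07a5, where several method definitions consist of nothing but the marker. The Jump/Call Absolute Address definition has a stray word: `"Relative operands of jumps and calls are made absolute (better compression). ..."` is presumably what was meant.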
diff --git a/attack-pattern/attack-pattern--6c58676d-57be-4bbc-a9b2-54a11098ca12.json b/attack-pattern/attack-pattern--6c58676d-57be-4bbc-a9b2-54a11098ca12.json
new file mode 100644
index 00000000..3d8accf1
--- /dev/null
+++ b/attack-pattern/attack-pattern--6c58676d-57be-4bbc-a9b2-54a11098ca12.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--55ad551b-c880-4793-8f1e-df3689b7e80c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--6c58676d-57be-4bbc-a9b2-54a11098ca12",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.193Z",
+ "modified": "2020-02-05T20:28:15.193Z",
+ "name": "Emulator Evasion",
+ "description": "Behaviors that obstruct analysis in an emulator.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-emulator.md",
+ "external_id": "M0005"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--6d80c035-3515-48dc-91cd-9c14c888fbc6.json b/attack-pattern/attack-pattern--6d80c035-3515-48dc-91cd-9c14c888fbc6.json
new file mode 100644
index 00000000..2a2c3a33
--- /dev/null
+++ b/attack-pattern/attack-pattern--6d80c035-3515-48dc-91cd-9c14c888fbc6.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--708bcf68-2cc8-4389-a6f2-c481d66b2ff6",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--6d80c035-3515-48dc-91cd-9c14c888fbc6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.490Z",
+ "modified": "2020-02-05T20:28:15.490Z",
+ "name": "Service Stop",
+ "description": "Malware may stop or disable services on a system.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/service-stop.md",
+ "external_id": "T1489"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1489/",
+ "external_id": "T1489"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--6dd00b46-cafd-4eab-9a94-1cae503e089a.json b/attack-pattern/attack-pattern--6dd00b46-cafd-4eab-9a94-1cae503e089a.json
new file mode 100644
index 00000000..d7a155ef
--- /dev/null
+++ b/attack-pattern/attack-pattern--6dd00b46-cafd-4eab-9a94-1cae503e089a.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--ef861c79-ac07-4431-a550-d166df58c422",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--6dd00b46-cafd-4eab-9a94-1cae503e089a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.135Z",
+ "modified": "2020-02-05T20:28:15.135Z",
+ "name": "Location Tracking",
+ "description": "Malware tracks a system's physical location.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/location-track.md",
+ "external_id": "T1430"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1430/",
+ "external_id": "T1430"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--6fcd4fe2-3997-4591-91e9-987fba8a79fa.json b/attack-pattern/attack-pattern--6fcd4fe2-3997-4591-91e9-987fba8a79fa.json
new file mode 100644
index 00000000..e0fb9f8d
--- /dev/null
+++ b/attack-pattern/attack-pattern--6fcd4fe2-3997-4591-91e9-987fba8a79fa.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--d50ea090-e13c-43e3-b742-339fd8c5129c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--6fcd4fe2-3997-4591-91e9-987fba8a79fa",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.424Z",
+ "modified": "2020-02-05T20:28:15.424Z",
+ "name": "Regsvr32",
+ "description": "Malware may use the Regsvr32.exe command-line program to execute binary code.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/regsvr32.md",
+ "external_id": "T1117"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1117",
+ "external_id": "T1117"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--7178682e-9591-4ebe-a24e-25b7b2ee07a5.json b/attack-pattern/attack-pattern--7178682e-9591-4ebe-a24e-25b7b2ee07a5.json
new file mode 100644
index 00000000..c28d5f52
--- /dev/null
+++ b/attack-pattern/attack-pattern--7178682e-9591-4ebe-a24e-25b7b2ee07a5.json
@@ -0,0 +1,193 @@
+{
+ "type": "bundle",
+ "id": "bundle--e13a7b9b-1a1a-43d2-9244-9f0e298d9f72",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7178682e-9591-4ebe-a24e-25b7b2ee07a5",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.188Z",
+ "modified": "2020-02-05T20:28:15.188Z",
+ "name": "Debugger Detection",
+ "description": "Malware detects whether it's being executed inside a debugger. If so, conditional execution selects a benign execution path.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/detect-debugger.md",
+ "external_id": "M0001"
+ },
+ {
+ "source_name": "external_source",
+ "description": "Alexander Antukh, \"Anti-debugging Techniques Cheat Sheet,\" 19 January 2015.",
+ "url": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet."
+ },
+ {
+ "source_name": "external_source",
+ "description": "Joshua Cannell, Malwarebytes Labs, \"Five Anti-Analysis Tricks that sometimes Fool Analysts,\" 31 March 2016.",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2014/09/five-anti-debugging-tricks-that-sometimes-fool-analysts."
+ },
+ {
+ "source_name": "external_source",
+ "description": "Peter Ferrie, \"The 'Ultimate' Anti-Debugging Reference,\" 4 May 2011.",
+ "url": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf."
+ },
+ {
+ "source_name": "external_source",
+ "description": "Atif Mushtaq, FireEye, \"The Dead Giveaways of VM-Aware Malware,\" 27 January 2011.",
+ "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html."
+ },
+ {
+ "source_name": "external_source",
+ "description": "Ayoub Faouzi (LordNoteworthy), Al-Khaser v0.79.",
+ "url": "https://github.com/LordNoteworthy/al-khaser"
+ },
+ {
+ "source_name": "external_source",
+ "description": "Nicolas Falliere, Symantec, \"Windows Anti-Debug Reference,\" 11 September 2007.",
+ "url": "https://www.symantec.com/connect/articles/windows-anti-debug-reference."
+ },
+ {
+ "source_name": "external_source",
+ "description": "Anti Debugging Tricks, Al-Khaser.",
+ "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "module bounds based [[7]](#7)",
+ "name": "API Hook Detection"
+ },
+ {
+ "definition": "The kernel32!CheckRemoteDebuggerPresent function calls NtQueryInformationProcess with ProcessInformationClass parameter set to 7 (ProcessDebugPort constant).",
+ "name": "CheckRemoteDebuggerPresent"
+ },
+ {
+ "definition": "(NtClose); If an invalid handle is passed to the CloseHandle function and a debugger is present, then an EXCEPTION_INVALID_HANDLE (0xC0000008) exception will be raised. [[7]](#7)",
+ "name": "CloseHandle"
+ },
+ {
+ "definition": "Malware may detect a debugger by its artifact (window title, device driver, exports, etc.).",
+ "name": "Debugger Artifacts"
+ },
+ {
+ "definition": "(SEH/GetThreadContext); Debug registers will indicate the presence of a debugger. See [[7]](#7) for details.",
+ "name": "Hardware Breakpoints"
+ },
+ {
+ "definition": "If int 0x2d is mishandled by the debugger, it can cause a single-byte instruction to be inadvertently skipped, which can be detected by malware.",
+ "name": "Interrupt 0x2d"
+ },
+ {
+ "definition": "[[7]](#7)",
+ "name": "Interrupt 1"
+ },
+ {
+ "definition": "The kernel32!IsDebuggerPresent API function call checks the PEB BeingDebugged flag to see if the calling process is being debugged. 
It returns 1 if the process is being debugged, 0 otherwise. This is one of the most common ways of debugger detection.",
+ "name": "IsDebuggerPresent"
+ },
+ {
+ "definition": "(PAGE_GUARD); Guard pages trigger an exception the first time they are accessed and can be used to detect a debugger. See [[7]](#7) for details.",
+ "name": "Memory Breakpoints"
+ },
+ {
+ "definition": "[[7]](#7)",
+ "name": "Memory Write Watching"
+ },
+ {
+ "definition": "Malware may spawn a monitoring thread to detect tampering, breakpoints, etc.",
+ "name": "Monitoring Thread"
+ },
+ {
+ "definition": "Calling NtQueryInformationProcess with its ProcessInformationClass parameter set to 0x07 (ProcessDebugPort constant) will cause the system to set ProcessInformation to -1 if the process is being debugged. Calling with ProcessInformationClass set to 0x0E (ProcessDebugFlags) or 0x11 (ProcessDebugObject) are used similarly. Testing \"ProcessDebugPort\" is equivalent to using the kernel32!CheckRemoteDebuggerPresent API call (see next method).",
+ "name": "NtQueryInformationProcess"
+ },
+ {
+ "definition": "The ObjectTypeInformation and ObjectAllTypesInformation flags are checked for debugger detection.",
+ "name": "NtQueryObject"
+ },
+ {
+ "definition": "Calling this API with a fake class length or thread handle can indicate whether it is hooked. After calling NtSetInformationThread properly, the HideThreadFromDebugger flag is checked with the NtQueryInformationThread API. [[7]](#7)",
+ "name": "NtSetInformationThread"
+ },
+ {
+ "definition": "[[7]](#7)",
+ "name": "NtYieldExecution/SwitchToThread"
+ },
+ {
+ "definition": "(GetLastError); The OutputDebugString function will demonstrate different behavior depending whether or not a debugger is present. 
See [[7]](#7) for details.",
+ "name": "OutputDebugString"
+ },
+ {
+ "definition": "[[7]](#7)",
+ "name": "Page Exception Breakpoint Detection"
+ },
+ {
+ "definition": "(Explorer.exe); Executing an application by a debugger will result in the parent process being the debugger process rather than the shell process (Explorer.exe) or the command line. Malware checks its parent process; if it's not explorer.exe, it's assumed to be a debugger. [[7]](#7)",
+ "name": "Parent Process"
+ },
+ {
+ "definition": "The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, such as \"BeingDebugged,\" \"NtGlobalFlag,\" and \"IsDebugged\". Testing the value of this PEB field of a particular process can indicate whether the process is being debugged. Testing \"BeingDebugged\" is equivalent to using the kernel32!IsDebuggerPresent API call (see next method).",
+ "name": "Process Environment Block"
+ },
+ {
+ "definition": "[[7]](#7)",
+ "name": "Process Jobs"
+ },
+ {
+ "definition": "Process heaps are affected by debuggers. Malware can detect a debugger by checking heap header fields such as Flags (debugger present if value greater than 2) or ForceFlags (debugger present if value greater than 0).",
+ "name": "ProcessHeap"
+ },
+ {
+ "definition": "Malware may call RtlAdjustPrivilege to detect if a debugger is attached (or to prevent a debugger from attaching).",
+ "name": "RtlAdjustPrivilege"
+ },
+ {
+ "definition": "(Csrss.exe); Using the OpenProcess function on the csrss.exe process can detect a debugger. 
[[7]](#7)",
+ "name": "SeDebugPrivilege"
+ },
+ {
+ "definition": "(Protected Handle);",
+ "name": "SetHandleInformation"
+ },
+ {
+ "definition": "(INT3/0xCC)",
+ "name": "Software Breakpoints"
+ },
+ {
+ "definition": "Similar to the anti-exploitation method of the same name, malware may try to detect mucking with values on the stack.",
+ "name": "Stack Canary"
+ },
+ {
+ "definition": "Malware may access information in the Thread Information Block (TIB) for debug detection or process obfuscation detection. The TIB can be accessed as an offset of the segment register (e.g., fs:[20h]).",
+ "name": "TIB Aware"
+ },
+ {
+ "definition": "Malware may compare time between two points to detect unusual execution, such as the (relative) massive delays introduced by debugging.",
+ "name": "Timing/Delay Checks"
+ },
+ {
+ "definition": "[[7]](#7)",
+ "name": "TLS Callbacks"
+ },
+ {
+ "definition": "The UnhandledExceptionFilter function is called if no registered exception handlers exist, but it will not be reached if a debugger is present. See [[7]](#7) for details.",
+ "name": "UnhandledExceptionFilter"
+ },
+ {
+ "definition": "WudfIsAnyDebuggerPresent, WudfIsKernelDebuggerPresent, WudfIsUserDebuggerPresent",
+ "name": "WudfIsAnyDebuggerPresent"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--71c969b3-1c87-4c02-aa1b-56d111547b1a.json b/attack-pattern/attack-pattern--71c969b3-1c87-4c02-aa1b-56d111547b1a.json
new file mode 100644
index 00000000..ff3ffe91
--- /dev/null
+++ b/attack-pattern/attack-pattern--71c969b3-1c87-4c02-aa1b-56d111547b1a.json
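Review bot: Five of the external_source url values end in a literal period copied from the citation text (the antukh.com, blog.malwarebytes.com, anti-reversing.com, fireeye.com and symantec.com entries), so a consumer that dereferences `url` will request a path that does not exist; strip the trailing `.` from each, e.g. `"url": "https://www.symantec.com/connect/articles/windows-anti-debug-reference"`. The Malwarebytes entry dates the article "31 March 2016" while its URL path says `2014/09`, so one of the two is presumably wrong and should be checked against the source. The methods list is alphabetical, which makes the two cross-references "(see next method)" in the NtQueryInformationProcess and Process Environment Block definitions point the wrong way, since CheckRemoteDebuggerPresent and IsDebuggerPresent come earlier; naming the method, `(see the CheckRemoteDebuggerPresent method)` and `(see the IsDebuggerPresent method)`, would survive any reordering. Several definitions (Interrupt 1, Memory Write Watching, NtYieldExecution/SwitchToThread, Page Exception Breakpoint Detection, Process Jobs, TLS Callbacks) contain only the marker `[[7]](#7)`, which is an empty definition once the markdown anchor is gone; a one-sentence summary or a direct pointer to the Al-Khaser wiki reference would give the STIX consumer something usable.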
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--97a12144-8272-40bf-b815-7cc5752346aa",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--71c969b3-1c87-4c02-aa1b-56d111547b1a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.227Z",
+ "modified": "2020-02-05T20:28:15.227Z",
+ "name": "Network Sniffing",
+ "description": "Malware captures information sent over a wired or wireless connection.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/network-sniff.md",
+ "external_id": "T1040"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1040/",
+ "external_id": "T1040"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--731ecd6a-9782-4272-84f3-f4d5ff3732e0.json b/attack-pattern/attack-pattern--731ecd6a-9782-4272-84f3-f4d5ff3732e0.json
new file mode 100644
index 00000000..87ceb2d1
--- /dev/null
+++ b/attack-pattern/attack-pattern--731ecd6a-9782-4272-84f3-f4d5ff3732e0.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--9082fc94-e0ac-4fbe-9f98-c8eb4bb1e8ce",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--731ecd6a-9782-4272-84f3-f4d5ff3732e0",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.446Z",
+ "modified": "2020-02-05T20:28:15.446Z",
+ "name": "Credentials in Web Browsers",
+ "description": "Malware may acquire credentials from web browsers by reading files specific to the target browser.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/credentials-in-web-browsers.md",
+ "external_id": "T1503"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1503/",
+ "external_id": "T1503"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--739c387d-4465-421d-9b6b-51ca77c52a0d.json b/attack-pattern/attack-pattern--739c387d-4465-421d-9b6b-51ca77c52a0d.json
new file mode 100644
index 00000000..6b5475d5
--- /dev/null
+++ b/attack-pattern/attack-pattern--739c387d-4465-421d-9b6b-51ca77c52a0d.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--4da48746-f286-43c9-ad67-0c1a42022754",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--739c387d-4465-421d-9b6b-51ca77c52a0d",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.406Z",
+ "modified": "2020-02-05T20:28:15.406Z",
+ "name": "Code Signing",
+ "description": "Malware code is digitally signed to appear as legitimate software.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/code-signing.md",
+ "external_id": "T1116"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1116",
+ "external_id": "T1116"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--748576ac-427c-460a-98fd-ab14c2b4f65a.json b/attack-pattern/attack-pattern--748576ac-427c-460a-98fd-ab14c2b4f65a.json
new file mode 100644
index 00000000..635c0e19
--- /dev/null
+++ b/attack-pattern/attack-pattern--748576ac-427c-460a-98fd-ab14c2b4f65a.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--42ad3771-a242-416a-94d8-cdc48cd162be",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--748576ac-427c-460a-98fd-ab14c2b4f65a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.484Z",
+ "modified": "2020-02-05T20:28:15.484Z",
+ "name": "Data Destruction",
+ "description": "Data, system files, or other files are destroyed. Individual files are selected, as opposed to wiping an entire sector.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/data-destruction.md",
+ "external_id": "E1485"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1485/",
+ "external_id": "T1485"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1447/",
+ "external_id": "T1447"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--787fd5df-098b-4def-a02c-b840072a2962.json b/attack-pattern/attack-pattern--787fd5df-098b-4def-a02c-b840072a2962.json
new file mode 100644
index 00000000..c0388e0d
--- /dev/null
+++ b/attack-pattern/attack-pattern--787fd5df-098b-4def-a02c-b840072a2962.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--9e70c569-233f-40c3-b0db-b00a31e5850d",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--787fd5df-098b-4def-a02c-b840072a2962",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.296Z",
+ "modified": "2020-02-05T20:28:15.296Z",
+ "name": "Service Execution",
+ "description": "Malware may execute code via interaction with Windows services (e.g., Service Control Manager).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/service-exe.md",
+ "external_id": "T1035"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1035",
+ "external_id": "T1035"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2.json b/attack-pattern/attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2.json
new file mode 100644
index 00000000..5a84a94f
--- /dev/null
+++ b/attack-pattern/attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--46b53f29-e816-4e1e-b1c6-86fddeb7a4f6",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.219Z",
+ "modified": "2020-02-05T20:28:15.219Z",
+ "name": "File and Directory Discovery",
+ "description": "Malware may enumerate files and/or directories.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/file-and-directory-discover.md",
+ "external_id": "T1083"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1083",
+ "external_id": "T1083"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932.json b/attack-pattern/attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932.json
new file mode 100644
index 00000000..c58c3ede
--- /dev/null
+++ b/attack-pattern/attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--edcf4867-16e6-4f26-ae57-b0ee7d44c0c1",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.239Z",
+ "modified": "2020-02-05T20:28:15.239Z",
+ "name": "System Time Discovery",
+ "description": "Malware may try to get the system time or time zone for a system.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-time-discover.md",
+ "external_id": "T1087"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1124",
+ "external_id": "T1124"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--7a79533e-479c-4272-8220-f639ca223b2e.json b/attack-pattern/attack-pattern--7a79533e-479c-4272-8220-f639ca223b2e.json
new file mode 100644
index 00000000..5eb509d0
--- /dev/null
+++ b/attack-pattern/attack-pattern--7a79533e-479c-4272-8220-f639ca223b2e.json
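Review bot: The mitre-mbc entry says `"external_id": "T1087"` while the mitre-attack entry beside it gives `T1124` in both url and external_id; every sibling file in this release repeats the ATT&CK id in the mitre-mbc entry, so this looks like a typo rather than an intentional mapping, and T1087 is a different ATT&CK technique (Account Discovery) from System Time Discovery. Anyone pivoting from MBC to ATT&CK on external_id would land on the wrong technique; `"external_id": "T1124"` in the mitre-mbc entry would make the two references agree.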
@@ -0,0 +1,40 @@
+{
+ "type": "bundle",
+ "id": "bundle--6eabe0a2-b241-4bc3-92b5-c33d0e32e060",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7a79533e-479c-4272-8220-f639ca223b2e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.332Z",
+ "modified": "2020-02-05T20:28:15.332Z",
+ "name": "Malicious Network Driver",
+ "description": "Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can re-infect the server if it is restarted (persistence), can infect other machines on the network (lateral movement), and can redirect traffic on the network.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/malicious-network-drv.md",
+ "external_id": "M0026"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.zdnet.com/article/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--7aef87fb-3c58-4545-9566-c63439e68c55.json b/attack-pattern/attack-pattern--7aef87fb-3c58-4545-9566-c63439e68c55.json
new file mode 100644
index 00000000..da2b5c68
--- /dev/null
+++ b/attack-pattern/attack-pattern--7aef87fb-3c58-4545-9566-c63439e68c55.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--158fe970-71b7-4bbb-8669-8e9a021188c6",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7aef87fb-3c58-4545-9566-c63439e68c55",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.333Z",
+ "modified": "2020-02-05T20:28:15.333Z",
+ "name": ".bash_profile and .bashrc",
+ "description": "Malware may insert code into these Linux and macOS files to gain persistence.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/bash.md",
+ "external_id": "T1156"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1156",
+ "external_id": "T1156"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--7d617afd-819d-4588-9b22-38470d5b338c.json b/attack-pattern/attack-pattern--7d617afd-819d-4588-9b22-38470d5b338c.json
new file mode 100644
index 00000000..e394b5a4
--- /dev/null
+++ b/attack-pattern/attack-pattern--7d617afd-819d-4588-9b22-38470d5b338c.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--3adbafd6-e92e-424a-bae1-a42edc0feb4e",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7d617afd-819d-4588-9b22-38470d5b338c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.480Z",
+ "modified": "2020-02-05T20:28:15.480Z",
+ "name": "Denial of Service",
+ "description": "Malware may make a network unavailable, for example, by launching a network-based denial of service (DoS) attack.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/denial-of-service.md",
+ "external_id": "M0033"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1498/",
+ "external_id": "T1498"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--7ea4b671-1dba-4990-9c5c-f36ae7ea1cbe.json b/attack-pattern/attack-pattern--7ea4b671-1dba-4990-9c5c-f36ae7ea1cbe.json
new file mode 100644
index 00000000..4bd97f20
--- /dev/null
+++ b/attack-pattern/attack-pattern--7ea4b671-1dba-4990-9c5c-f36ae7ea1cbe.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--4a357871-cf92-43ca-9029-21c7c717e060",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7ea4b671-1dba-4990-9c5c-f36ae7ea1cbe",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.265Z",
+ "modified": "2020-02-05T20:28:15.265Z",
+ "name": "Web Service",
+ "description": "Malware may use existing external Web services for relaying C2 commands.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/web-service.md",
+ "external_id": "T1102"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1102/",
+ "external_id": "T1102"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8.json b/attack-pattern/attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8.json
new file mode 100644
index 00000000..7015a5da
--- /dev/null
+++ b/attack-pattern/attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--87af2c9e-4504-4345-90f9-45d1292f2ce7",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.118Z",
+ "modified": "2020-02-05T20:28:15.118Z",
+ "name": "Data from Local System",
+ "description": "Malware collects sensitive data from local system sources.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/data-local-system.md",
+ "external_id": "T1005"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1005/",
+ "external_id": "T1005"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--8063d2a0-1f1b-4210-a56d-4375aafda2a1.json b/attack-pattern/attack-pattern--8063d2a0-1f1b-4210-a56d-4375aafda2a1.json
new file mode 100644
index 00000000..3173cb9e
--- /dev/null
+++ b/attack-pattern/attack-pattern--8063d2a0-1f1b-4210-a56d-4375aafda2a1.json
@@ -0,0 +1,45 @@
+{
+ "type": "bundle",
+ "id": "bundle--20f79a10-db62-4976-b199-b46bf6198795",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--8063d2a0-1f1b-4210-a56d-4375aafda2a1",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.439Z",
+ "modified": "2020-02-05T20:28:15.439Z",
+ "name": "DLL Search Order Hijacking",
+ "description": "Malware may place a malicious DLL with the same name as a legitimate, but ambiguously specified, DLL in a location that Windows searches before the legitimate DLL (called a binary planting attack).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/dll-search-order-hijack.md",
+ "external_id": "T1038"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1038",
+ "external_id": "T1038"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--82b3164a-89f4-423b-bc38-a6d942493658.json b/attack-pattern/attack-pattern--82b3164a-89f4-423b-bc38-a6d942493658.json
new file mode 100644
index 00000000..a8f1ee9d
--- /dev/null
+++ b/attack-pattern/attack-pattern--82b3164a-89f4-423b-bc38-a6d942493658.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--35d3537e-684c-420e-afdc-27034fdd5f7a",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--82b3164a-89f4-423b-bc38-a6d942493658",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.108Z",
+ "modified": "2020-02-05T20:28:15.108Z",
+ "name": "Pass the Hash",
+ "description": "Malware may capture valid password hashes, which are then used for authentication, enabling lateral movement.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/pass-the-hash.md",
+ "external_id": "T1075"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1075",
+ "external_id": "T1075"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--82db8cfb-f51f-4903-b652-cd8a2e4166fa.json b/attack-pattern/attack-pattern--82db8cfb-f51f-4903-b652-cd8a2e4166fa.json
new file mode 100644
index 00000000..a71eb622
--- /dev/null
+++ b/attack-pattern/attack-pattern--82db8cfb-f51f-4903-b652-cd8a2e4166fa.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--d5dd12e2-7308-46ae-8210-476e7455e8b2",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--82db8cfb-f51f-4903-b652-cd8a2e4166fa",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.492Z",
+ "modified": "2020-02-05T20:28:15.492Z",
+ "name": "Exploit Kit Behavior",
+ "description": "An Exploit Kit is a toolkit that exploits vulnerabilities in software to deliver malicious payloads (malware).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/exploit-kit-behavior.md",
+ "external_id": "E1190"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1190",
+ "external_id": "T1190"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--82e0ca52-1f6e-475f-89cf-9817a5e4cc60.json b/attack-pattern/attack-pattern--82e0ca52-1f6e-475f-89cf-9817a5e4cc60.json
new file mode 100644
index 00000000..77bf49d1
--- /dev/null
+++ b/attack-pattern/attack-pattern--82e0ca52-1f6e-475f-89cf-9817a5e4cc60.json
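Review bot: The phase and ATT&CK mapping on this object do not match its own description: the text defines an exploit kit as a toolkit that exploits software vulnerabilities to deliver malware, which is a delivery/initial-access behavior, yet the only kill-chain phase is `"phase_name": "impact"` and the mitre-attack reference is T1190, which as far as I recall covers exploitation of public-facing server applications rather than client-side exploitation by a kit. If the E1190 identifier was chosen deliberately to mirror T1190, a sentence in the description stating that the ATT&CK link is only an approximate correspondence would stop downstream tooling and readers from treating the two as equivalent; otherwise consider whether an earlier phase and a client-side/drive-by exploitation technique fit better. This is inferred from the visible text only, so confirm against the MBC markdown page the mitre-mbc URL points to before changing the mapping.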
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--d1dd1c71-125e-4d99-90e0-65c28b0d3782",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--82e0ca52-1f6e-475f-89cf-9817a5e4cc60",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.127Z",
+ "modified": "2020-02-05T20:28:15.127Z",
+ "name": "Video Capture",
+ "description": "Malware captures video recordings.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/video-capture.md",
+ "external_id": "T1125"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1125/",
+ "external_id": "T1125"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--83754954-2d7e-48d5-9f88-034dc202ed48.json b/attack-pattern/attack-pattern--83754954-2d7e-48d5-9f88-034dc202ed48.json
new file mode 100644
index 00000000..18613503
--- /dev/null
+++ b/attack-pattern/attack-pattern--83754954-2d7e-48d5-9f88-034dc202ed48.json
@@ -0,0 +1,36 @@
+{
+ "type": "bundle",
+ "id": "bundle--6433b830-0b8e-4adf-97ac-67ba2077c95d",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--83754954-2d7e-48d5-9f88-034dc202ed48",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.494Z",
+ "modified": "2020-02-05T20:28:15.494Z",
+ "name": "Spamming",
+ "description": "Malware may use a victim machine to create and send spam.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/spamming.md",
+ "external_id": "M0039"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://techcrunch.com/2019/07/12/trickbot-spam-millions-emails/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--8429c75f-5cf7-4057-90b7-e94a0c8f7060.json b/attack-pattern/attack-pattern--8429c75f-5cf7-4057-90b7-e94a0c8f7060.json
new file mode 100644
index 00000000..140fd7cb
--- /dev/null
+++ b/attack-pattern/attack-pattern--8429c75f-5cf7-4057-90b7-e94a0c8f7060.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--ec01dc40-69b8-4fed-b4b2-0d17e436ed4a",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--8429c75f-5cf7-4057-90b7-e94a0c8f7060",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.365Z",
+ "modified": "2020-02-05T20:28:15.365Z",
+ "name": "Hidden Files and Directories",
+ "description": "Malware may hide files and folders to avoid detection and/or to persist on the system. See potential methods below.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/hidden-files.md",
+ "external_id": "E1158"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1158",
+ "external_id": "T1158"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--867bc93b-83c8-4bcd-876b-a8f190dd7de7.json b/attack-pattern/attack-pattern--867bc93b-83c8-4bcd-876b-a8f190dd7de7.json
new file mode 100644
index 00000000..0b9dd8b4
--- /dev/null
+++ b/attack-pattern/attack-pattern--867bc93b-83c8-4bcd-876b-a8f190dd7de7.json
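Review bot: The description ends with `See potential methods below.` but this object carries no methods: there is no `x_mitre_methods` array here, unlike the Debugger Evasion object later in this patch, so a STIX consumer rendering the object has nothing for the sentence to refer to. Either emit the methods list from the markdown source as an `x_mitre_methods` property on this object, or drop the dangling sentence, e.g. `"description": "Malware may hide files and folders to avoid detection and/or to persist on the system."`. If the text is copied verbatim from the mbc-markdown page, the generator should strip such page-relative references when producing standalone STIX so the next release does not reintroduce them.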
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--b7799c71-5e7d-4eff-987f-2a3a1200724c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--867bc93b-83c8-4bcd-876b-a8f190dd7de7",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.310Z",
+ "modified": "2020-02-05T20:28:15.310Z",
+ "name": "System Firmware",
+ "description": "Malware may overwrite the system firmware with malicious firmware that is difficult to detect and/or enables persistence.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/system-firmware.md",
+ "external_id": "T1019"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1109/",
+ "external_id": "T1109"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--869a8bc4-8a40-470c-8a6b-35d80635bd09.json b/attack-pattern/attack-pattern--869a8bc4-8a40-470c-8a6b-35d80635bd09.json
new file mode 100644
index 00000000..bfd96aa7
--- /dev/null
+++ b/attack-pattern/attack-pattern--869a8bc4-8a40-470c-8a6b-35d80635bd09.json
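Review bot: The two external references disagree on the ATT&CK identifier: the mitre-mbc entry carries `"external_id": "T1019"` while the mitre-attack entry points at `https://attack.mitre.org/techniques/T1109/` with `"external_id": "T1109"`. Every other object in this patch uses the same ID in both entries, and the object is named System Firmware, which matches T1019 (T1109 is a different firmware technique in ATT&CK, if I recall correctly), so one of the two looks like a copy error. The likely fix is `"url": "https://attack.mitre.org/techniques/T1019/", "external_id": "T1019"`, but confirm against the MBC markdown page first; a mismatched pair silently breaks any tooling that joins MBC objects to ATT&CK on external_id.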
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--83dea63a-55f8-47ee-a64c-1bfa7a62633c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--869a8bc4-8a40-470c-8a6b-35d80635bd09",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.210Z",
+ "modified": "2020-02-05T20:28:15.210Z",
+ "name": "Device Type Discovery",
+ "description": "Android malware may get device type information through the android.os.Build class.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/device-type-discover.md",
+ "external_id": "T1419"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1419",
+ "external_id": "T1419"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--893190c4-3228-4d10-854b-cd8469fb9172.json b/attack-pattern/attack-pattern--893190c4-3228-4d10-854b-cd8469fb9172.json
new file mode 100644
index 00000000..81bdc6cf
--- /dev/null
+++ b/attack-pattern/attack-pattern--893190c4-3228-4d10-854b-cd8469fb9172.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--75f4f12e-0a56-4ff9-a469-85a0cc85158f",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--893190c4-3228-4d10-854b-cd8469fb9172",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.128Z",
+ "modified": "2020-02-05T20:28:15.128Z",
+ "name": "Data Staged",
+ "description": "Malware stages collected data prior to [Exfiltration](https://github.com/MBCProject/mbc-markdown/tree/master/exfiltration).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/data-staged.md",
+ "external_id": "T1074"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1074/",
+ "external_id": "T1074"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--89685060-9bc7-48f1-aa8e-4c70f08f8935.json b/attack-pattern/attack-pattern--89685060-9bc7-48f1-aa8e-4c70f08f8935.json
new file mode 100644
index 00000000..41f3623d
--- /dev/null
+++ b/attack-pattern/attack-pattern--89685060-9bc7-48f1-aa8e-4c70f08f8935.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--1fe1cb69-b96c-448b-b846-590c5aab8378",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--89685060-9bc7-48f1-aa8e-4c70f08f8935",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.396Z",
+ "modified": "2020-02-05T20:28:15.396Z",
+ "name": "Rundll32",
+ "description": "Malware may use the Rundll32.exe program to execute binary code.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/rundll32.md",
+ "external_id": "T1085"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1085",
+ "external_id": "T1085"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--8bce1da7-4e1f-49f9-bafe-3fbeb32413fb.json b/attack-pattern/attack-pattern--8bce1da7-4e1f-49f9-bafe-3fbeb32413fb.json
new file mode 100644
index 00000000..9d5f520d
--- /dev/null
+++ b/attack-pattern/attack-pattern--8bce1da7-4e1f-49f9-bafe-3fbeb32413fb.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--f4e45ad8-2b8a-4e42-b800-d45052704757",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--8bce1da7-4e1f-49f9-bafe-3fbeb32413fb",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.241Z",
+ "modified": "2020-02-05T20:28:15.241Z",
+ "name": "Multi-Stage Channels",
+ "description": "Malware may create multiple stages for command and control, making detection more difficult.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/multi-stage-channels.md",
+ "external_id": "T1104"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1104/",
+ "external_id": "T1104"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--8da9c3ba-1ff0-4390-a2e4-7d859b4f5cc8.json b/attack-pattern/attack-pattern--8da9c3ba-1ff0-4390-a2e4-7d859b4f5cc8.json
new file mode 100644
index 00000000..d874dee7
--- /dev/null
+++ b/attack-pattern/attack-pattern--8da9c3ba-1ff0-4390-a2e4-7d859b4f5cc8.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--d86758b5-0a58-4e66-912c-d36b8a9c9f6f",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--8da9c3ba-1ff0-4390-a2e4-7d859b4f5cc8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.237Z",
+ "modified": "2020-02-05T20:28:15.237Z",
+ "name": "SMTP Connection Discovery",
+ "description": "Malware may test whether an outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/smtp-connect-discover.md",
+ "external_id": "M0014"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--8ea02c43-667a-4db1-86f4-89cf99d7f6f9.json b/attack-pattern/attack-pattern--8ea02c43-667a-4db1-86f4-89cf99d7f6f9.json
new file mode 100644
index 00000000..b5182c3f
--- /dev/null
+++ b/attack-pattern/attack-pattern--8ea02c43-667a-4db1-86f4-89cf99d7f6f9.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--1d3e204f-21dd-4e7c-a314-8b44828cfb8c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--8ea02c43-667a-4db1-86f4-89cf99d7f6f9",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.230Z",
+ "modified": "2020-02-05T20:28:15.230Z",
+ "name": "Network Service Scanning",
+ "description": "Malware may try to a listing of services running on remotes hosts.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/network-service-scan.md",
+ "external_id": "T1046"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1046",
+ "external_id": "T1046"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--8ee90538-b608-4379-bfef-d906cb366305.json b/attack-pattern/attack-pattern--8ee90538-b608-4379-bfef-d906cb366305.json
new file mode 100644
index 00000000..f5813afc
--- /dev/null
+++ b/attack-pattern/attack-pattern--8ee90538-b608-4379-bfef-d906cb366305.json
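Review bot: The description is missing its verb and misspells a word, so `Malware may try to a listing of services running on remotes hosts.` reads as garbled text in any STIX consumer that displays it. Suggest `"description": "Malware may try to get a listing of services running on remote hosts."`. If this text is generated from the mbc-markdown page, apply the fix upstream there as well so the next release does not regenerate the typo.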
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--c4c26002-8d61-4eb0-8163-dd91c5b575a9",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--8ee90538-b608-4379-bfef-d906cb366305",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.290Z",
+ "modified": "2020-02-05T20:28:15.290Z",
+ "name": "Windows Management Instrumentation",
+ "description": "Malware may use Windows Management Instrumentation (WMI) to perform a variety of operations.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/windows-mgt-inst.md",
+ "external_id": "T1047"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1047",
+ "external_id": "T1047"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--8f470860-de90-44e9-b88f-4b188918bb7c.json b/attack-pattern/attack-pattern--8f470860-de90-44e9-b88f-4b188918bb7c.json
new file mode 100644
index 00000000..1d513616
--- /dev/null
+++ b/attack-pattern/attack-pattern--8f470860-de90-44e9-b88f-4b188918bb7c.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--05245889-303c-4e38-bed8-70d1da02c531",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--8f470860-de90-44e9-b88f-4b188918bb7c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.270Z",
+ "modified": "2020-02-05T20:28:15.270Z",
+ "name": "Commonly Used Port",
+ "description": "Malware may use a common port to avoid detection of command and control activity.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/common-port.md",
+ "external_id": "T1043"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1043/",
+ "external_id": "T1043"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1436/",
+ "external_id": "T1436"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--90087c64-921d-4aef-bbb4-8fad5ba7c812.json b/attack-pattern/attack-pattern--90087c64-921d-4aef-bbb4-8fad5ba7c812.json
new file mode 100644
index 00000000..3752a1c5
--- /dev/null
+++ b/attack-pattern/attack-pattern--90087c64-921d-4aef-bbb4-8fad5ba7c812.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--3c03fe8f-02ba-4de1-9a60-48464df0d8ae",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--90087c64-921d-4aef-bbb4-8fad5ba7c812",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.309Z",
+ "modified": "2020-02-05T20:28:15.309Z",
+ "name": "Office Application Startup",
+ "description": "Malware may use a mechanism with Office for persistence when an Office-based application is started.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/office-app-startup.md",
+ "external_id": "T1137"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1137",
+ "external_id": "T1137"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--915a827a-d63c-46f0-ad85-0e2bf894c527.json b/attack-pattern/attack-pattern--915a827a-d63c-46f0-ad85-0e2bf894c527.json
new file mode 100644
index 00000000..46569ada
--- /dev/null
+++ b/attack-pattern/attack-pattern--915a827a-d63c-46f0-ad85-0e2bf894c527.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--0f73dae4-4a83-4376-9187-98946d80f104",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--915a827a-d63c-46f0-ad85-0e2bf894c527",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.136Z",
+ "modified": "2020-02-05T20:28:15.136Z",
+ "name": "Automated Collection",
+ "description": "Malware uses automated techniques for collecting system data.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/auto-collect.md",
+ "external_id": "T1119"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1119/",
+ "external_id": "T1119"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--916ef5a6-4865-4da7-bd65-664a0bdd536a.json b/attack-pattern/attack-pattern--916ef5a6-4865-4da7-bd65-664a0bdd536a.json
new file mode 100644
index 00000000..3b608ac8
--- /dev/null
+++ b/attack-pattern/attack-pattern--916ef5a6-4865-4da7-bd65-664a0bdd536a.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--26ff5f61-f0eb-4cba-82a3-18046d0305cd",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--916ef5a6-4865-4da7-bd65-664a0bdd536a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.345Z",
+ "modified": "2020-02-05T20:28:15.345Z",
+ "name": "Exfiltration Over Physical Medium",
+ "description": "Malware may exfiltrate data via a physical medium or device (e.g., USB drive).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "exfiltration"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/exfil-over-physical-medium.md",
+ "external_id": "T1052"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1052/",
+ "external_id": "T1052"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--9188ea31-fa9e-4fad-949b-f705e0fabd20.json b/attack-pattern/attack-pattern--9188ea31-fa9e-4fad-949b-f705e0fabd20.json
new file mode 100644
index 00000000..c13dd2bd
--- /dev/null
+++ b/attack-pattern/attack-pattern--9188ea31-fa9e-4fad-949b-f705e0fabd20.json
@@ -0,0 +1,174 @@
+{
+ "type": "bundle",
+ "id": "bundle--be722ba6-4523-4190-9601-1538a540fba3",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9188ea31-fa9e-4fad-949b-f705e0fabd20",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.172Z",
+ "modified": "2020-02-05T20:28:15.172Z",
+ "name": "Debugger Evasion",
+ "description": "Behaviors that make debugging difficult.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-debugger.md",
+ "external_id": "M0002"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.synack.com/2016/02/17/analyzing-the-anti-analysis-logic-of-an-adware-installer/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://phishme.com/dridex-code-breaking-modify-the-malware-to-bypass-the-vm-bypass/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://unprotect.tdgt.org/index.php/Unprotect_Project"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Block interrupt (via hooking) 1 and/or 3 to prevent debuggers from working.",
+ "name": "Block Interrupts"
+ },
+ {
+ "definition": "Intentionally clearing software or hardware breakpoints.",
+ "name": "Break Point Clearing"
+ },
+ {
+ "definition": "Move or copy the first bytes / instructions of the original code elsewhere. AKA stolen bytes or code splicing. 
For example, a packer may incorporate the first few instructions of the original EntryPoint (EP) into its unpacking stub before the tail transition in order to confuse automated unpackers and novice analysts. This can make it harder for rebuilding and may bypass breakpoints if set prematurely.",
+ "name": "Byte Stealing"
+ },
+ {
+ "definition": "Changinging this value during run time can prevent some debuggers from attaching. Also confuses some unpackers and dumpers.",
+ "name": "Change SizeOfImage"
+ },
+ {
+ "definition": "Check that the unpacking code is unmodified. Variation exists where unpacking code is part of the \"key\" used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.",
+ "name": "Code Integrity Check"
+ },
+ {
+ "definition": "Using exception handling (SEH) to cause flow of program to non-obvious paths.",
+ "name": "Exception Misdirection"
+ },
+ {
+ "definition": "CALL to a POP; finds base of code or data, often the packed version of the code; also used often in obfuscated/packed shellcode.",
+ "name": "Get Base Indirectly"
+ },
+ {
+ "definition": "Encrypt blocks of code individually and decrypt temporarily only upon execution.",
+ "name": "Guard Pages"
+ },
+ {
+ "definition": "modification of interrupt vector or descriptor tables.",
+ "name": "Hook Interrupt"
+ },
+ {
+ "definition": "Add obfuscation between imports calls and APIs.",
+ "name": "Import Obfuscation"
+ },
+ {
+ "definition": "variation of static linking where full API code inserted everywhere it would have been called.",
+ "name": "Inlining"
+ },
+ {
+ "definition": "Use SEH or other methods to break out of a loop instead of a conditional jump.",
+ "name": "Loop Escapes"
+ },
+ {
+ "definition": "Instead of unpacking into a pre-defined section/segment (ex: .text) of the binary, use malloc() / VirtualAlloc() to create a new segment. 
This makes keeping track of memory locations across different runs more difficult, as there is no guarantee that malloc/VirtualAlloc will assign the same address range each time.",
+ "name": "Malloc Use"
+ },
+ {
+ "definition": "Any part of the header is changed or erased.",
+ "name": "Modify PE Header"
+ },
+ {
+ "definition": "int3 with code replacement table; debugs itself.",
+ "name": "Nanomites"
+ },
+ {
+ "definition": "LoadLibrary API calls or direct access of kernel32 via PEB (fs[0]) pointers, used to rebuild IAT or just obfuscate library use.",
+ "name": "Obfuscate Library Use"
+ },
+ {
+ "definition": "Use several parallel threads to make analysis harder.",
+ "name": "Parallel Threads"
+ },
+ {
+ "definition": "Take advantage of pipelining in modern processors to misdirect debugging, emulation, or static analysis tools. An unpacker can assume a certain number of opcodes will be cached and then proceed to overwrite them in memory, causing a debugger/emulator/analyzer to follow different code than is normally executed.",
+ "name": "Pipeline Misdirection"
+ },
+ {
+ "definition": "Prevents debugger from attaching to process or to break until after the code of interest has been executed",
+ "name": "Pre-Debug"
+ },
+ {
+ "definition": "relocate API code in separate buffer (calls don’t lead to imported DLLs).",
+ "name": "Relocate API Code"
+ },
+ {
+ "definition": "Overwrite the RET address on the stack or the code at the RET address. 
Variation seen that writes to the start-up code or main module that called the malware's WinMain or DllMain.",
+ "name": "Return Obfuscation"
+ },
+ {
+ "definition": "Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.",
+ "name": "RtlAdjustPrivilege"
+ },
+ {
+ "definition": "Some analysis tools cannot handle binaries with misaligned sections.",
+ "name": "Section Misalignment"
+ },
+ {
+ "definition": "Debug itself to prevent another debugger to be attached.",
+ "name": "Self-Debugging"
+ },
+ {
+ "definition": "UnmapViewOfFile() on itself",
+ "name": "Self-Unmapping"
+ },
+ {
+ "definition": "Copy locally the whole content of API code.",
+ "name": "Static Linking"
+ },
+ {
+ "definition": "A variation of \"byte stealing\" where the first few instructions or bytes of an API are executed in user code, allowing the IAT to point into the middle of an API function. This confuses IAT rebuilders such as ImpRec and Scylla and may bypass breakpoints.",
+ "name": "Stolen API Code"
+ },
+ {
+ "definition": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).",
+ "name": "Tampering"
+ },
+ {
+ "definition": "Setting dwMilliseconds in WaitForSingleObject to a small number will timeout the thread before the analyst can step through and analyze the code executing in the thread. Modifying this via patch, register, or stack to the value `0xFFFFFFFF`, the **INFINITE** constant circumvents this anti-debugging technique.",
+ "name": "Thread Timeout"
+ },
+ {
+ "definition": "The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption \"key\".",
+ "name": "Use Interrupts"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6.json b/attack-pattern/attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6.json
new file mode 100644
index 00000000..1800fccd
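Review bot: The `Byte Stealing`, `Malloc Use` and `Return Obfuscation` definitions break mid-string with the continuation carrying no `+` marker, yet the hunk header counts 174 added lines, which is exactly the number of `+` lines, so whatever sits at that position is not an LF; either this rendering wrapped the line or the string holds a non-LF terminator such as a CR (an unescaped control character, rejected by strict RFC 8259 parsers) or U+2028 (valid JSON, but a known breaker for JavaScript consumers). Worth checking the raw bytes and, if a real character is there, replacing it with the two-character escape `\n` that the `Check Windows` definition in the attack-pattern--91907ea3 hunk already uses. The same mid-string break appears in the 91907ea3 (`Check File and Directory Artifacts`, `Check Running Services`, `Human User Check`, `Unique Hardware/Firmware Check`) and 92557c19 (`CreateRemoteThread`, `Registry Modification`) hunks. Separately, `Changinging this value during run time` in the `Change SizeOfImage` definition should read `Changing this value during run time`.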
--- /dev/null
+++ b/attack-pattern/attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6.json
@@ -0,0 +1,111 @@
+{
+ "type": "bundle",
+ "id": "bundle--1c4c7009-11e0-492a-9bc9-6f09945e65fb",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.203Z",
+ "modified": "2020-02-05T20:28:15.203Z",
+ "name": "Virtual Machine Detection",
+ "description": "Detects whether the malware instance is being executed in a virtual machine (VM), such as VMWare. If so, conditional execution selects a benign execution path.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/detect-vm.md",
+ "external_id": "M0009"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://unprotect.tdgt.org/index.php/Sandbox_Evasion"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.hackread.com/gravityrat-malware-evades-detection-targets-india/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1497/",
+ "external_id": "T1497"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Virtual machines create files on the file system (e.g., VMware creates files in the installation directory C:\\Program Files\\VMware\\VMware Tools). 
Malware can check the different folders to find virtual machine artifacts (e.g., Virtualbox has the artifact VBoxMouse.sys). [[2]](#2)",
+ "name": "Check File and Directory Artifacts"
+ },
+ {
+ "definition": "VMware leaves many artifacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognizable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts. [[2]](#2)",
+ "name": "Check Memory Artifacts"
+ },
+ {
+ "definition": "Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or other places.",
+ "name": "Check Named System Objects"
+ },
+ {
+ "definition": "The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. Malware can list the process and searches for the VMware string. Process related to Virtualbox can be detected by malware by query the process list. [[2]](#2)",
+ "name": "Check Processes"
+ },
+ {
+ "definition": "Virtual machines register artifacts in the registry, which can be detected by malware. For example, a search for \"VMware\" or \"VBOX\" in the registry might reveal keys that include information about a virtual hard drive, adapters, running services, or virtual mouse. [[2]](#2) Example registry key value artifacts include \"HARDWARE\\Description\\System (SystemBiosVersion) (VBOX)\" and \"SYSTEM\\ControlSet001\\Control\\SystemInformation (SystemManufacturer) (VMWARE)\"; example registry key artifacts include \"SOFTWARE\\VMware, Inc.\\VMware Tools (VMWARE)\" and \"SOFTWARE\\Oracle\\VirtualBox Guest Additions (VBOX)\". [[5]](#5)",
+ "name": "Check Registry Keys"
+ },
+ {
+ "definition": "VMwareService.exe runs the VMware Tools Service as a child of services.exe. 
It can be identified by listing services. [[2]](#2)",
+ "name": "Check Running Services"
+ },
+ {
+ "definition": "The presence of virtual devices can indicate a virtualized environment (e.g., \"\\\\.\\VBoxTrayIPC\"). [[5]](#5)",
+ "name": "Check Virtual Devices"
+ },
+ {
+ "definition": "Malware may check windows for VM-related characteristics such as:\n\t* *Window size*: tiny window size may indicate a VM.\n\t* *Unique windows*: may check for the presence of known windows from analysis tools running in a VM.\n\t* *Title bars*: may inject malicious code to svchost.exe to check all open window title bar text to a list of strings indicating virtualized environment.",
+ "name": "Check Windows"
+ },
+ {
+ "definition": "Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process responsible for these tasks, via its name or other methods, is a technique employed by malware for detecting whether it is being executed in a virtual machine.",
+ "name": "Guest Process Testing"
+ },
+ {
+ "definition": "In three browser families, it is possible to extract the frequency of the Windows performance counter frequency, using standard HTML and Javascript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines.",
+ "name": "HTML5 Performance Object Check"
+ },
+ {
+ "definition": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. 
Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel, change in foreground window [[5]](#5).",
+ "name": "Human User Check"
+ },
+ {
+ "definition": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. A machine with substandard specifications indicates a virtual environment: \n * *Total physical memory*: most modern machines have at leave 4 GB of memory. (GlobalMemoryStatusEx) [[5]](#5).\n * *Drive size*: most modern machines have at least 80 GB disks. May use DeviceloControl (IOCTL_DISK_GET_LENGTH_INFO) or GetDiskFreeSpaceEx (TotalNumberOfBytes) [[5]](#5).\n * *USB drive*: checks whether there is a potential USB drive; if not a virtual environment is suspected.\n * *Printer*: checks whether there is a potential connected printer or default Windows printers; if not a virtual environment is suspected.\n * *Processor count*: checks number of processors; single CPU machines are suspect.\n * *Keyboard layout*\n * *Software*: checks whether software is relatively current.",
+ "name": "Modern Specs Check"
+ },
+ {
+ "definition": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. Items checked include:\n * *BIOS*: characteristics of the BIOS, such as version, can indicate virtualization.\n * *I/O Communication Port*: VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. The port can be queried and compared with a magic number VMXh to identify the use of VMware.\n * *CPU Name*\n * *CPU Location*: When an Operating System is virtualized, the CPU is relocated. [[2]](#2)\n * *MAC Address*: VMware uses specific virtual MAC address that can be detected. 
The usual MAC address used started with the following numbers: \"00:0C:29\", \"00:1C:14\", \"00:50:56\", \"00:05:69\". Virtualbox uses specific virtual MAC address that can be detected by Malware. The usual MAC address used started with the following numbers: 08:00:27. [[2]](#2)",
+ "name": "Unique Hardware/Firmware Check"
+ },
+ {
+ "definition": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. [[2]](#2)\n * *SIDT (red pill)*: Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest's IDTR to avoid conflict with the host's IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned.\n * *SGDT/SLDT (no pill)*: The No Pill technique relies on the fact that the LDT structure is assigned to a processor not an Operating System. The LDT location on a host machine will be zero and on a virtual machine will be non-zero.\n * *SMSW*\n * *STR*\n * *CPUID*: Checking the CPU ID found within the registry can provide information to system type.\n * *IN*\n * *RDTSC*\n * *VMCPUID*\n * *VPCEXT*",
+ "name": "x86 Instruction Testing"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--91b54219-5f02-4c6d-aaec-7bfb45e22cc4.json b/attack-pattern/attack-pattern--91b54219-5f02-4c6d-aaec-7bfb45e22cc4.json
new file mode 100644
index 00000000..2e613b53
--- /dev/null
+++ b/attack-pattern/attack-pattern--91b54219-5f02-4c6d-aaec-7bfb45e22cc4.json
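Review bot: The `[[2]](#2)` and `[[5]](#5)` markers in the `x_mitre_methods` definitions are markdown footnote anchors carried over from the source page, but the STIX `external_references` array carries no numbering, so a consumer of this object cannot tell which of the four `external_source` entries a marker refers to. Carrying the citation in each reference's `description` (as the attack-pattern--92557c19 hunk does for the Hosseini survey) and dropping the anchors from the definitions would keep the provenance without the dangling links; the same markers recur in the 92557c19 and 9ca32a1e hunks. Two typos in the `Modern Specs Check` definition look like transcription errors: `at leave 4 GB` should be `at least 4 GB`, and `DeviceloControl` (lowercase L) should be `DeviceIoControl`.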
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--867da7cc-59b0-4f53-a5d2-b1fffc7c4404",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--91b54219-5f02-4c6d-aaec-7bfb45e22cc4",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.316Z",
+ "modified": "2020-02-05T20:28:15.316Z",
+ "name": "AppInit DLLs",
+ "description": "Malware may abuse DLLs specified in the registry AppInit_DLLs value to load and run malicious DLLs.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/appinit-dlls.md",
+ "external_id": "T1103"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1103/",
+ "external_id": "T1103"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--9204fe33-1848-4be0-a1f6-0fc2841a9753.json b/attack-pattern/attack-pattern--9204fe33-1848-4be0-a1f6-0fc2841a9753.json
new file mode 100644
index 00000000..f699335d
--- /dev/null
+++ b/attack-pattern/attack-pattern--9204fe33-1848-4be0-a1f6-0fc2841a9753.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--d4614103-bc8b-49ca-927d-60cceae3bd87",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9204fe33-1848-4be0-a1f6-0fc2841a9753",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.233Z",
+ "modified": "2020-02-05T20:28:15.233Z",
+ "name": "Self Discovery",
+ "description": "Malware may gather information about itself, such as its filename or size on disk.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/self-discover.md",
+ "external_id": "M0038"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8.json b/attack-pattern/attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8.json
new file mode 100644
index 00000000..641b114c
--- /dev/null
+++ b/attack-pattern/attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8.json
@@ -0,0 +1,100 @@
+{
+ "type": "bundle",
+ "id": "bundle--2b03f4c2-894d-49cf-ba59-01874987b721",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.390Z",
+ "modified": "2020-02-05T20:28:15.390Z",
+ "name": "Process Injection",
+ "description": "Malware may execute code in the address space of a separate process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/process-inject.md",
+ "external_id": "E1055"
+ },
+ {
+ "source_name": "external_source",
+ "description": "Ashkan Hosseini, *Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques*, July 2017.",
+ "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://github.com/LordNoteworthy/al-khaser"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1055",
+ "external_id": "T1055"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Injects code using the Shell_TRyaWnd technique.",
+ "name": "Shell_TrayWnd"
+ },
+ {
+ "definition": "Malware creates a thread using CreateRemoteThread (or NtCreateThreadEx, 
RtlCreateUserThread) and LoadLibrary. The path to the malware's malicious dynamic-link library (DLL) is written in the virtual address space of another process; the malware ensures the remote process loads it by creating a remote thread in the target process. This is one of the most common process injection methods. [[1]](#1)",
+ "name": "CreateRemoteThread"
+ },
+ {
+ "definition": "Malware copies its malicious code into an existing open process and causes it to execute via shellcode or by calling CreateRemoteThread (instead of passing the address of the LoadLibrary) [[1]](#1)",
+ "name": "PE Injection"
+ },
+ {
+ "definition": "Malware targets an existing thread of a process, avoiding noisy process or thread creations operations. [[1]](#1)",
+ "name": "Thread Execution Hijacking"
+ },
+ {
+ "definition": "Malware can leverage hooking functionality to have its malicious DLL loaded upon an event getting triggered in a specific thread, which is usually done by calling SetWindowsHookEx to install a hook routine into the hook chain. [[1]](#1)",
+ "name": "SetWindowsHooksEx"
+ },
+ {
+ "definition": "Malware may leverage Asynchronous Procedure Calls (APC) to force another thread to execute its code by attaching it to the APC Queue of the target thread (using QueueUserAPC / NtQueueApcThread); also called AtomBombing [[1]](#1), [[3]](#3).",
+ "name": "APC Injection"
+ },
+ {
+ "definition": "GetThreadContext / SetThreadContext [[3]](#3).",
+ "name": "RunPE"
+ },
+ {
+ "definition": "Malware may insert the location of its malicious library under a registry key (e.g., Appinit_DLL, AppCertDlls, IFEO) to have another process load its library. 
[[1]](#1)",
+ "name": "Registry Modification"
+ },
+ {
+ "definition": "",
+ "name": "Extra Window Memory Injection (EWMI)"
+ },
+ {
+ "definition": "Malware may use shims to target an executable (shims are a way of hooking into APIs and targeting specific executables and are provided by Microsoft for backward compatibility, allowing developers to apply program fixes without rewriting code) [[1]](#1).",
+ "name": "Shims"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--929e0835-9197-42d0-9a00-95b7b4e13dcb.json b/attack-pattern/attack-pattern--929e0835-9197-42d0-9a00-95b7b4e13dcb.json
new file mode 100644
index 00000000..10738197
--- /dev/null
+++ b/attack-pattern/attack-pattern--929e0835-9197-42d0-9a00-95b7b4e13dcb.json
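Review bot: Three data-quality issues in the `x_mitre_methods` list: the `Shell_TrayWnd` definition spells the technique `Shell_TRyaWnd`, the method named `SetWindowsHooksEx` describes the API `SetWindowsHookEx` that its own definition names, and `Extra Window Memory Injection (EWMI)` ships `"definition": ""`, an empty-string placeholder that consumers will treat as a present (blank) definition rather than a missing one. Either supply a definition for EWMI or omit the method until one exists, so that `definition` keeps a single meaning across the catalog. The `mitre-attack` URL `https://attack.mitre.org/techniques/T1055` also lacks the trailing slash used by the other hunks' ATT&CK URLs (e.g. `/T1119/` in attack-pattern--915a827a), which matters for consumers that deduplicate references by exact URL match.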
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--0aaea22b-915d-4156-bf92-7956d8b1d01d",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--929e0835-9197-42d0-9a00-95b7b4e13dcb",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.281Z",
+ "modified": "2020-02-05T20:28:15.281Z",
+ "name": "User Interaction",
+ "description": "Malware may include code that relies on specific actions by a user to execute. Note that this MBC behavior differs from [User Execution](https://attack.mitre.org/techniques/T1204) in that it does do not include direct code execution (user action for *initial* execution) - MBE does not encompass ATT&CK's Initial Access Tactic.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/user-interaction.md",
+ "external_id": "E1204"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1204",
+ "external_id": "T1204"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--98511ebd-51ae-451e-8d14-b73f23640191.json b/attack-pattern/attack-pattern--98511ebd-51ae-451e-8d14-b73f23640191.json
new file mode 100644
index 00000000..b26805f6
--- /dev/null
+++ b/attack-pattern/attack-pattern--98511ebd-51ae-451e-8d14-b73f23640191.json
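Review bot: The description contains `in that it does do not include direct code execution`, which reads as a stray edit; presumably `in that it does not include direct code execution`. The trailing clause `MBE does not encompass ATT&CK's Initial Access Tactic` appears to mean `MBC`, since that is the name used everywhere else in this commit. Both are user-visible in any STIX consumer that renders the description, so they are worth fixing in the source markdown rather than only in the generated JSON.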
@@ -0,0 +1,44 @@
+{
+ "type": "bundle",
+ "id": "bundle--3e733d85-abd4-42a4-b902-28ab634de67c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--98511ebd-51ae-451e-8d14-b73f23640191",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.272Z",
+ "modified": "2020-02-05T20:28:15.272Z",
+ "name": "Send Poisoned Text Message",
+ "description": "A malicious attachment is sent via spam SMS or MMS messages. When the user clicks the link, malware is installed.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/send-poison-text-msg.md",
+ "external_id": "M0021"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.player.one/new-android-sms-malware-can-completely-own-your-phone-just-one-text-how-avoid-mazar-512363"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--99960d3e-e9f8-47e9-9293-a18eb5b068af.json b/attack-pattern/attack-pattern--99960d3e-e9f8-47e9-9293-a18eb5b068af.json
new file mode 100644
index 00000000..65465a89
--- /dev/null
+++ b/attack-pattern/attack-pattern--99960d3e-e9f8-47e9-9293-a18eb5b068af.json
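Review bot: The description is internally inconsistent: the first sentence says `A malicious attachment is sent via spam SMS or MMS messages`, while the second says `When the user clicks the link, malware is installed`, so the delivery vector is an attachment in one sentence and a link in the next. The two should be reconciled with whatever the cited Mazar BOT references describe; if the link reading is the intended one, `A malicious link is sent via spam SMS or MMS messages. When the user clicks the link, malware is installed.` would make the behavior unambiguous for anyone mapping detections to it.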
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--fdf4fe8f-a7f0-46e0-a611-9de7ba5e5b68",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--99960d3e-e9f8-47e9-9293-a18eb5b068af",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.323Z",
+ "modified": "2020-02-05T20:28:15.323Z",
+ "name": "Startup Items",
+ "description": "Malware may add an entry to the macOS StartupItems directory to enable persistence. Because StartupItems run during the bootup phase of macOS, they will run as root, enabling privilege escalation.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/startup-items.md",
+ "external_id": "T1165"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1165",
+ "external_id": "T1165"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--999d34f4-c740-497f-9074-563b8c11d8ce.json b/attack-pattern/attack-pattern--999d34f4-c740-497f-9074-563b8c11d8ce.json
new file mode 100644
index 00000000..f391955c
--- /dev/null
+++ b/attack-pattern/attack-pattern--999d34f4-c740-497f-9074-563b8c11d8ce.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--e6eadc58-3147-4bf2-9ee9-2cb203e0dc6a",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--999d34f4-c740-497f-9074-563b8c11d8ce",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.429Z",
+ "modified": "2020-02-05T20:28:15.429Z",
+ "name": "Launch Daemon",
+ "description": "Malware may install a new MacOS launch daemon that can be configured to execute at startup.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/launch-daemon.md",
+ "external_id": "T1160"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1160",
+ "external_id": "T1160"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--9a5d9d87-44f6-42c5-ad27-0434a97ce7d6.json b/attack-pattern/attack-pattern--9a5d9d87-44f6-42c5-ad27-0434a97ce7d6.json
new file mode 100644
index 00000000..9686fb41
--- /dev/null
+++ b/attack-pattern/attack-pattern--9a5d9d87-44f6-42c5-ad27-0434a97ce7d6.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--f4ce354a-2ca7-4129-956f-569346b427f7",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9a5d9d87-44f6-42c5-ad27-0434a97ce7d6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.470Z",
+ "modified": "2020-02-05T20:28:15.470Z",
+ "name": "Disk Structure Wipe",
+ "description": "Disk data structures are corrupted or wiped, making the system unable to boot.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/disk-structure-wipe.md",
+ "external_id": "T1487"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1487/",
+ "external_id": "T1487"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--9bd44017-2ca1-4370-b06d-f55fd2071b6b.json b/attack-pattern/attack-pattern--9bd44017-2ca1-4370-b06d-f55fd2071b6b.json
new file mode 100644
index 00000000..075d8686
--- /dev/null
+++ b/attack-pattern/attack-pattern--9bd44017-2ca1-4370-b06d-f55fd2071b6b.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--2ba3431f-6d38-412b-856d-2debac5ad295",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9bd44017-2ca1-4370-b06d-f55fd2071b6b",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.117Z",
+ "modified": "2020-02-05T20:28:15.117Z",
+ "name": "Clipboard Data",
+ "description": "Malware collects data stored in the Windows clipboard.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/clipboard-data.md",
+ "external_id": "T1115"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1115/",
+ "external_id": "T1115"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--9c2ea49a-ea29-47b4-acca-087733a71b2c.json b/attack-pattern/attack-pattern--9c2ea49a-ea29-47b4-acca-087733a71b2c.json
new file mode 100644
index 00000000..ee290aa2
--- /dev/null
+++ b/attack-pattern/attack-pattern--9c2ea49a-ea29-47b4-acca-087733a71b2c.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--32ade3c4-5b7a-4799-afb4-f1f93e9b3d67",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9c2ea49a-ea29-47b4-acca-087733a71b2c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.250Z",
+ "modified": "2020-02-05T20:28:15.250Z",
+ "name": "Data Encoding",
+ "description": "Malware encodes its command and control information using a standard system such as Unicode, Base64, etc.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/data-encode.md",
+ "external_id": "T1132"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1132/",
+ "external_id": "T1132"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--9ca32a1e-0f84-42d6-8be0-fccf0934a123.json b/attack-pattern/attack-pattern--9ca32a1e-0f84-42d6-8be0-fccf0934a123.json
new file mode 100644
index 00000000..d50fce4c
--- /dev/null
+++ b/attack-pattern/attack-pattern--9ca32a1e-0f84-42d6-8be0-fccf0934a123.json
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--cfbca327-ff79-4943-92f0-beffbb56a8a4",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9ca32a1e-0f84-42d6-8be0-fccf0934a123",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.411Z",
+ "modified": "2020-02-05T20:28:15.411Z",
+ "name": "Polymorphic Code",
+ "description": "Polymorphic code, a file with the same functionality but different execution, is created, often on the fly, making it difficult to detect. This behavior includes metamorphic code where the code is changed (not just executed differently), but with the behavior the same. Polymorphic Code behavior is typically identified through analysis of related samples.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/polymorphic-code.md",
+ "external_id": "M0029"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.mccormick.northwestern.edu/eecs/documents/tech-reports/2010-2014/evaluating-android-anti-malware-against-transformation-attacks.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "A packer stub can generate polymorphic code.",
+ "name": "Packer Stub"
+ },
+ {
+ "definition": "[[1]](#1)",
+ "name": "Call Indirections"
+ },
+ {
+ "definition": "[[1]](#1)",
+ "name": "Code Reordering"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--9d154966-e9a9-444e-80cf-cd4c95e877bc.json b/attack-pattern/attack-pattern--9d154966-e9a9-444e-80cf-cd4c95e877bc.json
new file mode 100644
index 00000000..7c82746a
--- /dev/null
+++ b/attack-pattern/attack-pattern--9d154966-e9a9-444e-80cf-cd4c95e877bc.json
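Review bot: The `definition` values for the `Call Indirections` and `Code Reordering` methods consist solely of the markdown footnote marker `[[1]](#1)`, which has no target inside a STIX bundle — the anchor refers to a footnote on the source markdown page, so a consumer rendering `x_mitre_methods` sees a dangling link and no definition at all. The same marker ends the `Check Emulator-related Registry Keys` definition in the Emulator Detection bundle (attack-pattern--af8dfa93-7114-43fc-b57a-d1a3c61c4acd). Either give each method a short plain-text definition, or name the source in STIX terms — presumably the PDF already listed under `external_references`, e.g. `"definition": "See the transformation-attacks report listed as external_source."` — so the reference survives outside the markdown.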
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--ef6eb9d3-624a-4b44-abde-53b74af66493",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9d154966-e9a9-444e-80cf-cd4c95e877bc",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.444Z",
+ "modified": "2020-02-05T20:28:15.444Z",
+ "name": "Setuid and Setgid",
+ "description": "Malware may take advantage of setuid or setgid bits in Linux or macOS applications to elevate privilege or for persistence.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/setuid-setgid.md",
+ "external_id": "T1166"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1166",
+ "external_id": "T1166"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--9ea6bec1-a908-422a-9154-28448b3ae618.json b/attack-pattern/attack-pattern--9ea6bec1-a908-422a-9154-28448b3ae618.json
new file mode 100644
index 00000000..86167a7d
--- /dev/null
+++ b/attack-pattern/attack-pattern--9ea6bec1-a908-422a-9154-28448b3ae618.json
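Review bot: The `mitre-attack` URL `https://attack.mitre.org/techniques/T1166` omits the trailing slash that the other ATT&CK references in this release carry (`https://attack.mitre.org/techniques/T1487/`, `.../T1115/`, `.../T1132/` and so on); the slash-less form recurs in the Domain Trust Discovery, Account Discovery, Query Registry, Access Token Manipulation, Remote System Discovery, Modify Trusted Execution Environment, Masquerading and Bypass User Account Control bundles. Both forms may well resolve, but tooling that de-duplicates or matches references by URL across bundles cannot rely on it when the same technique is written two ways. Normalising to one form — `"url": "https://attack.mitre.org/techniques/T1166/",` — is a one-line change per file; if these bundles are generated from the markdown, the generator is the better place to enforce it.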
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--b2fa1f65-70f4-4bf9-a7b6-79da8cee22be",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9ea6bec1-a908-422a-9154-28448b3ae618",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.283Z",
+ "modified": "2020-02-05T20:28:15.283Z",
+ "name": "Local Job Scheduling",
+ "description": "Malware may execute a program or script via local job scheduling (e.g., cron job) for execution or persistence purposes.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/local-job-sch.md",
+ "external_id": "T1168"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1168/",
+ "external_id": "T1168"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--9f7dd003-9dbd-4fcf-96e0-eda3246828db.json b/attack-pattern/attack-pattern--9f7dd003-9dbd-4fcf-96e0-eda3246828db.json
new file mode 100644
index 00000000..30ee0a84
--- /dev/null
+++ b/attack-pattern/attack-pattern--9f7dd003-9dbd-4fcf-96e0-eda3246828db.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--81ad96e5-0ba3-46dc-b68e-ac3d5a5b02fc",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9f7dd003-9dbd-4fcf-96e0-eda3246828db",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.211Z",
+ "modified": "2020-02-05T20:28:15.211Z",
+ "name": "Domain Trust Discovery",
+ "description": "Malware may attempt to gather information on domain trust relationships that might be used to identify lateral movement opportunities.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/domain-trust-discover.md",
+ "external_id": "T1482"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1482",
+ "external_id": "T1482"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a02e6e5e-2750-4ec8-af17-90088bb8f961.json b/attack-pattern/attack-pattern--a02e6e5e-2750-4ec8-af17-90088bb8f961.json
new file mode 100644
index 00000000..7a5ec379
--- /dev/null
+++ b/attack-pattern/attack-pattern--a02e6e5e-2750-4ec8-af17-90088bb8f961.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--9e95f4ef-2809-4048-99eb-014106f21e10",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a02e6e5e-2750-4ec8-af17-90088bb8f961",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.225Z",
+ "modified": "2020-02-05T20:28:15.225Z",
+ "name": "Account Discovery",
+ "description": "Malware may try to get names of local system or domain accounts.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/account-discover.md",
+ "external_id": "T1087"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1087",
+ "external_id": "T1087"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a03b6507-fed8-416a-8425-0761f5f7f754.json b/attack-pattern/attack-pattern--a03b6507-fed8-416a-8425-0761f5f7f754.json
new file mode 100644
index 00000000..f976bcd4
--- /dev/null
+++ b/attack-pattern/attack-pattern--a03b6507-fed8-416a-8425-0761f5f7f754.json
@@ -0,0 +1,45 @@
+{
+ "type": "bundle",
+ "id": "bundle--237ac0e3-3ebc-41f7-ad93-0a3136592d6c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a03b6507-fed8-416a-8425-0761f5f7f754",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.294Z",
+ "modified": "2020-02-05T20:28:15.294Z",
+ "name": "Scheduled Task",
+ "description": "Malware may use the Windows Task Scheduler to schedule programs or scripts to be executed at a date and time.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/scheduled-task.md",
+ "external_id": "T1053"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1053/",
+ "external_id": "T1053"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a1f1b921-b815-4311-93c2-6c98a333fd5d.json b/attack-pattern/attack-pattern--a1f1b921-b815-4311-93c2-6c98a333fd5d.json
new file mode 100644
index 00000000..8524b4de
--- /dev/null
+++ b/attack-pattern/attack-pattern--a1f1b921-b815-4311-93c2-6c98a333fd5d.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--5e700d19-7a68-4505-9b07-26e37097b1f5",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a1f1b921-b815-4311-93c2-6c98a333fd5d",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.215Z",
+ "modified": "2020-02-05T20:28:15.215Z",
+ "name": "Query Registry",
+ "description": "Malware may gather information from the Windows registry.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/query-registry.md",
+ "external_id": "T1012"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1012",
+ "external_id": "T1012"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a370131c-c76d-49a1-ac77-c1ca7f1b3ee2.json b/attack-pattern/attack-pattern--a370131c-c76d-49a1-ac77-c1ca7f1b3ee2.json
new file mode 100644
index 00000000..7cc0e371
--- /dev/null
+++ b/attack-pattern/attack-pattern--a370131c-c76d-49a1-ac77-c1ca7f1b3ee2.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--8aa3487e-eb11-45ad-8de3-bdd33375738c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a370131c-c76d-49a1-ac77-c1ca7f1b3ee2",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.448Z",
+ "modified": "2020-02-05T20:28:15.448Z",
+ "name": "Credential Dumping",
+ "description": "Malware may obtain account login and password information.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/credential-dump.md",
+ "external_id": "T1003"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1003/",
+ "external_id": "T1003"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a483c23a-a85a-4068-a570-8fc45493e2bc.json b/attack-pattern/attack-pattern--a483c23a-a85a-4068-a570-8fc45493e2bc.json
new file mode 100644
index 00000000..d52827c3
--- /dev/null
+++ b/attack-pattern/attack-pattern--a483c23a-a85a-4068-a570-8fc45493e2bc.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--9fbd52c8-837a-457c-8bca-612b07eba98e",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a483c23a-a85a-4068-a570-8fc45493e2bc",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.363Z",
+ "modified": "2020-02-05T20:28:15.363Z",
+ "name": "Access Token Manipulation",
+ "description": "Malware manipulates access tokens to make a running process appear as thought it belongs to someone other than the user who started the process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/access-token.md",
+ "external_id": "T1134"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1134",
+ "external_id": "T1134"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a49e3ab1-4f38-49b4-8bb2-5bf5778ae503.json b/attack-pattern/attack-pattern--a49e3ab1-4f38-49b4-8bb2-5bf5778ae503.json
new file mode 100644
index 00000000..48864cd2
--- /dev/null
+++ b/attack-pattern/attack-pattern--a49e3ab1-4f38-49b4-8bb2-5bf5778ae503.json
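Review bot: The `description` contains a typo — "appear as thought it belongs" should read "as though" — and because this string is shipped verbatim to every STIX consumer it is better corrected here than in a rendering layer: `"description": "Malware manipulates access tokens to make a running process appear as though it belongs to someone other than the user who started the process.",`. `created` and `modified` carry the same timestamp in this bundle, so if the correction lands after the release ships, `modified` should be bumped with it so downstream caches pick the change up.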
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--39ae0ee4-1a37-4dd2-8648-189cbea8792c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a49e3ab1-4f38-49b4-8bb2-5bf5778ae503",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.450Z",
+ "modified": "2020-02-05T20:28:15.450Z",
+ "name": "Credentials in Registry",
+ "description": "Malware may query the Registry looking for credentials and passwords.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/credentials-in-registry.md",
+ "external_id": "T1214"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1214/",
+ "external_id": "T1214"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813.json b/attack-pattern/attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813.json
new file mode 100644
index 00000000..435f8082
--- /dev/null
+++ b/attack-pattern/attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813.json
@@ -0,0 +1,55 @@
+{
+ "type": "bundle",
+ "id": "bundle--0a1be5b7-9cc4-4eeb-aa2f-8316d04c7a3e",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.394Z",
+ "modified": "2020-02-05T20:28:15.394Z",
+ "name": "Disabling Security Tools",
+ "description": "Malware may disable security tools to avoid detection. Security tools include OS security features and updating tools, anti-virus (AV) tools, firewalls, tool components providing security related logging and/or reporting, and Antimalware Scan Interface (AMSI) related capabilities.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/disable-security-tools.md",
+ "external_id": "E1089"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1089/",
+ "external_id": "T1089"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Bypasses or disables kernel patch protection mechanisms such as Windows' PatchGuard, enabling the malware instance to operate at the same level as the operating system kernel and kernel mode drivers (KMD).",
+ "name": "Disable Kernel Patch Protection"
+ },
+ {
+ "definition": "Disables system file overwrite protection mechanisms such as Windows file protection, thereby enabling system files to be modified or replaced.",
+ "name": "Disable System File Overwrite Protection"
+ },
+ {
+ "definition": "Security products may hook APIs to monitor the behavior of malware. To avoid being found, malware may load DLLs in memory and overwrite their bytes.",
+ "name": "Unhook APIs"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6.json b/attack-pattern/attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6.json
new file mode 100644
index 00000000..32362255
--- /dev/null
+++ b/attack-pattern/attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--3b169172-c0e0-41c9-a832-7cff904713fb",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.258Z",
+ "modified": "2020-02-05T20:28:15.258Z",
+ "name": "Uncommonly Used Port",
+ "description": "Malware may use an uncommon port to bypass poorly configured boundary controllers.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/uncommon-port.md",
+ "external_id": "T1065"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1065/",
+ "external_id": "T1065"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a8037627-051d-48fe-8c03-5d78b9293f0c.json b/attack-pattern/attack-pattern--a8037627-051d-48fe-8c03-5d78b9293f0c.json
new file mode 100644
index 00000000..a90e27fb
--- /dev/null
+++ b/attack-pattern/attack-pattern--a8037627-051d-48fe-8c03-5d78b9293f0c.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--b7f2b0df-67dc-4adc-8d8c-e4d6475e641c",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a8037627-051d-48fe-8c03-5d78b9293f0c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.231Z",
+ "modified": "2020-02-05T20:28:15.231Z",
+ "name": "Remote System Discovery",
+ "description": "Malware may try to get a list of network-accessible systems (by IP address or hostname).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/remote-sys-discover.md",
+ "external_id": "T1018"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1018",
+ "external_id": "T1018"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--a95f6808-9551-426a-8eaa-7794164d10e7.json b/attack-pattern/attack-pattern--a95f6808-9551-426a-8eaa-7794164d10e7.json
new file mode 100644
index 00000000..f59237ae
--- /dev/null
+++ b/attack-pattern/attack-pattern--a95f6808-9551-426a-8eaa-7794164d10e7.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--6d368881-1183-4221-acbd-2a35a30b0811",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--a95f6808-9551-426a-8eaa-7794164d10e7",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.123Z",
+ "modified": "2020-02-05T20:28:15.123Z",
+ "name": "Screen Capture",
+ "description": "Malware takes screen captures.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/screen-capture.md",
+ "external_id": "T1113"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1113/",
+ "external_id": "T1113"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1.json b/attack-pattern/attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1.json
new file mode 100644
index 00000000..f5a40d0c
--- /dev/null
+++ b/attack-pattern/attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1.json
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--b6dadf20-5daf-49a4-96b4-82a4c4605f15",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.463Z",
+ "modified": "2020-02-05T20:28:15.463Z",
+ "name": "Remote Access",
+ "description": "Malware may provide an attacker with potentially full access to a system via a remote network connection.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/remote-access.md",
+ "external_id": "M0022"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/Remote_access_trojan"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/DarkComet"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Malware may create a reverse shell. For example, malware can invoke cmd.exe and create three pipes (stdin, stdout, stderr) to forward data between cmd.exe and an adversary.",
+ "name": "Reverse Shell"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--af19022e-d8be-4cd2-a4b6-fb1c3a6a0f13.json b/attack-pattern/attack-pattern--af19022e-d8be-4cd2-a4b6-fb1c3a6a0f13.json
new file mode 100644
index 00000000..9ba8d92f
--- /dev/null
+++ b/attack-pattern/attack-pattern--af19022e-d8be-4cd2-a4b6-fb1c3a6a0f13.json
@@ -0,0 +1,46 @@
+{
+ "type": "bundle",
+ "id": "bundle--24ca80e7-d8dc-4c6f-949d-960f62746d78",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--af19022e-d8be-4cd2-a4b6-fb1c3a6a0f13",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.195Z",
+ "modified": "2020-02-05T20:28:15.195Z",
+ "name": "Capture Evasion",
+ "description": "Malware has characteristics enabling it to evade capture from the infected system.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-capture.md",
+ "external_id": "M0036"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Malware is never written to disk (e.g., RAT plugins received from the controller are never written to disk).",
+ "name": "Memory-only Payload"
+ },
+ {
+ "definition": "Decryption key is stored external to the executable or never touches the disk.",
+ "name": "Encrypted Payloads"
+ },
+ {
+ "definition": "Multiple stages of loaders are used with an encoded payload.",
+ "name": "Multiple Stages of Loaders"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--af8dfa93-7114-43fc-b57a-d1a3c61c4acd.json b/attack-pattern/attack-pattern--af8dfa93-7114-43fc-b57a-d1a3c61c4acd.json
new file mode 100644
index 00000000..ebb31079
--- /dev/null
+++ b/attack-pattern/attack-pattern--af8dfa93-7114-43fc-b57a-d1a3c61c4acd.json
@@ -0,0 +1,54 @@
+{
+ "type": "bundle",
+ "id": "bundle--c5d2f38b-6aa7-4d52-a0ba-3464d171ffa5",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--af8dfa93-7114-43fc-b57a-d1a3c61c4acd",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.207Z",
+ "modified": "2020-02-05T20:28:15.207Z",
+ "name": "Emulator Detection",
+ "description": "Detects whether the malware instance is being executed inside an emulator. If so, conditional execution selects a benign execution path.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/detect-emulator.md",
+ "external_id": "M0004"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://unprotect.tdgt.org/index.php/Sandbox_Evasion"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Checks whether particular files (e.g., QEMU files) exist.",
+ "name": "Check for Emulator-related Files"
+ },
+ {
+ "definition": "Checks for WINE via the `get_wine_version` function from WINE's `ntdll.dll`.",
+ "name": "Check for WINE Version"
+ },
+ {
+ "definition": "Emulators register artifacts in the registry, which can be detected by malware. For example, installation of QEMU results in the registry key: *HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0* with value=*Identifier* and data=*QEMU*, or registry key: *HARDWARE\\Description\\System* with value=*SystemBiosVersion* and data=*QEMU*. [[1]](#1)",
+ "name": "Check Emulator-related Registry Keys"
+ },
+ {
+ "definition": "Some emulated systems fail to handle some network communications; such failures will indicate the emulated environment.",
+ "name": "Failed Network Connections"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--b176779c-a4df-49a4-993e-e424a114b73a.json b/attack-pattern/attack-pattern--b176779c-a4df-49a4-993e-e424a114b73a.json
new file mode 100644
index 00000000..a778b263
--- /dev/null
+++ b/attack-pattern/attack-pattern--b176779c-a4df-49a4-993e-e424a114b73a.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--95b80a8c-18bc-480f-bfb0-ea4b9f4aca73",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--b176779c-a4df-49a4-993e-e424a114b73a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.254Z",
+ "modified": "2020-02-05T20:28:15.254Z",
+ "name": "Custom Cryptographic Protocol",
+ "description": "Malware may use a custom cryptographic protocol to hide command and control communications.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/custom-crypto-protocol.md",
+ "external_id": "T1024"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1024/",
+ "external_id": "T1024"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--b24b9670-5ac7-4982-972c-0691b9a81d0c.json b/attack-pattern/attack-pattern--b24b9670-5ac7-4982-972c-0691b9a81d0c.json
new file mode 100644
index 00000000..18dd9531
--- /dev/null
+++ b/attack-pattern/attack-pattern--b24b9670-5ac7-4982-972c-0691b9a81d0c.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--7db15c77-789a-4ac6-ab0c-7991c9f5442b",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--b24b9670-5ac7-4982-972c-0691b9a81d0c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.421Z",
+ "modified": "2020-02-05T20:28:15.421Z",
+ "name": "Modify Trusted Execution Environment",
+ "description": "Malware may run code in the Android Trusted Execution Environment.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/mod-trust-exe-environ.md",
+ "external_id": "T1399"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1399",
+ "external_id": "T1399"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed.json b/attack-pattern/attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed.json
new file mode 100644
index 00000000..f1ee5787
--- /dev/null
+++ b/attack-pattern/attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed.json
@@ -0,0 +1,44 @@
+{
+ "type": "bundle",
+ "id": "bundle--4180b65a-e127-4542-8cb7-91e77d5d4e9f",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.300Z",
+ "modified": "2020-02-05T20:28:15.300Z",
+ "name": "Install Additional Program",
+ "description": "Installs another, different program on the system. The additional program can be any secondary module; examples include backdoors, malicious drivers, kernel modules, and OS X Apps.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/install-prog.md",
+ "external_id": "M0023"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--b297f2d1-8322-4153-8e4c-ecc411302a79.json b/attack-pattern/attack-pattern--b297f2d1-8322-4153-8e4c-ecc411302a79.json
new file mode 100644
index 00000000..b8700ed4
--- /dev/null
+++ b/attack-pattern/attack-pattern--b297f2d1-8322-4153-8e4c-ecc411302a79.json
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--186a11c1-8eca-40c5-aed2-94364889d034", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b297f2d1-8322-4153-8e4c-ecc411302a79", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.422Z", + "modified": "2020-02-05T20:28:15.422Z", + "name": "Masquerading", + "description": "Malware may change the name or location of files to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/masquerading.md", + "external_id": "T1036" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1036", + "external_id": "T1036" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--b2a6969f-5b08-43e4-8f8f-1cef31ff37cc.json b/attack-pattern/attack-pattern--b2a6969f-5b08-43e4-8f8f-1cef31ff37cc.json new file mode 100644 index 00000000..7a0abbb9 --- /dev/null +++ b/attack-pattern/attack-pattern--b2a6969f-5b08-43e4-8f8f-1cef31ff37cc.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--6cb408dc-1deb-4537-ac34-3da5384e4f5e", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b2a6969f-5b08-43e4-8f8f-1cef31ff37cc", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.372Z", + "modified": "2020-02-05T20:28:15.372Z", + "name": "Bypass User Account Control", + "description": "Malware bypasses Windows User Account Control.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/bypass-user-acct-cntl.md", + "external_id": "T1088" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1088", + "external_id": "T1088" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--b2c99aaa-a0e3-439d-92a3-402768d7282f.json b/attack-pattern/attack-pattern--b2c99aaa-a0e3-439d-92a3-402768d7282f.json new file mode 100644 index 00000000..064c7e21 --- /dev/null +++ b/attack-pattern/attack-pattern--b2c99aaa-a0e3-439d-92a3-402768d7282f.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--642595a3-aa6f-441a-9295-b782bdc36e10", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b2c99aaa-a0e3-439d-92a3-402768d7282f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.236Z", + "modified": "2020-02-05T20:28:15.236Z", + "name": "Software Discovery", + "description": "Malware may try to identify all software and applications installed on the device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/sw-discover.md", + "external_id": "T1518" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1518", + "external_id": "T1518" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1418", + "external_id": "T1418" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--b4df4bd2-7208-4948-b649-7a5267f27e2e.json b/attack-pattern/attack-pattern--b4df4bd2-7208-4948-b649-7a5267f27e2e.json new file mode 100644 index 00000000..1bbf4707 --- /dev/null +++ b/attack-pattern/attack-pattern--b4df4bd2-7208-4948-b649-7a5267f27e2e.json 
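Review bot: The object is tagged `defense-evasion` as well as `discovery`, but the one-line description gives no reason for the evasion phase, so a consumer of the STIX object alone cannot tell why it is there. Suggest extending the description to `Malware may try to identify all software and applications installed on the device, for example to detect security products and adjust its behavior to evade them.` The two `mitre-attack` references (T1518 and T1418) presumably map the enterprise and mobile counterparts; a `description` on each reference would make that mapping explicit rather than leaving readers to infer it.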
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--21dbe1ac-21d1-4c03-89a1-bd0a562a736f", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b4df4bd2-7208-4948-b649-7a5267f27e2e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.263Z", + "modified": "2020-02-05T20:28:15.263Z", + "name": "Remote Access Tools", + "description": "Malware may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/remote-access-tools.md", + "external_id": "T1219" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1219/", + "external_id": "T1219" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--b71f0bb4-21ef-46c1-b37c-7df65de756a4.json b/attack-pattern/attack-pattern--b71f0bb4-21ef-46c1-b37c-7df65de756a4.json new file mode 100644 index 00000000..abd9c545 --- /dev/null +++ b/attack-pattern/attack-pattern--b71f0bb4-21ef-46c1-b37c-7df65de756a4.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--ac1ccd56-c65f-443a-822d-bc64bd75849b", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b71f0bb4-21ef-46c1-b37c-7df65de756a4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.208Z", + "modified": "2020-02-05T20:28:15.208Z", + "name": "Local Network Configuration Discovery", + "description": "Android malware may try to get details of on-board network interfaces through the java.net.NetworkInterface class.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/local-network-configuration-discover.md", + "external_id": "T1422" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1422", + "external_id": "T1422" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--b7333931-5e93-46cf-ab22-c2c6ff9a8986.json b/attack-pattern/attack-pattern--b7333931-5e93-46cf-ab22-c2c6ff9a8986.json new file mode 100644 index 00000000..aa6f572a --- /dev/null +++ b/attack-pattern/attack-pattern--b7333931-5e93-46cf-ab22-c2c6ff9a8986.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--7fd39f94-80d1-4be1-854f-83de3e5f59b1", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b7333931-5e93-46cf-ab22-c2c6ff9a8986", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.262Z", + "modified": "2020-02-05T20:28:15.262Z", + "name": "Port Knocking", + "description": "Malware may hide open ports.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/port-knocking.md", + "external_id": "T1205" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1205/", + "external_id": "T1205" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--b8f24e74-d267-4783-be19-13cb060aaa2d.json b/attack-pattern/attack-pattern--b8f24e74-d267-4783-be19-13cb060aaa2d.json new file mode 100644 index 00000000..906b9a37 --- /dev/null +++ b/attack-pattern/attack-pattern--b8f24e74-d267-4783-be19-13cb060aaa2d.json 
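Review bot: The description `Malware may hide open ports.` does not describe port knocking; the technique is that a port or listener is opened only after the malware observes a predefined sequence of connection attempts or a specially crafted packet, which is what keeps the backdoor out of routine port scans. Suggest `Malware may open a port or start a listener only after receiving a predefined sequence of connection attempts or packets (port knocking), so the backdoor is not visible to ordinary port scans.` The three kill-chain phases (`command-and-control`, `defense-evasion`, `persistence`) are plausible, but none of them is explained by the current sentence.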
@@ -0,0 +1,83 @@ +{ + "type": "bundle", + "id": "bundle--a647017d-8cfd-47f7-b5e2-8a8e16779e3e", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b8f24e74-d267-4783-be19-13cb060aaa2d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.459Z", + "modified": "2020-02-05T20:28:15.459Z", + "name": "Hooking", + "description": "Malware alters API behavior or redirects execution to a malicious API version for a variety of purposes. Malware may use hooking to load and execute code within the context of another process, hiding execution and gaining elevated privileges and access to the process's memory. Methods related to anti-behavioral analysis are below. For example, hooking can be used to prevent memory dumps - see also [Memory Dump Obstruction](https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/memory-dump-obstruct.md).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/hooking.md", + "external_id": "E1179" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/" + }, + { + "source_name": "external_source", + "url": "https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1179/", + "external_id": "T1179" + } + ], + 
"object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Patching this function to always return NULL prevents drivers from getting information about the physical address space layout, preventing memory dumps. [[1]](#1)", + "name": "Patch MmGetPhysicalMemoryRanges" + }, + { + "definition": "Prevents memory dumps by preventing mapping of memory into the kernel's virtual address space. [[1]](#1)", + "name": "Hook memory mapping APIs" + }, + { + "definition": "Intercepts and executes designated code in response to events such as messages, keystrokes, and mouse inputs. [[3]](#3)", + "name": "Hook procedures" + }, + { + "definition": "", + "name": "Import Address Hooking (IAT) Hooking" + }, + { + "definition": "overwrites the first bytes in an API function to redirect code flow.", + "name": "Inline Hooking" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--b8ffc69c-45d1-4420-a1de-566d88c213c6.json b/attack-pattern/attack-pattern--b8ffc69c-45d1-4420-a1de-566d88c213c6.json new file mode 100644 index 00000000..80d382fe --- /dev/null +++ b/attack-pattern/attack-pattern--b8ffc69c-45d1-4420-a1de-566d88c213c6.json 
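Review bot: In `x_mitre_methods` the entry named `Import Address Hooking (IAT) Hooking` has an empty `definition`, and the name itself is garbled — IAT stands for Import Address Table. Suggest `"name": "Import Address Table (IAT) Hooking"` with `"definition": "Overwrites entries in a module's import address table so that calls to the imported API are redirected to malware code."`. The `Inline Hooking` definition starts lowercase (`overwrites the first bytes…`) unlike its siblings. The `[[1]](#1)` and `[[3]](#3)` markers in the definitions are markdown footnote anchors carried over from the source page; inside the STIX object they point at nothing, so consumers would have to map them to `external_references` by position — either state that convention or drop the markers.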
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--b1a17e05-763a-4dc0-aaed-0f8e8f725437", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b8ffc69c-45d1-4420-a1de-566d88c213c6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.348Z", + "modified": "2020-02-05T20:28:15.348Z", + "name": "File System Logical Offsets", + "description": "Malware may bypass Windows file access controls by analyzing file system data structures.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/file-sys-logical-offset.md", + "external_id": "T1006" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1006", + "external_id": "T1006" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--bfa0510e-ffed-49a3-a66a-cef073dd488e.json b/attack-pattern/attack-pattern--bfa0510e-ffed-49a3-a66a-cef073dd488e.json new file mode 100644 index 00000000..6c84e8b9 --- /dev/null +++ b/attack-pattern/attack-pattern--bfa0510e-ffed-49a3-a66a-cef073dd488e.json 
@@ -0,0 +1,70 @@ +{ + "type": "bundle", + "id": "bundle--048383dc-97d2-46aa-b3f2-54db36c958cb", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--bfa0510e-ffed-49a3-a66a-cef073dd488e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.162Z", + "modified": "2020-02-05T20:28:15.162Z", + "name": "Disassembler Evasion", + "description": "Malware code evades disassembly in a recursive or linear disassembler. Some methods apply to both types of disassemblers; others apply to one type and not the other.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/evade-disassembler.md", + "external_id": "M0012" + }, + { + "source_name": "external_source", + "url": "http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf" + }, + { + "source_name": "external_source", + "url": "http://www.kernelhacking.com/rodrigo/docs/blackhat2012-paper.pdf" + }, + { + "source_name": "external_source", + "url": "https://isc.sans.edu/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870" + }, + { + "source_name": "external_source", + "url": "https://boingboing.net/2019/05/05/p-code-r-us.html" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Simple number or string arguments to API calls are calculated at runtime, making linear disassembly more difficult.", + "name": "Argument Obfuscation" + }, + { + "definition": "Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; identified by instructions *jmp/jcc to a label+#* (e.g., JNE loc_401345fe+2).", + "name": "Conditional 
Misdirection" + }, + { + "definition": "Explicit use of computed values for control flow, often many times in the same basic block or function.", + "name": "Value Dependent Jumps" + }, + { + "definition": "Variables, often strings, are broken into multiple parts and store out of order, in different memory ranges, or both. They must then be recomposed before use.", + "name": "Variable Recomposition" + }, + { + "definition": "Typically, VBA source code is compiled into p-code, which is stored with compressed sourced code in the OLE file with VBA macros. VBA Stomping - when the VBA source code is removed and only the p-code remains - makes analysis much harder. See [[3]](#3) for an analysis of a VBA-Stomped malicious VBA Office document. See [[4]](#4) for information on Evil Clippy, a tool that creates malicious MS Office documents.", + "name": "VBA Stomping" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--c12572b5-e25b-4ef9-944a-81d81050323e.json b/attack-pattern/attack-pattern--c12572b5-e25b-4ef9-944a-81d81050323e.json new file mode 100644 index 00000000..6844d4d6 --- /dev/null +++ b/attack-pattern/attack-pattern--c12572b5-e25b-4ef9-944a-81d81050323e.json 
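Review bot: Two method definitions have wording defects: `Variable Recomposition` reads `broken into multiple parts and store out of order` (should be `stored out of order`), and `VBA Stomping` reads `stored with compressed sourced code` (should be `compressed source code`). The `[[3]](#3)` and `[[4]](#4)` markers are markdown footnote anchors with no target in the STIX object, presumably indexing into `external_references` by position. For VBA Stomping a triage-relevant caveat is that, as I understand it, the surviving p-code is only executed by an Office build matching the one that compiled it and otherwise the (now missing) source is recompiled; I have not verified that against the cited references, so treat it as a suggestion to check before adding.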
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--132f590b-8b1e-40d6-b01b-ab1926344b69", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c12572b5-e25b-4ef9-944a-81d81050323e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.343Z", + "modified": "2020-02-05T20:28:15.343Z", + "name": "Exfiltration Over Command and Control Channel", + "description": "Malware may exfiltrate data via the command and control channel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/exfil-over-c2-channel.md", + "external_id": "T1041" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1041/", + "external_id": "T1041" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--c20a6281-74cb-41fe-8575-ca053579b768.json b/attack-pattern/attack-pattern--c20a6281-74cb-41fe-8575-ca053579b768.json new file mode 100644 index 00000000..1ff770be --- /dev/null +++ b/attack-pattern/attack-pattern--c20a6281-74cb-41fe-8575-ca053579b768.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--3fe5a68d-087f-44de-a0b9-284fc17c473e", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c20a6281-74cb-41fe-8575-ca053579b768", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.274Z", + "modified": "2020-02-05T20:28:15.274Z", + "name": "Execution through Module Load", + "description": "Malware may use the Windows module loader to execute code on a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/execution-via-module-load.md", + "external_id": "T1129" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1129", + "external_id": "T1129" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--c376d9bb-5e45-42f5-95ce-b57d6ce417b8.json b/attack-pattern/attack-pattern--c376d9bb-5e45-42f5-95ce-b57d6ce417b8.json new file mode 100644 index 00000000..d609d1a9 --- /dev/null +++ b/attack-pattern/attack-pattern--c376d9bb-5e45-42f5-95ce-b57d6ce417b8.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--5f56b3c2-7143-4cbf-bf6a-42045df2834b", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c376d9bb-5e45-42f5-95ce-b57d6ce417b8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.224Z", + "modified": "2020-02-05T20:28:15.224Z", + "name": "System Network Configuration Discovery", + "description": "Malware may try to find details about the system's network configuration.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-network-config-discover.md", + "external_id": "T1016" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1016", + "external_id": "T1016" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c.json b/attack-pattern/attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c.json new file mode 100644 index 00000000..30682b59 --- /dev/null +++ b/attack-pattern/attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--8b9ad208-3958-41cf-aa97-0f88a88f313d", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.475Z", + "modified": "2020-02-05T20:28:15.475Z", + "name": "Generate Fraudulent Advertising Revenue", + "description": "Malware may generate advertising revenue by generating clicks of advertising links. The ATT&CK technique, [Generate Fraudulent Advertising Revenue](https://attack.mitre.org/techniques/T1472/), pertains only to mobile platform, but the behavior is applicable to other platforms as well.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/generate-fraud-rev.md", + "external_id": "E1472" + }, + { + "source_name": "external_source", + "url": "https://www.itworld.com/article/2734253/security/behind-the--massive--malware-ad-revenue-fraud-case.html" + }, + { + "source_name": "external_source", + "url": "https://www.fipp.com/news/insightnews/what-are-the-nine-types-of-digital-ad-fraud" + }, + { + "source_name": "external_source", + "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1472/", + "external_id": "T1472" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Malware alters DNS server settings to route to a rogue DNS server: when the user clicks on a search result link displayed through a 
search engine query, malware re-routes the user to different website. Instead of going to the requested site, the user is taken to an alternate website such that the click triggers payment to the threat actor. [[1]](#1)", + "name": "Click Hijacking" + }, + { + "definition": "Malware injects ad windows onto websites the user is views. [[2]](#2)", + "name": "Advertisement Replacement Fraud" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--c63442e8-94ac-422a-af1a-f51279f2c9ae.json b/attack-pattern/attack-pattern--c63442e8-94ac-422a-af1a-f51279f2c9ae.json new file mode 100644 index 00000000..2992e624 --- /dev/null +++ b/attack-pattern/attack-pattern--c63442e8-94ac-422a-af1a-f51279f2c9ae.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--d2ad9468-166c-4090-bf6e-bf1183b90f51", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c63442e8-94ac-422a-af1a-f51279f2c9ae", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.327Z", + "modified": "2020-02-05T20:28:15.327Z", + "name": "Shortcut Modification", + "description": "Malware may use shortcuts or symbolic links to open files or execute programs.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/shortcut-mod.md", + "external_id": "T1023" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1023/", + "external_id": "T1023" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
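Review bot: The `Advertisement Replacement Fraud` definition reads `onto websites the user is views`, which should be `onto websites the user views`. In the description, `pertains only to mobile platform` should read `pertains only to mobile platforms`. The `Click Hijacking` definition describes one specific implementation (changing DNS settings to a rogue resolver, which fits the cited ad-fraud case); if the method is meant more generally, prefix the definition with `For example,` so readers do not take DNS modification as its defining feature.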
diff --git a/attack-pattern/attack-pattern--c87a9a20-73bb-4dd1-8531-2f7c246a4660.json b/attack-pattern/attack-pattern--c87a9a20-73bb-4dd1-8531-2f7c246a4660.json new file mode 100644 index 00000000..d2352b81 --- /dev/null +++ b/attack-pattern/attack-pattern--c87a9a20-73bb-4dd1-8531-2f7c246a4660.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--fc53fc2d-b4fc-4751-a50e-472d1445279d", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c87a9a20-73bb-4dd1-8531-2f7c246a4660", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.338Z", + "modified": "2020-02-05T20:28:15.338Z", + "name": "Exfiltration Over Alternative Protocol", + "description": "Malware may exfiltrate data with protocol different that the main C2 protocol or channel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/exfil-over-alternative-protocol.md", + "external_id": "T1048" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1048/", + "external_id": "T1048" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--c969317c-d5ec-4886-91d5-6ed12aef2fd7.json b/attack-pattern/attack-pattern--c969317c-d5ec-4886-91d5-6ed12aef2fd7.json new file mode 100644 index 00000000..352c02c2 --- /dev/null +++ b/attack-pattern/attack-pattern--c969317c-d5ec-4886-91d5-6ed12aef2fd7.json 
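Review bot: The description has a grammatical slip: `with protocol different that the main C2 protocol or channel` should read `over a protocol different from the main C2 protocol or channel`. A short why-clause would help detection engineers reading the object, e.g. `…so that exfiltration traffic is not correlated with the known C2 channel`, but that is optional.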
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--1ed95a38-7b1c-4775-b6c6-cc3fb17fb94d",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--c969317c-d5ec-4886-91d5-6ed12aef2fd7",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.431Z",
+ "modified": "2020-02-05T20:28:15.431Z",
+ "name": "File System Permissions Weakness",
+ "description": "Malware may exploit a software vulnerability to escalate privileges.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/file-system-perm-weakness.md",
+ "external_id": "T1044"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1044",
+ "external_id": "T1044"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/attack-pattern/attack-pattern--c9e8178e-280c-4fde-9e94-44db17382b97.json b/attack-pattern/attack-pattern--c9e8178e-280c-4fde-9e94-44db17382b97.json
new file mode 100644
index 00000000..f22f4c66
--- /dev/null
+++ b/attack-pattern/attack-pattern--c9e8178e-280c-4fde-9e94-44db17382b97.json
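Review bot: The description `Malware may exploit a software vulnerability to escalate privileges.` does not match the name or the referenced technique T1044; as I read that technique, it is about an executable, script or path that a later higher-privileged process loads being writable by a lower-privileged user, so the malware replaces the file rather than exploiting a software vulnerability (which ATT&CK files under a separate technique). Suggest `Malware may replace or modify an executable, script or other file that is later run by a higher-privileged process because weak file system permissions allow a lower-privileged user to write to it.` This wording also accounts for the `persistence` phase tag, which the current sentence leaves unexplained.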
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--1449eef3-6f26-49fc-9190-9f8ec40c4bb2", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c9e8178e-280c-4fde-9e94-44db17382b97", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.385Z", + "modified": "2020-02-05T20:28:15.385Z", + "name": "Parent PID Spoofing", + "description": "Malware may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/parent-pid-spoof.md", + "external_id": "T1502" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1502/", + "external_id": "T1502" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--ca41dedd-dddb-45bb-bbf7-ef5a17b1b4f5.json b/attack-pattern/attack-pattern--ca41dedd-dddb-45bb-bbf7-ef5a17b1b4f5.json new file mode 100644 index 00000000..9747f095 --- /dev/null +++ b/attack-pattern/attack-pattern--ca41dedd-dddb-45bb-bbf7-ef5a17b1b4f5.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--df5c8998-7dca-4e5c-a58f-a3fe3e150e97", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ca41dedd-dddb-45bb-bbf7-ef5a17b1b4f5", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.413Z", + "modified": "2020-02-05T20:28:15.413Z", + "name": "Alternative Installation Location", + "description": "Malware may install itself not as a file on the hard drive.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/alter-install-location.md", + "external_id": "M0027" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Stores itself in memory.", + "name": "Fileless Malware" + }, + { + "definition": "Stores itself in the Windows registry.", + "name": "Registry Install" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--cec46ca6-08c3-46d6-b37f-92c50fe689bb.json b/attack-pattern/attack-pattern--cec46ca6-08c3-46d6-b37f-92c50fe689bb.json new file mode 100644 index 00000000..75567bd6 --- /dev/null +++ b/attack-pattern/attack-pattern--cec46ca6-08c3-46d6-b37f-92c50fe689bb.json 
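Review bot: The description `Malware may install itself not as a file on the hard drive.` is awkward and does not say where the malware lives instead, even though the two methods below do. Suggest `Malware may persist somewhere other than as a regular file on disk, for example only in memory or inside a Windows registry value, to avoid file-based detection.` The `Registry Install` definition would be more useful to responders if it noted that something on the host still has to read and execute the registry payload; I am inferring that from the cited Kovter reference rather than from this page, so verify before adding.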
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--22420d37-738f-4f8a-95f9-57ae02f360af", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--cec46ca6-08c3-46d6-b37f-92c50fe689bb", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.308Z", + "modified": "2020-02-05T20:28:15.308Z", + "name": "Component Firmware", + "description": "Malware may overwrite the flash memory contents of system BIOS or other firmware. [[1]](#1). Methods related to malware (extending ATT&CK's definitions) are below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/component-firmware.md", + "external_id": "E1109" + }, + { + "source_name": "external_source", + "url": "https://www.scmagazine.com/home/opinions/are-synful-knock-style-router-attacks-set-to-become-the-new-normal/" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1109/", + "external_id": "T1109" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. This is accomplished by using default or acquired credentials to gain access to a router and to install a backdoor. The implant resides within a modified Cisco IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. 
However, any further modules loaded by the attacker will only exist in the router's volatile memory and will not be available for use after reboot. Known affected hardware includes Cisco routers 1841, 2811, and 3825.", + "name": "Router Firmware" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--d0bfadad-c04b-4eed-b9aa-f11d3e84bc6c.json b/attack-pattern/attack-pattern--d0bfadad-c04b-4eed-b9aa-f11d3e84bc6c.json new file mode 100644 index 00000000..b695c8fa --- /dev/null +++ b/attack-pattern/attack-pattern--d0bfadad-c04b-4eed-b9aa-f11d3e84bc6c.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--0c54c8ba-618a-4a60-8b0b-0a313aa6e0c7", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d0bfadad-c04b-4eed-b9aa-f11d3e84bc6c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.383Z", + "modified": "2020-02-05T20:28:15.383Z", + "name": "DCShadow", + "description": "Malware may use DCShadow, a method of manipulating Active Directory (AD) data, to register a rogue domain controller, which may be able to inject and replicate changes into the AD infrastructure for any domain object (e.g., credentials and keys).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/dcshadow.md", + "external_id": "T1207" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1207", + "external_id": "T1207" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
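Review bot: The `description` of Component Firmware carries a markdown footnote marker, `[[1]](#1)`, and the sentence `Methods related to malware (extending ATT&CK's definitions) are below.`, both of which refer to the layout of the source markdown page rather than to anything in this STIX object, where citations live in `external_references` and methods in `x_mitre_methods`; strip the marker and reword to `"Methods that extend ATT&CK's definition are listed in x_mitre_methods."` or drop the sentence. The `Router Firmware` method also says the modified image is used `to maliciously infect and persist on end-user machines in a network`, whereas the rest of the same definition describes an implant that resides in the modified IOS image and persists on the router across reboot; `"in order to install a backdoor that persists on the router and can be used against hosts on its network"` matches what the definition actually describes. Confirm the intended wording against the source markdown, which is not in this diff.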
diff --git a/attack-pattern/attack-pattern--d1db8aeb-d1f6-466c-bf30-38d6ad72ade7.json b/attack-pattern/attack-pattern--d1db8aeb-d1f6-466c-bf30-38d6ad72ade7.json new file mode 100644 index 00000000..3b7e74cc --- /dev/null +++ b/attack-pattern/attack-pattern--d1db8aeb-d1f6-466c-bf30-38d6ad72ade7.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--71b52963-f1ac-4010-b377-92901efd9713", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d1db8aeb-d1f6-466c-bf30-38d6ad72ade7", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.106Z", + "modified": "2020-02-05T20:28:15.106Z", + "name": "Secondary CPU Execution (THEORETICAL)", + "description": "Executes some or all of the code of the malware instance on a secondary, non-CPU processor (e.g., graphics processing unit (GPU)). This behavior is not included in the MBC because no real world examples have been found.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/theoretical-behaviors/second-cpu-exe.md", + "external_id": "M0015" + }, + { + "source_name": "external_source", + "url": "https://arstechnica.com/information-technology/2015/05/gpu-based-rootkit-and-keylogger-offer-superior-stealth-and-computing-power/" + }, + { + "source_name": "external_source", + "url": "http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf" + }, + { + "source_name": "external_source", + "url": "https://news.softpedia.com/news/New-Malware-Pieces-Run-Completely-on-Graphics-Card-480809.shtml" + }, + { + "source_name": "external_source", + "url": "https://news.softpedia.com/news/intel-researchers-gpu-based-malware-not-as-scary-as-intitially-thought-490490.shtml" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--d20ad1d9-e3df-499c-b7a8-84c67eb64144.json b/attack-pattern/attack-pattern--d20ad1d9-e3df-499c-b7a8-84c67eb64144.json new file mode 100644 index 00000000..3dd3ff3d --- /dev/null 
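Review bot: This object is flagged as theoretical only by the `(THEORETICAL)` suffix in `name` and a sentence in `description`, yet it is emitted as an ordinary `attack-pattern` with `"phase_name": "defense-evasion"` and an `M0015` id, so any consumer that filters or counts behaviors by kill-chain phase will treat it as a catalogued behavior — the opposite of what the text says (`This behavior is not included in the MBC`). Make the status machine-readable: a custom property such as `"x_mitre_theoretical": true`, or a dedicated `kill_chain_phases` value matching the `theoretical-behaviors/` path in the `mitre-mbc` URL, and document the convention wherever the bundle format is described. The phrase `no real world examples have been found` also sits awkwardly next to four references to GPU-resident keylogger/rootkit research; `no in-the-wild malware samples have been found` is probably what is meant — confirm against the source page.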
+++ b/attack-pattern/attack-pattern--d20ad1d9-e3df-499c-b7a8-84c67eb64144.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--0f439446-145d-4221-841f-b1e77dc1a3b8", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d20ad1d9-e3df-499c-b7a8-84c67eb64144", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.351Z", + "modified": "2020-02-05T20:28:15.351Z", + "name": "Indicator Removal on Host", + "description": "Malware may delete artifacts on the infected system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/indicator-remove-host.md", + "external_id": "T1070" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1070", + "external_id": "T1070" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--d21cffb9-b381-47f4-9428-950873cccf21.json b/attack-pattern/attack-pattern--d21cffb9-b381-47f4-9428-950873cccf21.json new file mode 100644 index 00000000..f5b108dd --- /dev/null +++ b/attack-pattern/attack-pattern--d21cffb9-b381-47f4-9428-950873cccf21.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--83d67b77-85ea-48e5-a3fa-cf54c5d0ba41", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d21cffb9-b381-47f4-9428-950873cccf21", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.324Z", + "modified": "2020-02-05T20:28:15.324Z", + "name": "Backdoor", + "description": "Malware achieves persistence via a backdoor. Installation of a backdoor is covered by the [Remote Access](https://github.com/MBCProject/mbc-markdown/blob/master/impact/remote-access.md) under the [Impact](https://github.com/MBCProject/mbc-markdown/tree/master/impact) objective.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/backdoor.md", + "external_id": "M0037" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52.json b/attack-pattern/attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52.json new file mode 100644 index 00000000..64c9dac8 --- /dev/null +++ b/attack-pattern/attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52.json 
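Review bot: The cross-reference from Backdoor to Remote Access exists only as a markdown link embedded in `description`, so a STIX consumer cannot follow it and the link between the two attack-patterns is lost as soon as the text is rendered or stripped. Either emit a `relationship` object (`"relationship_type": "related-to"`, `source_ref` this pattern, `target_ref` the Remote Access pattern) alongside the bundle, or at minimum add the URL as an `external_references` entry with `"source_name": "mitre-mbc"` so the reference survives as structured data. The same in-description linking appears in other objects in this release (the C2 Communication and Boot Sector Modification files below), so the fix belongs in the generator rather than in this one file.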
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--0e645748-4961-479f-bd90-f0e357038298", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.487Z", + "modified": "2020-02-05T20:28:15.487Z", + "name": "Manipulate Network Traffic", + "description": "Malware intercepts and manipulates network traffic, typically accessing or modifying data, going to or originating from the system on which the malware instance is executing. Also known as a Man-in-the-Middle attack.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/manipulate-network-traffic.md", + "external_id": "M0019" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1493/", + "external_id": "T1493" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--d6513614-2072-4aa9-b5fe-9bbb3994ab30.json b/attack-pattern/attack-pattern--d6513614-2072-4aa9-b5fe-9bbb3994ab30.json new file mode 100644 index 00000000..39acd881 --- /dev/null +++ b/attack-pattern/attack-pattern--d6513614-2072-4aa9-b5fe-9bbb3994ab30.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--d1d89d3b-da1b-4c55-80a4-c7a6f4da04e4", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d6513614-2072-4aa9-b5fe-9bbb3994ab30", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.212Z", + "modified": "2020-02-05T20:28:15.212Z", + "name": "Network Share Discovery", + "description": "Malware may discover and/or scan shared network drives.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/network-share-discover.md", + "external_id": "T1135" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1135", + "external_id": "T1135" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be.json b/attack-pattern/attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be.json new file mode 100644 index 00000000..bb660df8 --- /dev/null +++ b/attack-pattern/attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--a2cb61de-adf9-471d-8f33-25472cd0eab8", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.302Z", + "modified": "2020-02-05T20:28:15.302Z", + "name": "Conditional Execution", + "description": "Malware checks system environment conditions or characteristics to determine execution path. For example, malware may not run or be dormant unless system conditions are right, or file that is dropped may vary according to execution environment. Conditional execution happens autonomously, not because of an attacker's command.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/conditional-execute.md", + "external_id": "M0025" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Malware terminates its execution based on a trigger condition or value (or because it has completed).", + "name": "Suicide Exit" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--db081b29-8422-45c1-a622-a5405fe78a58.json b/attack-pattern/attack-pattern--db081b29-8422-45c1-a622-a5405fe78a58.json new file mode 100644 index 00000000..898e5b59 --- /dev/null +++ b/attack-pattern/attack-pattern--db081b29-8422-45c1-a622-a5405fe78a58.json 
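Review bot: The `Suicide Exit` method is defined as terminating `based on a trigger condition or value (or because it has completed)`, but exiting on normal completion is not conditional execution, so the parenthetical widens the method past the behavior it sits under; suggest `"Malware terminates its own execution when a trigger condition or value is met."` unless the source page deliberately includes completion. The `description` also drops an article — `or file that is dropped may vary` → `or the file that is dropped may vary` — and `execution path` would read better as `its execution path`.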
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--9f99bc6d-6e4a-4f36-9697-c65cefa9fc31", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--db081b29-8422-45c1-a622-a5405fe78a58", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.330Z", + "modified": "2020-02-05T20:28:15.330Z", + "name": "Modify Existing Service", + "description": "Malware may modify an existing service to gain persistence. Modification may include disabling a service.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/modify-service.md", + "external_id": "E1031" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1031", + "external_id": "T1031" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--db4db0bf-8914-4cf2-b128-6fc458eceef0.json b/attack-pattern/attack-pattern--db4db0bf-8914-4cf2-b128-6fc458eceef0.json new file mode 100644 index 00000000..4db654de --- /dev/null +++ b/attack-pattern/attack-pattern--db4db0bf-8914-4cf2-b128-6fc458eceef0.json 
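Review bot: `kill_chain_phases` lists only `persistence`, but the `description` says `Modification may include disabling a service`, and disabling a service (typically a security or logging service) is defense evasion rather than persistence, so the single phase undersells what the text covers. Either add `{ "kill_chain_name": "mitre-mbc", "phase_name": "defense-evasion" }` or narrow the sentence to modifications that actually provide persistence, e.g. `"Modification may include changing the service's binary path or start type."`, leaving service disabling to the relevant defense-evasion behavior. Which of the two is intended should be checked against the source markdown, which is not in this diff.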
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--3d81d110-ee11-427a-bbf1-ab197dfc2394", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--db4db0bf-8914-4cf2-b128-6fc458eceef0", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.131Z", + "modified": "2020-02-05T20:28:15.131Z", + "name": "Audio Capture", + "description": "Malware leverages system's peripheral devices to capture audio.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/audio-capture.md", + "external_id": "T1123" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1123/", + "external_id": "T1123" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--dcf577a4-f3c7-4abe-90f3-0e2cfeba0e2d.json b/attack-pattern/attack-pattern--dcf577a4-f3c7-4abe-90f3-0e2cfeba0e2d.json new file mode 100644 index 00000000..0665b49b --- /dev/null +++ b/attack-pattern/attack-pattern--dcf577a4-f3c7-4abe-90f3-0e2cfeba0e2d.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--9b63d724-a5c0-433f-8ebf-904d1664884a", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--dcf577a4-f3c7-4abe-90f3-0e2cfeba0e2d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.242Z", + "modified": "2020-02-05T20:28:15.242Z", + "name": "Fallback Channels", + "description": "Malware may contain a secondary command and control server or may communicate over a backup channel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/fallback-channels.md", + "external_id": "T1008" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1008/", + "external_id": "T1008" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--de4972da-8a7d-4d60-96e7-0c3d7d4fc394.json b/attack-pattern/attack-pattern--de4972da-8a7d-4d60-96e7-0c3d7d4fc394.json new file mode 100644 index 00000000..059ed36c --- /dev/null +++ b/attack-pattern/attack-pattern--de4972da-8a7d-4d60-96e7-0c3d7d4fc394.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--01954119-631f-4b5f-abf8-738a02c5f8a1", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--de4972da-8a7d-4d60-96e7-0c3d7d4fc394", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.381Z", + "modified": "2020-02-05T20:28:15.381Z", + "name": "File Permissions Modification", + "description": "Malware may modify file permissions to evade detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/file-permission-mod.md", + "external_id": "T1222" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1222", + "external_id": "T1222" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--df815f03-3c56-4fc7-a443-e6ce5e002664.json b/attack-pattern/attack-pattern--df815f03-3c56-4fc7-a443-e6ce5e002664.json new file mode 100644 index 00000000..ae4717c6 --- /dev/null +++ b/attack-pattern/attack-pattern--df815f03-3c56-4fc7-a443-e6ce5e002664.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--3d83f76b-4996-4cdb-90ef-8547a186f3e7", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--df815f03-3c56-4fc7-a443-e6ce5e002664", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.268Z", + "modified": "2020-02-05T20:28:15.268Z", + "name": "C2 Communication", + "description": "All command and control malware use client/server communication. The methods listed below can be used to capture explicit communication details. Remote file copy behavior is captured separately, as is done in ATT&CK - see [Remote File Copy](https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/remote-file-copy.md).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/command-control-comm.md", + "external_id": "M0030" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--e7aa19e5-50c9-4a10-ab07-d774e2a38166.json b/attack-pattern/attack-pattern--e7aa19e5-50c9-4a10-ab07-d774e2a38166.json new file mode 100644 index 00000000..6752e962 --- /dev/null +++ b/attack-pattern/attack-pattern--e7aa19e5-50c9-4a10-ab07-d774e2a38166.json 
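Review bot: The `description` says `The methods listed below can be used to capture explicit communication details`, but this object has no `x_mitre_methods` property at all (compare the Component Firmware and Memory Dump Evasion objects in this release, which do carry one), so the sentence points at nothing and the conversion may have dropped the methods. Either restore the methods array from the source markdown or change the sentence to one that holds for the STIX object on its own, e.g. `"Specific communication details are captured as methods on this behavior."`. The Remote File Copy cross-reference is likewise only a markdown URL inside the text; an `external_references` entry would keep it traversable.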
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--f70b24f2-303a-44fe-be80-655375f837b0", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e7aa19e5-50c9-4a10-ab07-d774e2a38166", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.426Z", + "modified": "2020-02-05T20:28:15.426Z", + "name": "Configuration Modification", + "description": "Malware may install malicious configuration settings or may modify existing configuration settings. This MBC behavior extends the related ATT&CK technique to all platforms and to the Persistence objective.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/config-mod.md", + "external_id": "E1478" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1478", + "external_id": "T1478" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--e7b72976-3e0e-4957-ac09-33a204c4d4b5.json b/attack-pattern/attack-pattern--e7b72976-3e0e-4957-ac09-33a204c4d4b5.json new file mode 100644 index 00000000..254162e3 --- /dev/null +++ b/attack-pattern/attack-pattern--e7b72976-3e0e-4957-ac09-33a204c4d4b5.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--7dd36a64-e5ed-4961-9bd8-3b9bdf45d9a8", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e7b72976-3e0e-4957-ac09-33a204c4d4b5", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.418Z", + "modified": "2020-02-05T20:28:15.418Z", + "name": "BITS Jobs", + "description": "Malware may abuse Windows Background Intelligent Transfer Service (BITS) to download and/or execute malicious code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/bits-jobs.md", + "external_id": "T1197" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1197", + "external_id": "T1197" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a.json b/attack-pattern/attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a.json new file mode 100644 index 00000000..f42ad3a6 --- /dev/null +++ b/attack-pattern/attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--78e18752-e385-4e53-aa8f-61e2f3b9fd23", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.314Z", + "modified": "2020-02-05T20:28:15.314Z", + "name": "Registry Run Keys / Startup Folder", + "description": "Malware may add an entry to the Windows Registry run keys or startup folder to enable persistence.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/registry-run-startup.md", + "external_id": "E1060" + }, + { + "source_name": "external_source", + "url": "https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1060", + "external_id": "T1060" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--e7f6dd03-80ee-4721-baed-949bd060ed48.json b/attack-pattern/attack-pattern--e7f6dd03-80ee-4721-baed-949bd060ed48.json new file mode 100644 index 00000000..dacdff96 --- /dev/null +++ b/attack-pattern/attack-pattern--e7f6dd03-80ee-4721-baed-949bd060ed48.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--294dee7d-5c37-4132-907e-f662f1741471", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e7f6dd03-80ee-4721-baed-949bd060ed48", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.144Z", + "modified": "2020-02-05T20:28:15.144Z", + "name": "Access Call Log", + "description": "Malware gathers call log data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/access-call-log.md", + "external_id": "T1433" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1433/", + "external_id": "T1433" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8.json b/attack-pattern/attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8.json new file mode 100644 index 00000000..68e96204 --- /dev/null +++ b/attack-pattern/attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--a1cf21d5-04ac-468b-ba49-cb8aec8d08ec", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.288Z", + "modified": "2020-02-05T20:28:15.288Z", + "name": "Command-Line Interface", + "description": "Malware may use command-line interfaces to execute programs on a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/command-line.md", + "external_id": "T1059" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1059", + "external_id": "T1059" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--e9f0d1de-13f3-499a-a0ee-32fe37912720.json b/attack-pattern/attack-pattern--e9f0d1de-13f3-499a-a0ee-32fe37912720.json new file mode 100644 index 00000000..92d16dc8 --- /dev/null +++ b/attack-pattern/attack-pattern--e9f0d1de-13f3-499a-a0ee-32fe37912720.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--e6dbd7ee-0006-4fd1-b584-ffc18b3c96dc", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e9f0d1de-13f3-499a-a0ee-32fe37912720", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.409Z", + "modified": "2020-02-05T20:28:15.409Z", + "name": "Boot Sector Modification", + "description": "The boot sectors of a hard drive are modified (e.g., Master Boot Record (MBR)). ATT&CK associates bootkits with the Persistence. See ATT&CK: [**Bootkit**](https://attack.mitre.org/techniques/T1067/).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/boot-sector-mod.md", + "external_id": "M0028" + }, + { + "source_name": "external_source", + "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1067/", + "external_id": "T1067" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--e9f915ef-38e5-4c6a-a885-c26073023fe5.json b/attack-pattern/attack-pattern--e9f915ef-38e5-4c6a-a885-c26073023fe5.json new file mode 100644 index 00000000..5718b096 --- /dev/null +++ b/attack-pattern/attack-pattern--e9f915ef-38e5-4c6a-a885-c26073023fe5.json 
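Review bot: The `description` has a stray article — `ATT&CK associates bootkits with the Persistence.` → `ATT&CK associates bootkits with Persistence.` — and its `See ATT&CK: [**Bootkit**](…/T1067/)` markdown link duplicates the `mitre-attack` entry already present in `external_references`, so the sentence can be shortened to `"See the ATT&CK Bootkit technique (T1067)."` without losing information. The object lists both `defense-evasion` and `persistence` phases while the text only motivates the persistence mapping; a clause explaining why MBC also files it under defense evasion would help readers who only see this JSON.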
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--7b589353-5b72-443e-ba93-d08a21cb76b2", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e9f915ef-38e5-4c6a-a885-c26073023fe5", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.109Z", + "modified": "2020-02-05T20:28:15.109Z", + "name": "Exploitation of Remote Services", + "description": "Malware may exploit a vulnerability in a program, service, or operating system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/exploit-remote-services.md", + "external_id": "T1210" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1210", + "external_id": "T1210" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--ebf911df-6135-42a8-a9f5-76676f546d4a.json b/attack-pattern/attack-pattern--ebf911df-6135-42a8-a9f5-76676f546d4a.json new file mode 100644 index 00000000..0894aad0 --- /dev/null +++ b/attack-pattern/attack-pattern--ebf911df-6135-42a8-a9f5-76676f546d4a.json 
@@ -0,0 +1,82 @@ +{ + "type": "bundle", + "id": "bundle--ed40c29c-431d-49e5-858a-853074115662", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ebf911df-6135-42a8-a9f5-76676f546d4a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.198Z", + "modified": "2020-02-05T20:28:15.198Z", + "name": "Memory Dump Evasion", + "description": "Malware hinders retrieval and/or discovery of the contents of the physical memory of the system on which the malware instance is executing [[1]](#1).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-memory-dump.md", + "external_id": "M0006" + }, + { + "source_name": "external_source", + "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" + }, + { + "source_name": "external_source", + "url": "http://waleedassar.blogspot.com/search/label/anti-dump" + }, + { + "source_name": "external_source", + "url": "https://www.gironsec.com/code/packers.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Encrypt the executing malware instance code in memory.", + "name": "Code Encryption in Memory" + }, + { + "definition": "Erase PE header from memory.", + "name": "Erase the PE header" + }, + { + "definition": "Hide arbitrary segments of virtual memory.", + "name": "Hide virtual memory" + }, + { + "definition": "Set the SizeOfImage field of PEB.LoaderData to be huge.", + "name": "SizeOfImage" + }, + { + "definition": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).", + "name": "Tampering" + }, + { + "definition": "Encrypt blocks of code individually and decrypt temporarily 
only upon execution.", + "name": "Guard Pages" + }, + { + "definition": "Resolve API addresses before each use to prevent complete dumping.", + "name": "On-the-Fly APIs" + }, + { + "definition": "API behavior can be altered to prevent memory dumps. For example, inaccurate data can be reported when the contents of the physical memory of the system on which the malware instance is executing is retrieved. See [Hooking](https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/hooking.md).", + "name": "Feed Misinformation" + }, + { + "definition": "flow opcodes (e.g., jumps, loops) are removed and emulated (or decrypted) by the packer during execution, resulting in incorrect dumps. [[4]](#4)", + "name": "Flow Opcode Obstruction" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--ecee9e53-6ad7-4459-a02a-66bfc9e6caed.json b/attack-pattern/attack-pattern--ecee9e53-6ad7-4459-a02a-66bfc9e6caed.json new file mode 100644 index 00000000..be688999 --- /dev/null +++ b/attack-pattern/attack-pattern--ecee9e53-6ad7-4459-a02a-66bfc9e6caed.json 
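Review bot: The "Flow Opcode Obstruction" method definition ends with the footnote marker `[[4]](#4)`, but the object only carries three `external_source` references, so the citation points at nothing; the top-level description's `[[1]](#1)` has the same problem because STIX `external_references` are unnumbered and the markdown anchors do not survive generation. Either drop the markdown footnote markers from the generated `description`/`definition` strings or add the fourth source as an `external_references` entry so the citation is recoverable. The definition for "Guard Pages" also appears to be split across a line break in this patch; worth confirming the generated string is intact on disk.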
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--6937d9e0-2f34-4e3d-8b04-a22b411d71cd", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ecee9e53-6ad7-4459-a02a-66bfc9e6caed", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.119Z", + "modified": "2020-02-05T20:28:15.119Z", + "name": "Data from Network Shared Drive", + "description": "Malware collects from remote systems via shared network drives that are accessible from the compromised system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/data-network-share.md", + "external_id": "T1039" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1039/", + "external_id": "T1039" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--ecef682a-60cb-46a6-a7af-c90b4d679669.json b/attack-pattern/attack-pattern--ecef682a-60cb-46a6-a7af-c90b4d679669.json new file mode 100644 index 00000000..a5b1f521 --- /dev/null +++ b/attack-pattern/attack-pattern--ecef682a-60cb-46a6-a7af-c90b4d679669.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--d1478fed-e0fc-4aaa-beed-c64353c2a295", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ecef682a-60cb-46a6-a7af-c90b4d679669", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.415Z", + "modified": "2020-02-05T20:28:15.415Z", + "name": "NTFS File Attributes", + "description": "Malware may store malicious data in file attribute metadata.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/ntfs-file-attr.md", + "external_id": "T1096" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1096/", + "external_id": "T1096" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--eebc4347-09b3-4871-8f16-db2e1cbfe135.json b/attack-pattern/attack-pattern--eebc4347-09b3-4871-8f16-db2e1cbfe135.json new file mode 100644 index 00000000..e77dc245 --- /dev/null +++ b/attack-pattern/attack-pattern--eebc4347-09b3-4871-8f16-db2e1cbfe135.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--3d3b444c-d48b-4d25-8944-ac7a3651a847", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--eebc4347-09b3-4871-8f16-db2e1cbfe135", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.355Z", + "modified": "2020-02-05T20:28:15.355Z", + "name": "Hidden Window", + "description": "Malware may use a macOS/OS X tag to prevent its application icron from appearing in the Dock to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/hidden-window.md", + "external_id": "T1143" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1143", + "external_id": "T1143" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--f2f10f49-dd06-4323-aedd-7806286c6529.json b/attack-pattern/attack-pattern--f2f10f49-dd06-4323-aedd-7806286c6529.json new file mode 100644 index 00000000..c9b0b63f --- /dev/null +++ b/attack-pattern/attack-pattern--f2f10f49-dd06-4323-aedd-7806286c6529.json 
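Review bot: The description contains the typo "application icron" in the Hidden Window object; it should read `"Malware may use a macOS/OS X tag to prevent its application icon from appearing in the Dock to avoid detection."`. If the JSON is generated from mbc-markdown, fix it in `defense-evasion/hidden-window.md` so the next regeneration does not reintroduce it.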
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--280dbcf4-54bb-469a-b3b6-4fc59e4b97a0", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f2f10f49-dd06-4323-aedd-7806286c6529", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.453Z", + "modified": "2020-02-05T20:28:15.453Z", + "name": "Account Manipulation", + "description": "Malware may manipulate accounts to maintain access to credentials or permission levels.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/acct-manipulate.md", + "external_id": "T1098" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1098/", + "external_id": "T1098" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--f42d3d87-e374-4114-bc93-a52cae45e3d0.json b/attack-pattern/attack-pattern--f42d3d87-e374-4114-bc93-a52cae45e3d0.json new file mode 100644 index 00000000..96f96db8 --- /dev/null +++ b/attack-pattern/attack-pattern--f42d3d87-e374-4114-bc93-a52cae45e3d0.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--05bf48d2-dddd-45f9-a9f4-5dd6bdbbff26", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f42d3d87-e374-4114-bc93-a52cae45e3d0", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.401Z", + "modified": "2020-02-05T20:28:15.401Z", + "name": "Redundant Access", + "description": "Malware may use more than one type of access for persistence and to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/redundant-access.md", + "external_id": "T1108" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1108", + "external_id": "T1108" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--f48a693f-aeb3-4e68-99e3-01c56e223272.json b/attack-pattern/attack-pattern--f48a693f-aeb3-4e68-99e3-01c56e223272.json new file mode 100644 index 00000000..3837d821 --- /dev/null +++ b/attack-pattern/attack-pattern--f48a693f-aeb3-4e68-99e3-01c56e223272.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--99c3f4d0-39e0-4508-a74a-771f2a47a617", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f48a693f-aeb3-4e68-99e3-01c56e223272", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.434Z", + "modified": "2020-02-05T20:28:15.434Z", + "name": "Application Shimming", + "description": "Malware may use Windows Application Compatibility Infrastructure/Framework (application shim) to elevate privileges or install programs.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/app-shimming.md", + "external_id": "T1138" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1138", + "external_id": "T1138" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--f538e66c-fab9-4a8b-b547-a206e4ddfe1b.json b/attack-pattern/attack-pattern--f538e66c-fab9-4a8b-b547-a206e4ddfe1b.json new file mode 100644 index 00000000..a01a2ea7 --- /dev/null +++ b/attack-pattern/attack-pattern--f538e66c-fab9-4a8b-b547-a206e4ddfe1b.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--13f8cc46-064e-4b83-86d0-bbc15c9b45c8", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f538e66c-fab9-4a8b-b547-a206e4ddfe1b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.321Z", + "modified": "2020-02-05T20:28:15.321Z", + "name": "Create Account", + "description": "Malware may create a local system or domain account for persistence.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/create-account.md", + "external_id": "T1136" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1136", + "external_id": "T1136" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c.json b/attack-pattern/attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c.json new file mode 100644 index 00000000..113f4505 --- /dev/null +++ b/attack-pattern/attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--1dffc8d6-c71d-4aca-a6a4-be82ddd4391d", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.217Z", + "modified": "2020-02-05T20:28:15.217Z", + "name": "Process Discovery", + "description": "Malware may try to get information about running processes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/process-discover.md", + "external_id": "T1057" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1057", + "external_id": "T1057" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4.json b/attack-pattern/attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4.json new file mode 100644 index 00000000..c0aca515 --- /dev/null +++ b/attack-pattern/attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--7dcea0b5-5190-4109-b45f-fc4e6158d6d5", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.214Z", + "modified": "2020-02-05T20:28:15.214Z", + "name": "System Information Discovery", + "description": "Malware may attempt to get detailed information about the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-info-discover.md", + "external_id": "T1082" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--f7768d3e-3a55-4876-8793-4e78d68f3a38.json b/attack-pattern/attack-pattern--f7768d3e-3a55-4876-8793-4e78d68f3a38.json new file mode 100644 index 00000000..73779fb7 --- /dev/null +++ b/attack-pattern/attack-pattern--f7768d3e-3a55-4876-8793-4e78d68f3a38.json 
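Review bot: This object uses the ATT&CK ID `T1082` as its `mitre-mbc` external_id but, unlike the sibling objects in this release (e.g. Process Discovery/T1057, Create Account/T1136), it has no `mitre-attack` entry in `external_references`, so consumers that resolve ATT&CK links by `source_name` will miss it. Add the companion reference: `{ "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1082/", "external_id": "T1082" }`. Worth checking the generator for other ATT&CK-derived behaviors that lost the second reference.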
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--b38dc31f-b77a-4e93-921c-7b3456048a0e", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f7768d3e-3a55-4876-8793-4e78d68f3a38", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.465Z", + "modified": "2020-02-05T20:28:15.465Z", + "name": "Endpoint Denial of Service", + "description": "Malware may make a system unavailable, for example, by locking a user out of a system. The ATT&CK technique, [Lock User Out of Device](https://attack.mitre.org/techniques/T1446/), pertains to the Android platform; the technique [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499/) is applicable to other platforms.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/endpoint-denial-of-service.md", + "external_id": "T1499" + }, + { + "source_name": "external_source", + "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1499/", + "external_id": "T1499" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1446/", + "external_id": "T1446" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Locks user out of a system.", + "name": "User Lock Out" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--f92667e4-d874-4fee-afac-f4770cf6cede.json b/attack-pattern/attack-pattern--f92667e4-d874-4fee-afac-f4770cf6cede.json new file mode 100644 index 00000000..c7f7cbd0 --- /dev/null +++ b/attack-pattern/attack-pattern--f92667e4-d874-4fee-afac-f4770cf6cede.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--3fbee9bb-be96-45fd-b2c7-149949bfcb17", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f92667e4-d874-4fee-afac-f4770cf6cede", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.228Z", + "modified": "2020-02-05T20:28:15.228Z", + "name": "Analysis Tool Discovery", + "description": "Malware can employ various means to detect whether analysis tools are present or running on the system on which it is executing. Note that analysis tools are used to *analyze* malware whereas security software (see [Security Software Discovery](https://github.com/MBCProject/mbc-markdown/blob/master/discovery/security-sw-discover.md)) aims to *detect/mitigate* malware on a system or network.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/analysis-tool-discover.md", + "external_id": "M0013" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Malware can scan for the process name associated with common analysis tools: \n * Debuggers: OllyDBG / ImmunityDebugger / WinDbg / IDA Pro\n * SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)\n * PCAP Utilities: Wireshark / Dumpcap\n * Process Utilities: ProcessHacker / SysAnalyzer / HookExplorer / SysInspector\n * PE Utilities: ImportREC / PETools / LordPE\n * Sandboxes: Joe Sandbox, etc.", + "name": "Process detection" + } + ] + } + ] +} \ No newline at end of file 
diff --git a/attack-pattern/attack-pattern--fabff5fa-5d64-4167-9f95-6e25c35002ff.json b/attack-pattern/attack-pattern--fabff5fa-5d64-4167-9f95-6e25c35002ff.json new file mode 100644 index 00000000..0d2865c2 --- /dev/null +++ b/attack-pattern/attack-pattern--fabff5fa-5d64-4167-9f95-6e25c35002ff.json @@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--ae8522c8-395f-43e4-947e-7830749642a2", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fabff5fa-5d64-4167-9f95-6e25c35002ff", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.260Z", + "modified": "2020-02-05T20:28:15.260Z", + "name": "Standard Cryptographic Protocol", + "description": "Malware may use a standard cryptographic protocol to conceal command and control traffic or other data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/std-crypto-protocol.md", + "external_id": "T1032" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1032/", + "external_id": "T1032" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--fb4f9ec2-9c0e-4b28-9af7-b2bd4c69ff65.json b/attack-pattern/attack-pattern--fb4f9ec2-9c0e-4b28-9af7-b2bd4c69ff65.json new file mode 100644 index 00000000..f7749d2a --- /dev/null +++ b/attack-pattern/attack-pattern--fb4f9ec2-9c0e-4b28-9af7-b2bd4c69ff65.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--ec7d44b5-00bb-48c4-bfd8-bc4d9bab2252", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fb4f9ec2-9c0e-4b28-9af7-b2bd4c69ff65", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.441Z", + "modified": "2020-02-05T20:28:15.441Z", + "name": "Sudo", + "description": "Malware may take advantage of the sudoers file in Linux or macOS for privilege escalation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/sudo.md", + "external_id": "T1169" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1169", + "external_id": "T1169" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--fb7a6e89-4943-47a3-980f-d22c9f394d40.json b/attack-pattern/attack-pattern--fb7a6e89-4943-47a3-980f-d22c9f394d40.json new file mode 100644 index 00000000..3859eb52 --- /dev/null +++ b/attack-pattern/attack-pattern--fb7a6e89-4943-47a3-980f-d22c9f394d40.json 
@@ -0,0 +1,85 @@ +{ + "type": "bundle", + "id": "bundle--17d56821-99c4-45a7-8e7c-5f029736b5b5", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fb7a6e89-4943-47a3-980f-d22c9f394d40", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.157Z", + "modified": "2020-02-05T20:28:15.157Z", + "name": "Software Packing", + "description": "This code characteristic - Software Packing - can make static and behavioral analysis difficult and includes packing with a software protectors, such as Themida and Armadillo [[1]](#1). Methods related to anti-analysis are below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/software-packing.md", + "external_id": "E1045" + }, + { + "source_name": "external_source", + "description": "Ange Albertini, Packers, 5 April 2010,", + "url": "https://gironsec.com/code/packers.pdf" + }, + { + "source_name": "external_source", + "description": "Jiang Ming et al, Towards Paving the Way for Large-Scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-Magnitude Performance Boost, October 2018,", + "url": "https://dl.acm.org/citation.cfm?id=3243771." 
+ }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1045/", + "external_id": "T1045" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "the malware is packed by one packer, the result is packed, etc.", + "name": "Nested Packing" + }, + { + "definition": "Uses a standard algorithm, such as UPX or LZMA, to compress an executable file.", + "name": "Standard Compression" + }, + { + "definition": "Uses a standard algorithm to compress the opcode mnemonics.", + "name": "Standard Compression of Code" + }, + { + "definition": "Uses a standard algorithm to compress strings and variables (executable file data).", + "name": "Standard Compression of Data" + }, + { + "definition": "Uses a custom algorithm to compress an executable file.", + "name": "Custom Compression" + }, + { + "definition": "Uses a custom algorithm to compress opcode mnemonics.", + "name": "Custom Compression of Code" + }, + { + "definition": "Uses a custom algorithm to compress strings and variables (executable file data).", + "name": "Custom Compression of Data" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--fbe0f011-0dbb-4a6e-a860-32120311f74b.json b/attack-pattern/attack-pattern--fbe0f011-0dbb-4a6e-a860-32120311f74b.json new file mode 100644 index 00000000..750a3231 --- /dev/null +++ b/attack-pattern/attack-pattern--fbe0f011-0dbb-4a6e-a860-32120311f74b.json 
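Review bot: The second `external_source` URL in this hunk is `"https://dl.acm.org/citation.cfm?id=3243771."` with a trailing period inside the string, which yields a broken link when the reference is rendered; it should be `"url": "https://dl.acm.org/citation.cfm?id=3243771"`. The `description` also has a minor grammar slip, "packing with a software protectors", which should read `"packing with software protectors, such as Themida and Armadillo"`. The trailing commas at the end of both `description` fields in the references ("5 April 2010,") look like artifacts of the markdown-to-STIX conversion and can be trimmed there.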
@@ -0,0 +1,78 @@ +{ + "type": "bundle", + "id": "bundle--9340454a-2cfd-4357-8393-c3de81a2ed2d", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fbe0f011-0dbb-4a6e-a860-32120311f74b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.175Z", + "modified": "2020-02-05T20:28:15.175Z", + "name": "Dynamic Analysis Evasion", + "description": "Malware may obstruct dynamic analysis in a sandbox, emulator, or virtual machine.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-dynamic-analysis.md", + "external_id": "M0003" + }, + { + "source_name": "external_source", + "url": "http://joe4security.blogspot.com/2013/06/overloading-sandboxes-new-generic.html" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf" + }, + { + "source_name": "external_source", + "url": "https://research.checkpoint.com/2019-resurgence-of-smokeloader/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Overloads a sandbox by generating a flood of meaningless behavioral data. [[1]](#1)", + "name": "Data Flood" + }, + { + "definition": "Inclusion of a demo binary/mode that is executed when token is absent or not enough privileged.", + "name": "Demo Mode" + }, + { + "definition": "Original file is written to disk then executed. 
May confuse some sandboxes, especially if the dropped executable must be provided specific arguments and the original dropper is not associated with the drop file(s).", + "name": "Drop Code" + }, + { + "definition": "Encode a file on disk, such as an implant's config file.", + "name": "Encode File" + }, + { + "definition": "execution happens when a particular file or directory is accessed, often through hooking certain API calls such as CreateFileA and CreateFileW.", + "name": "Hook File System" + }, + { + "definition": "modification of interrupt vector or descriptor tables.", + "name": "Hook Interrupt" + }, + { + "definition": "Creates an illusion; makes the analyst think something happened when it didn't.", + "name": "Illusion" + } + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--fc82f55c-157b-40b6-ae7c-ade5f0fc9be2.json b/attack-pattern/attack-pattern--fc82f55c-157b-40b6-ae7c-ade5f0fc9be2.json new file mode 100644 index 00000000..5c3fd44e --- /dev/null +++ b/attack-pattern/attack-pattern--fc82f55c-157b-40b6-ae7c-ade5f0fc9be2.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--6d32695d-5ef1-4b6a-88c9-d2b9350d50a2", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fc82f55c-157b-40b6-ae7c-ade5f0fc9be2", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.380Z", + "modified": "2020-02-05T20:28:15.380Z", + "name": "Process Hollowing", + "description": "Instead of performing [Process Injection](https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/process-inject.md), malware may unmap (hollows out) legitimate code from the target process's memory (e.g., svchost.exe) and overwrite the memory space with a malicious code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/process-hollow.md", + "external_id": "T1093" + }, + { + "source_name": "external_source", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1093", + "external_id": "T1093" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/attack-pattern/attack-pattern--fe182cf0-6215-458b-9b49-7a8b23aa430c.json b/attack-pattern/attack-pattern--fe182cf0-6215-458b-9b49-7a8b23aa430c.json new file mode 100644 index 00000000..69ec8f12 --- /dev/null +++ b/attack-pattern/attack-pattern--fe182cf0-6215-458b-9b49-7a8b23aa430c.json 
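Review bot: The Process Hollowing description has a subject/verb mismatch and an article error: "malware may unmap (hollows out) legitimate code ... and overwrite the memory space with a malicious code". Suggested wording: `"malware may unmap (hollow out) legitimate code from the target process's memory (e.g., svchost.exe) and overwrite that memory with malicious code."`. The opening "Instead of performing Process Injection" is also slightly misleading since hollowing is commonly catalogued as an injection variant, so consider "As a variant of Process Injection" if that matches the intent of the linked MBC page.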
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--6596cfb1-7327-45e2-91a0-228ff5d41aca", + "objects": [ + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fe182cf0-6215-458b-9b49-7a8b23aa430c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.447Z", + "modified": "2020-02-05T20:28:15.447Z", + "name": "LLMNR/NBT-NS Poisoning", + "description": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. Malware may spoof an authoritative source, poisoning the service.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/LLMNR-poison.md", + "external_id": "T1171" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1171/", + "external_id": "T1171" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/identity/identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf.json b/identity/identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf.json new file mode 100644 index 00000000..d9218596 --- /dev/null +++ b/identity/identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf.json 
@@ -0,0 +1,18 @@
+{
+ "type": "bundle",
+ "id": "bundle--840a99da-33fd-4f5a-8fdb-fefa91bb96d3",
+ "objects": [
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-01-01T00:00:00.000Z",
+ "modified": "2020-01-01T00:00:00.000Z",
+ "name": "The MITRE Corporation",
+ "identity_class": "organization",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--0823d7b2-2870-4bb8-9818-a31108708c93.json b/malware/malware--0823d7b2-2870-4bb8-9818-a31108708c93.json
new file mode 100644
index 00000000..8148e5e2
--- /dev/null
+++ b/malware/malware--0823d7b2-2870-4bb8-9818-a31108708c93.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--b1b647f6-bae2-471c-a2a4-fa5549384509",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--0823d7b2-2870-4bb8-9818-a31108708c93",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.174Z",
+ "modified": "2020-02-05T20:28:16.174Z",
+ "name": "Terminator",
+ "description": "A remote access tool (RAT).",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/terminator.md",
+ "external_id": "X0021"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2013"
+ }
+ ]
+}
\ No newline at end of file
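Review bot: `"malware_types": ["unknown"]` on the Terminator object contradicts its own description, which classifies it as a RAT, and the same placeholder is used by every malware object in this series even where the description names the type (ransomware, worm, spyware, backdoor, bot, bootkit, wiper, DDoS). STIX 2.1's malware-type-ov already provides matching values such as `remote-access-trojan`, `ransomware`, `worm`, `spyware`, `backdoor`, `bot`, `bootkit`, `wiper` and `ddos`; here it would be `"malware_types": ["remote-access-trojan"]`. Leaving `unknown` makes the field useless for filtering and hides information that is already present in the free text.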
diff --git a/malware/malware--0cc95157-e602-407e-9225-3d595cb1a6e8.json b/malware/malware--0cc95157-e602-407e-9225-3d595cb1a6e8.json
new file mode 100644
index 00000000..896553ec
--- /dev/null
+++ b/malware/malware--0cc95157-e602-407e-9225-3d595cb1a6e8.json
@@ -0,0 +1,34 @@
+{
+ "type": "bundle",
+ "id": "bundle--4c6f2e40-2e06-4d78-8a25-9891fd5d1ed5",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.152Z",
+ "modified": "2020-02-05T20:28:16.152Z",
+ "name": "TrickBot",
+ "description": "Trojan spyware program that has mainly been used for targeting banking sites. TrickBot is written in the C++ programming language.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/trickbot.md",
+ "external_id": "X0025"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2016"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--1114f1d1-94fb-4499-b1b3-980de47dbd11.json b/malware/malware--1114f1d1-94fb-4499-b1b3-980de47dbd11.json
new file mode 100644
index 00000000..add94745
--- /dev/null
+++ b/malware/malware--1114f1d1-94fb-4499-b1b3-980de47dbd11.json
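Review bot: The MBC identifier `X0025` on TrickBot's mitre-mbc reference is reused by the Heriplor Trojan object later in this series (`malware--7d15a1bf-98dc-4da5-9867-15cba30ed3cc`), and `X0011` is likewise shared by Locky Bart (`malware--135968d7-8b5f-492e-9423-9c98bc4d9d06`) and UP007 (`malware--a0008d7c-30f1-43f7-a798-50552e1fa282`). external_id is what consumers use to map a STIX object back to its MBC page, so each X-id must be unique; the markdown slugs in the URLs (`trickbot.md` vs `heriplor.md`) show these are distinct entries that were given the same number. Allocate fresh ids for the collisions and add a uniqueness check on `external_id` under `source_name: mitre-mbc` to whatever generates these bundles.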
@@ -0,0 +1,45 @@
+{
+ "type": "bundle",
+ "id": "bundle--d9ebadc8-fc1f-4b65-9a3e-3d14311c064a",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--1114f1d1-94fb-4499-b1b3-980de47dbd11",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.178Z",
+ "modified": "2020-02-05T20:28:16.178Z",
+ "name": "Hupigon",
+ "description": "A family of backdoors.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/hupigon.md",
+ "external_id": "X0008"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_aliases": [
+ "Delf",
+ "Emerleox",
+ "Logsnif",
+ "Graybird",
+ "Pcclient"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2013"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--135968d7-8b5f-492e-9423-9c98bc4d9d06.json b/malware/malware--135968d7-8b5f-492e-9423-9c98bc4d9d06.json
new file mode 100644
index 00000000..6cea6417
--- /dev/null
+++ b/malware/malware--135968d7-8b5f-492e-9423-9c98bc4d9d06.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--0acecfad-7fc8-4cff-87ea-5ce3a52c3803",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.176Z",
+ "modified": "2020-02-05T20:28:16.176Z",
+ "name": "Locky Bart",
+ "description": "Locky Bart is ransomware.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/locky-bart.md",
+ "external_id": "X0011"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2017"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--19f41321-fc57-475f-b7d5-ef5285f4b489.json b/malware/malware--19f41321-fc57-475f-b7d5-ef5285f4b489.json
new file mode 100644
index 00000000..8d78e3b6
--- /dev/null
+++ b/malware/malware--19f41321-fc57-475f-b7d5-ef5285f4b489.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--c5ef5bc8-7d0d-425e-bf25-17664922f80a",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--19f41321-fc57-475f-b7d5-ef5285f4b489",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.172Z",
+ "modified": "2020-02-05T20:28:16.172Z",
+ "name": "MazarBot",
+ "description": "Targets Android phones via a poisoned text message.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/mazarbot.md",
+ "external_id": "X0012"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.player.one/new-android-sms-malware-can-completely-own-your-phone-just-one-text-how-avoid-mazar-512363"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Android"
+ ],
+ "x_mitre_year": "2016"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--1d8cb82f-6d6c-4726-aa93-e2a84e3e644e.json b/malware/malware--1d8cb82f-6d6c-4726-aa93-e2a84e3e644e.json
new file mode 100644
index 00000000..1b2402dd
--- /dev/null
+++ b/malware/malware--1d8cb82f-6d6c-4726-aa93-e2a84e3e644e.json
@@ -0,0 +1,47 @@
+{
+ "type": "bundle",
+ "id": "bundle--c0bfd179-c5c2-42ba-8416-b3d63a4d15bd",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--1d8cb82f-6d6c-4726-aa93-e2a84e3e644e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.160Z",
+ "modified": "2020-02-05T20:28:16.160Z",
+ "name": "SamSam",
+ "description": "Ransomware.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/samsam.md",
+ "external_id": "X0016"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.us-cert.gov/ncas/alerts/AA18-337A"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_aliases": [
+ "MSIL/Samas.A",
+ "Samas",
+ "Samsa"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2015"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--2106d331-215f-45ce-8899-3c11a4c47a8c.json b/malware/malware--2106d331-215f-45ce-8899-3c11a4c47a8c.json
new file mode 100644
index 00000000..902c6f58
--- /dev/null
+++ b/malware/malware--2106d331-215f-45ce-8899-3c11a4c47a8c.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--74e35b7e-cb1a-4296-9635-ec40eed28854",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--2106d331-215f-45ce-8899-3c11a4c47a8c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.159Z",
+ "modified": "2020-02-05T20:28:16.159Z",
+ "name": "YiSpecter",
+ "description": "YiSpecter is Apple iOS malware that can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to a C2 server. It uses tricks to hide its icons from iOS’s SpringBoard, which prevents the user from finding and deleting it. The components also use the same name and logos of system apps to trick iOS power users.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/yispecter.md",
+ "external_id": "X0024"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "iOS"
+ ],
+ "x_mitre_year": "2015"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea.json b/malware/malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea.json
new file mode 100644
index 00000000..ca12e09b
--- /dev/null
+++ b/malware/malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--c7183aa1-f78d-46bf-a160-517ee6a4abda",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.161Z",
+ "modified": "2020-02-05T20:28:16.161Z",
+ "name": "Poison-Ivy",
+ "description": "Remote Access Trojan (RAT).",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/poison-ivy.md",
+ "external_id": "X0014"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2005"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--682044ae-1d33-445d-80d1-d923fade2663.json b/malware/malware--682044ae-1d33-445d-80d1-d923fade2663.json
new file mode 100644
index 00000000..7908364b
--- /dev/null
+++ b/malware/malware--682044ae-1d33-445d-80d1-d923fade2663.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--ab1485a2-fd9f-4a30-9c5e-b84cb6aad63b",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--682044ae-1d33-445d-80d1-d923fade2663",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.157Z",
+ "modified": "2020-02-05T20:28:16.157Z",
+ "name": "Shamoon",
+ "description": "Data wiping malware.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/shamoon.md",
+ "external_id": "X0018"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2012"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27.json b/malware/malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27.json
new file mode 100644
index 00000000..f8ac7aa9
--- /dev/null
+++ b/malware/malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--557e61ae-86ff-42a5-887e-5d6070189c3b",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.156Z",
+ "modified": "2020-02-05T20:28:16.156Z",
+ "name": "Redhip",
+ "description": "An information stealer.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/redhip.md",
+ "external_id": "X0015"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2011"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--7d15a1bf-98dc-4da5-9867-15cba30ed3cc.json b/malware/malware--7d15a1bf-98dc-4da5-9867-15cba30ed3cc.json
new file mode 100644
index 00000000..076f1c5a
--- /dev/null
+++ b/malware/malware--7d15a1bf-98dc-4da5-9867-15cba30ed3cc.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--cc9b3ec9-e46c-4345-a071-0c03765bd27d",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--7d15a1bf-98dc-4da5-9867-15cba30ed3cc",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.169Z",
+ "modified": "2020-02-05T20:28:16.169Z",
+ "name": "Heriplor Trojan",
+ "description": "This Trojan is associated with the Energetic Bear group [[1]](#1).",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/heriplor.md",
+ "external_id": "X0025"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2012-2019"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1.json b/malware/malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1.json
new file mode 100644
index 00000000..dd678bf7
--- /dev/null
+++ b/malware/malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1.json
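Review bot: The description `This Trojan is associated with the Energetic Bear group [[1]](#1).` carries a markdown footnote link copied from the source page; `#1` resolves to nothing inside a STIX object and the bracketed text is shown verbatim by any consumer, so drop it and let the citation live in external_references where the SEI URL already sits. `"x_mitre_year": "2012-2019"` is the only year value in this series that is a range; every other object uses a single four-digit year string, so a consumer parsing the field as a year will fail on this one. Either keep a single year here or document the custom property as a free-form string wherever the x_mitre_ extensions are described.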
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--9155f86a-d297-49b8-86e4-5d0170437a70",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.170Z",
+ "modified": "2020-02-05T20:28:16.170Z",
+ "name": "Kovter",
+ "description": "A trojan that performs click-fraud.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/kovter.md",
+ "external_id": "X0009"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2016"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--8d5ffd62-8943-4426-8191-f66ab5881da8.json b/malware/malware--8d5ffd62-8943-4426-8191-f66ab5881da8.json
new file mode 100644
index 00000000..7516eb83
--- /dev/null
+++ b/malware/malware--8d5ffd62-8943-4426-8191-f66ab5881da8.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--e62e1f74-0b52-40ad-94da-63012f44ad89",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--8d5ffd62-8943-4426-8191-f66ab5881da8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.167Z",
+ "modified": "2020-02-05T20:28:16.167Z",
+ "name": "Ursnif",
+ "description": "A banking trojan that uses malware macros to evade sandbox detection. Variant of Gozi.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/ursnif.md",
+ "external_id": "X0022"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_aliases": [
+ "Dreambot",
+ "Gozi"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2016"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--8e60252b-1708-4809-8384-ca8937936aff.json b/malware/malware--8e60252b-1708-4809-8384-ca8937936aff.json
new file mode 100644
index 00000000..4916cbf1
--- /dev/null
+++ b/malware/malware--8e60252b-1708-4809-8384-ca8937936aff.json
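Review bot: `uses malware macros to evade sandbox detection` reads like a slip for `uses malicious macros`; as written the phrase does not parse. The description also calls Ursnif a `Variant of Gozi.` while `x_mitre_aliases` lists `Gozi` as another name for the same family, which is a mild contradiction (variant versus alias); confirm which relationship is intended and state only that one.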
@@ -0,0 +1,46 @@
+{
+ "type": "bundle",
+ "id": "bundle--5846f16f-d20b-479c-b950-23f9a7da710d",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--8e60252b-1708-4809-8384-ca8937936aff",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.175Z",
+ "modified": "2020-02-05T20:28:16.175Z",
+ "name": "Bagle",
+ "description": "A mass-mailing computer worm affecting Microsoft Windows.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/bagle.md",
+ "external_id": "X0001"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_bagle.u"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2004"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c.json b/malware/malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c.json
new file mode 100644
index 00000000..e02fa1b3
--- /dev/null
+++ b/malware/malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c.json
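Review bot: `https://en.wikipedia.org/wiki/Bagle_(computer_worm)` appears twice in external_references (the second and fourth entries are identical), which looks like a copy-paste leftover; remove one of them. A build-time check that the `url` values in an object's `external_references` are unique would catch this class of mistake across the whole series.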
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--27dae2df-0fbc-484a-a660-1d54df3363f8",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.151Z",
+ "modified": "2020-02-05T20:28:16.151Z",
+ "name": "DNSChanger",
+ "description": "Used to change DNS settings to generate fraudulent advertising revenue.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/dnschanger.md",
+ "external_id": "X0005"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2011"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--9168de31-46b0-4c9f-9e20-77e77e78a0ab.json b/malware/malware--9168de31-46b0-4c9f-9e20-77e77e78a0ab.json
new file mode 100644
index 00000000..ccbe6240
--- /dev/null
+++ b/malware/malware--9168de31-46b0-4c9f-9e20-77e77e78a0ab.json
@@ -0,0 +1,46 @@
+{
+ "type": "bundle",
+ "id": "bundle--cabec97b-a8f5-48fe-a368-a89161ab10bc",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--9168de31-46b0-4c9f-9e20-77e77e78a0ab",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.154Z",
+ "modified": "2020-02-05T20:28:16.154Z",
+ "name": "Geneio",
+ "description": "Geneio is a byproduct of the DYLD_PRINT_TIFILE vulnerability. Geneio can gain access to the MAC Keychain and persist until removed by the user.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/geneio.md",
+ "external_id": "X0007"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://support.norton.com/sp/en/us/home/current/solutions/v103415336_EndUserProfile_en_us"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "OS X"
+ ],
+ "x_mitre_year": "2015"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--92c8c384-839c-40a2-b58d-3af2ee3f1938.json b/malware/malware--92c8c384-839c-40a2-b58d-3af2ee3f1938.json
new file mode 100644
index 00000000..b3048d6d
--- /dev/null
+++ b/malware/malware--92c8c384-839c-40a2-b58d-3af2ee3f1938.json
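Review bot: `"name": "Geneio"` does not match the slug of its own Malwarebytes reference (`genieo-installer-tricks-keychain`), so at least one spelling is wrong; the vendor write-ups cited here call the family Genieo, so confirm and align the `name`, the `geneio.md` file name and the slug. In the description, `DYLD_PRINT_TIFILE` is not the name of the dyld environment variable involved in the 2015 OS X issue, which is `DYLD_PRINT_TO_FILE`, and `MAC Keychain` should be `Mac Keychain`. `is a byproduct of the ... vulnerability` is also vague about the relationship; if the installer exploited that flaw to install itself, say so directly.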
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--87b0f65d-7f58-4e9a-9f89-06b27cf7d936",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--92c8c384-839c-40a2-b58d-3af2ee3f1938",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.145Z",
+ "modified": "2020-02-05T20:28:16.145Z",
+ "name": "Gamut",
+ "description": "A spamming botnet.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/gamut.md",
+ "external_id": "X0006"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_aliases": [
+ "Bobax"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2014"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--a0008d7c-30f1-43f7-a798-50552e1fa282.json b/malware/malware--a0008d7c-30f1-43f7-a798-50552e1fa282.json
new file mode 100644
index 00000000..fbdafa38
--- /dev/null
+++ b/malware/malware--a0008d7c-30f1-43f7-a798-50552e1fa282.json
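Review bot: `"x_mitre_aliases": ["Bobax"]` on Gamut is the same alias given to Kraken later in this series (`malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf`), so an alias lookup for Bobax now resolves to two different families. Unless both families genuinely carry the name, one entry should be corrected; either way the reference that supports the alias should be the one cited, so a consumer can tell which family the name belongs to.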
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--6d2b4d02-bd0e-41aa-8bae-91999c7a5c66",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--a0008d7c-30f1-43f7-a798-50552e1fa282",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.153Z",
+ "modified": "2020-02-05T20:28:16.153Z",
+ "name": "UP007 Malware Family",
+ "description": "Description.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/up007.md",
+ "external_id": "X0011"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2016"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--a8688d54-9b39-4fad-bff9-b7bf8c5c146f.json b/malware/malware--a8688d54-9b39-4fad-bff9-b7bf8c5c146f.json
new file mode 100644
index 00000000..acbff919
--- /dev/null
+++ b/malware/malware--a8688d54-9b39-4fad-bff9-b7bf8c5c146f.json
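Review bot: `"description": "Description."` is a template placeholder, not a description; the object ships with no useful text even though the cited Citizen Lab report is an obvious source for a one-line summary. Fill it in or omit the optional property rather than publishing the placeholder, and consider a build-time check that rejects descriptions equal to the template default. Its `external_id` `X0011` also collides with Locky Bart's, as noted on the TrickBot hunk.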
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--399eee3b-f05d-487a-97e6-003426efb43b",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--a8688d54-9b39-4fad-bff9-b7bf8c5c146f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.168Z",
+ "modified": "2020-02-05T20:28:16.168Z",
+ "name": "Stuxnet",
+ "description": "A malicious worm targeting SCADA systems.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/stuxnet.md",
+ "external_id": "X0019"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.bbc.com/timelines/zc6fbk7"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/Stuxnet"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_aliases": [
+ "Rootkit.Tmphider",
+ "W32.Temphid"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2010"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--ab86ee1d-8789-4357-aff2-d6fec9434952.json b/malware/malware--ab86ee1d-8789-4357-aff2-d6fec9434952.json
new file mode 100644
index 00000000..4c4b89ad
--- /dev/null
+++ b/malware/malware--ab86ee1d-8789-4357-aff2-d6fec9434952.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--dfdadd4b-a09c-4fdb-a92a-d9469c870f33",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--ab86ee1d-8789-4357-aff2-d6fec9434952",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.164Z",
+ "modified": "2020-02-05T20:28:16.164Z",
+ "name": "SYNful Knock",
+ "description": "A modification of the router's firmware images used to maintain persistence.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/synful-knock.md",
+ "external_id": "X0020"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Cisco"
+ ],
+ "x_mitre_year": "2015"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--b3fd453e-0c69-46ab-9138-e8eca8585173.json b/malware/malware--b3fd453e-0c69-46ab-9138-e8eca8585173.json
new file mode 100644
index 00000000..c3b69ee9
--- /dev/null
+++ b/malware/malware--b3fd453e-0c69-46ab-9138-e8eca8585173.json
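Review bot: `"x_mitre_platform": ["Cisco"]` names a vendor, whereas every other object in this series uses an operating system (`Windows`, `Android`, `iOS`, `OS X`), so the property now mixes two kinds of value and a platform filter on OS names will miss this entry. If the router operating system is meant, `"x_mitre_platform": ["Cisco IOS"]` keeps the field consistent; if the vendor is meant, the custom property's meaning should be documented wherever the x_mitre_ extensions are described. The description's `the router's firmware images` also presumes a router the reader has not been told about; `router firmware images` would stand on its own.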
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--7cd4d66e-08d1-420a-8633-aa2df16a6b7d",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--b3fd453e-0c69-46ab-9138-e8eca8585173",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.146Z",
+ "modified": "2020-02-05T20:28:16.146Z",
+ "name": "Dark Comet",
+ "description": "A Remote Access Trojan (RAT) that allows a user to control the system via a GUI. It has many features which allows a user to use it as administrative remote help tool; however, DarkComet has many features which can be used maliciously. DarkComet is commonly used to spy on the victims by taking screen captures, key-logging, or password stealing.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/dark-comet.md",
+ "external_id": "X0004"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://en.wikipedia.org/wiki/DarkComet"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2008"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf.json b/malware/malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf.json
new file mode 100644
index 00000000..f26dbf42
--- /dev/null
+++ b/malware/malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf.json
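Review bot: `"name": "Dark Comet"` is spelled with a space while the description and the cited Wikipedia page use `DarkComet`, and no `x_mitre_aliases` is given, so a search for either spelling misses the other. Use one spelling for `name` and record the other as an alias, e.g. `"x_mitre_aliases": ["DarkComet"]`. The description's `which allows a user` should be `which allow a user` to agree with `features`.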
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--ad61f358-ac89-4b5c-aab0-01c5d8b7e695",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.163Z",
+ "modified": "2020-02-05T20:28:16.163Z",
+ "name": "Kraken",
+ "description": "A family of bots.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/kraken.md",
+ "external_id": "X0010"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_aliases": [
+ "Bobax"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2008"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1.json b/malware/malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1.json
new file mode 100644
index 00000000..69130999
--- /dev/null
+++ b/malware/malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--f3baf832-6a7d-4f37-a5b7-2b5f2591c8b7",
+ "objects": [
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "id": "malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.173Z",
+ "modified": "2020-02-05T20:28:16.173Z",
+ "name": "Mebromi",
+ "description": "A BIOS bootkit.",
+ "malware_types": [
+ "unknown"
+ ],
+ "is_family": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/mebromi.md",
+ "external_id": "X0013"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_platform": [
+ "Windows"
+ ],
+ "x_mitre_year": "2011"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/malware/malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10.json b/malware/malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10.json
new file mode 100644
index 00000000..227d16c1
--- /dev/null
+++ b/malware/malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10.json
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--b61c52a4-560e-41c7-b597-e8c2b7d08e42", + "objects": [ + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.148Z", + "modified": "2020-02-05T20:28:16.148Z", + "name": "WebCobra", + "description": "Cryptojacking malware.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/webcobra.md", + "external_id": "X0023" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "external_source", + "url": "https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/#16f5542cc336" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2018" + } + ] +} \ No newline at end of file diff --git a/malware/malware--dc90c5ae-c90c-4733-a9c4-c3a2a6bea3e1.json b/malware/malware--dc90c5ae-c90c-4733-a9c4-c3a2a6bea3e1.json new file mode 100644 index 00000000..becc8e2d --- /dev/null +++ b/malware/malware--dc90c5ae-c90c-4733-a9c4-c3a2a6bea3e1.json 
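Review bot: The Forbes reference URL carries the fragment `#16f5542cc336`, which looks like a per-visitor tracking token rather than part of the resource; URLs in a shared threat-intel feed should be normalized to the canonical form, `"url": "https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/"`. Separately, "Cryptojacking malware." maps to the STIX 2.1 malware-type-ov value `resource-exploitation`, so `"malware_types": ["resource-exploitation"]` is more useful to consumers than `"unknown"`.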
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--2868865f-e2c9-4c80-a7ad-cdb663c5122f", + "objects": [ + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--dc90c5ae-c90c-4733-a9c4-c3a2a6bea3e1", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.150Z", + "modified": "2020-02-05T20:28:16.150Z", + "name": "BlackEnergy", + "description": "An HTTP-based botnet used mostly for DDoS attacks.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/blackenergy.md", + "external_id": "X0002" + }, + { + "source_name": "external_source", + "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2007" + } + ] +} \ No newline at end of file diff --git a/malware/malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed.json b/malware/malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed.json new file mode 100644 index 00000000..d9879ff5 --- /dev/null +++ b/malware/malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed.json 
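Review bot: `"malware_types": ["unknown"]` for "An HTTP-based botnet used mostly for DDoS attacks." discards information STIX 2.1 can express directly: `"malware_types": ["bot", "ddos"]` are both malware-type-ov values. The only external reference is a plain-`http://` PDF on `atlas-public.ec2.arbor.net`; I have not checked whether it still resolves, but since these URLs serve as the citations for the object, an HTTPS or archived link is preferable. The custom `"x_mitre_year": "2007"` is a free-form string that generic STIX consumers ignore; if the generator can supply a full timestamp, the standard `first_seen` property is the interoperable equivalent.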
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--ec9d381c-e795-46a9-81b7-13033e4323d6", + "objects": [ + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.165Z", + "modified": "2020-02-05T20:28:16.165Z", + "name": "Conficker", + "description": "A worm targeting Microsoft Windows operations systems.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/conficker.md", + "external_id": "X0003" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "external_source", + "url": "http://www.csl.sri.com/users/vinod/papers/Conficker/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_aliases": [ + "Downup", + "Downadup", + "Kido" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2008" + } + ] +} \ No newline at end of file diff --git a/malware/malware--eee42dbc-18ca-4db7-9115-672245d8893d.json b/malware/malware--eee42dbc-18ca-4db7-9115-672245d8893d.json new file mode 100644 index 00000000..81508e28 --- /dev/null +++ b/malware/malware--eee42dbc-18ca-4db7-9115-672245d8893d.json 
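Review bot: Typo in the description — "operations systems" should be "operating systems": `"description": "A worm targeting Microsoft Windows operating systems."`. The object is also typed `"malware_types": ["unknown"]` although the description itself says it is a worm and `worm` is a STIX 2.1 malware-type-ov value. As with the other malware files in this commit, `x_mitre_aliases` could be emitted as the standard `aliases` property so that "Downup", "Downadup" and "Kido" are discoverable by generic STIX tooling rather than only by consumers that know the custom key.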
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--3d655812-7b8a-4b86-93d0-2ed91c752fb9", + "objects": [ + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--eee42dbc-18ca-4db7-9115-672245d8893d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.155Z", + "modified": "2020-02-05T20:28:16.155Z", + "name": "GotBotKR", + "description": "Modified version of a publicly available backdoor name GoBot2. Modifications are mainly evasion techniques specific to South Korea.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/gotbotkr.md", + "external_id": "X0027" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2019" + } + ] +} \ No newline at end of file diff --git a/malware/malware--f79355e1-6d17-4d9a-83f7-6d3a985bddb4.json b/malware/malware--f79355e1-6d17-4d9a-83f7-6d3a985bddb4.json new file mode 100644 index 00000000..f88db6ee --- /dev/null +++ b/malware/malware--f79355e1-6d17-4d9a-83f7-6d3a985bddb4.json 
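Review bot: Grammar in the description — "a publicly available backdoor name GoBot2" should read "named GoBot2": `"description": "Modified version of a publicly available backdoor named GoBot2. Modifications are mainly evasion techniques specific to South Korea."`. Since the text identifies the family as a backdoor, `"malware_types": ["backdoor"]` fits the STIX 2.1 malware-type-ov better than `"unknown"`. The derivation from GoBot2 is currently only recoverable from prose; if GoBot2 is (or will be) modelled as its own malware object, a STIX `relationship` of type `variant-of` would let consumers pivot between the two families.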
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--1e6e4e78-2d3f-496b-9af5-4b33fe872e3e", + "objects": [ + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--f79355e1-6d17-4d9a-83f7-6d3a985bddb4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.149Z", + "modified": "2020-02-05T20:28:16.149Z", + "name": "SearchAwesome", + "description": "Adware that intercepts encrypted web traffic to inject ads.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/searchawesome.md", + "external_id": "X0017" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_platform": [ + "Mac OSX" + ], + "x_mitre_year": "2018" + } + ] +} \ No newline at end of file diff --git a/marking-definition/marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3.json b/marking-definition/marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3.json new file mode 100644 index 00000000..6bc7f4a0 --- /dev/null +++ b/marking-definition/marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3.json @@ -0,0 +1,16 @@ +{ + "type": "bundle", + "id": "bundle--dc25ea92-17c2-451c-82d5-d2795920b3e3", + "objects": [ + { + "type": "marking-definition", + "spec_version": "2.1", + "id": "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3", + "created": "2020-01-01T00:00:00.000Z", + "definition_type": "statement", + "definition": { + "statement": "Copyright (c) 2020, The MITRE Corporation. All rights reserved." + } + } + ] +} \ No newline at end of file diff --git a/mbc.json b/mbc.json new file mode 100644 index 00000000..daea70f9 --- /dev/null +++ b/mbc.json 
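Review bot: `"x_mitre_platform": ["Mac OSX"]` is the only non-Windows platform value in these files and uses a spelling that matches neither "OS X" nor the current "macOS"; because this is a free-form custom string, nothing stops it drifting between files, so either pin a controlled vocabulary (e.g. `"macOS"`) or use the standard STIX 2.1 `operating_system_refs` property. "Adware that intercepts encrypted web traffic to inject ads." should be typed `"malware_types": ["adware"]` rather than `"unknown"`. Intercepting encrypted traffic implies some form of TLS interception on the host, which is a capability worth surfacing (the STIX `capabilities` property or an MBC behavior reference) rather than leaving only in prose — but I have not verified the details of the cited Malwarebytes article.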
@@ -0,0 +1,10435 @@ +{ + "type": "bundle", + "id": "bundle--b7c3b088-ea5d-4ccb-bc75-29d4c7ea71ca", + "objects": [ + { + "type": "identity", + "spec_version": "2.1", + "id": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-01-01T00:00:00.000Z", + "modified": "2020-01-01T00:00:00.000Z", + "name": "The MITRE Corporation", + "identity_class": "organization", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.467Z", + "modified": "2020-02-05T20:28:15.467Z", + "name": "Data Encrypted for Impact", + "description": "Malware may encrypt files stored on the system to prevent user access until a ransom is paid and/or to interrupt system availability. The encryption process usually iterates over all letter drives in the system (except for CD drives) and then recursively encrypts all files with specific suffixes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/encrypt-impact.md", + "external_id": "E1486" + }, + { + "source_name": "external_source", + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/" + }, + { + "source_name": "external_source", + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1486/", + "external_id": "T1486" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1471/", + "external_id": "T1471" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--34f875d3-da11-4112-bfd8-fe2d9deaf609", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.342Z", + "modified": "2020-02-05T20:28:15.342Z", + "name": "Automated Exfiltration", + "description": "Malware may exfiltrate data via automated processing or scripting.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/auto-exfiltrate.md", + "external_id": "E1020" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1020/", + "external_id": "T1020" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--9d154966-e9a9-444e-80cf-cd4c95e877bc", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.444Z", + "modified": "2020-02-05T20:28:15.444Z", + "name": "Setuid and Setgid", + "description": "Malware may take advantage of setuid or setgid bits in Linux or macOS applications to elevate privilege or for persistence.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/setuid-setgid.md", + "external_id": "T1166" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1166", + "external_id": "T1166" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--0d36eb1b-4454-435f-9e8c-285d235341c7", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.122Z", + "modified": "2020-02-05T20:28:15.122Z", + "name": "Data from Removable Media", + "description": "Malware collects from removable media connected to the compromised system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/data-removable-media.md", + "external_id": "T1025" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1025/", + "external_id": "T1025" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--6d80c035-3515-48dc-91cd-9c14c888fbc6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.490Z", + "modified": "2020-02-05T20:28:15.490Z", + "name": "Service Stop", + "description": "Malware may stop or disable services on a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/service-stop.md", + "external_id": "T1489" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1489/", + "external_id": "T1489" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b176779c-a4df-49a4-993e-e424a114b73a", + 
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.254Z", + "modified": "2020-02-05T20:28:15.254Z", + "name": "Custom Cryptographic Protocol", + "description": "Malware may use a custom cryptographic protocol to hide command and control communications.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/custom-crypto-protocol.md", + "external_id": "T1024" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1024/", + "external_id": "T1024" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--55d0d35e-668a-45dc-a727-c7446b3e5d08", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.340Z", + "modified": "2020-02-05T20:28:15.340Z", + "name": "Exfiltration Over Other Network Medium", + "description": "Malware may exfiltrate data via a different network medium than the command and control channel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/exfil-over-other-network-medium.md", + "external_id": "T1011" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1011/", + "external_id": "T1011" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d20ad1d9-e3df-499c-b7a8-84c67eb64144", + "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.351Z", + "modified": "2020-02-05T20:28:15.351Z", + "name": "Indicator Removal on Host", + "description": "Malware may delete artifacts on the infected system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/indicator-remove-host.md", + "external_id": "T1070" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1070", + "external_id": "T1070" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ca41dedd-dddb-45bb-bbf7-ef5a17b1b4f5", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.413Z", + "modified": "2020-02-05T20:28:15.413Z", + "name": "Alternative Installation Location", + "description": "Malware may install itself not as a file on the hard drive.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/alter-install-location.md", + "external_id": "M0027" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Stores itself in memory.", + "name": "Fileless Malware" + }, + { + "definition": "Stores itself in the Windows registry.", + "name": "Registry Install" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": 
"attack-pattern--d6513614-2072-4aa9-b5fe-9bbb3994ab30", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.212Z", + "modified": "2020-02-05T20:28:15.212Z", + "name": "Network Share Discovery", + "description": "Malware may discover and/or scan shared network drives.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/network-share-discover.md", + "external_id": "T1135" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1135", + "external_id": "T1135" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ebf911df-6135-42a8-a9f5-76676f546d4a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.198Z", + "modified": "2020-02-05T20:28:15.198Z", + "name": "Memory Dump Evasion", + "description": "Malware hinders retrieval and/or discovery of the contents of the physical memory of the system on which the malware instance is executing [[1]](#1).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-memory-dump.md", + "external_id": "M0006" + }, + { + "source_name": "external_source", + "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" + }, + { + "source_name": "external_source", + "url": "http://waleedassar.blogspot.com/search/label/anti-dump" + }, + { + "source_name": "external_source", + "url": "https://www.gironsec.com/code/packers.pdf" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Encrypt the executing malware instance code in memory.", + "name": "Code Encryption in Memory" + }, + { + "definition": "Erase PE header from memory.", + "name": "Erase the PE header" + }, + { + "definition": "Hide arbitrary segments of virtual memory.", + "name": "Hide virtual memory" + }, + { + "definition": "Set the SizeOfImage field of PEB.LoaderData to be huge.", + "name": "SizeOfImage" + }, + { + "definition": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).", + "name": "Tampering" + }, + { + "definition": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", + "name": "Guard Pages" + }, + { + "definition": "Resolve API addresses before each use to prevent complete dumping.", + "name": "On-the-Fly APIs" + }, + { + "definition": "API behavior can be altered to prevent memory dumps. For example, inaccurate data can be reported when the contents of the physical memory of the system on which the malware instance is executing is retrieved. See [Hooking](https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/hooking.md).", + "name": "Feed Misinformation" + }, + { + "definition": "flow opcodes (e.g., jumps, loops) are removed and emulated (or decrypted) by the packer during execution, resulting in incorrect dumps. 
[[4]](#4)", + "name": "Flow Opcode Obstruction" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--731ecd6a-9782-4272-84f3-f4d5ff3732e0", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.446Z", + "modified": "2020-02-05T20:28:15.446Z", + "name": "Credentials in Web Browsers", + "description": "Malware may acquire credentials from web browsers by reading files specific to the target browser.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/credentials-in-web-browsers.md", + "external_id": "T1503" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1503/", + "external_id": "T1503" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--67291481-c3c0-4b34-86c9-fa2b7694c706", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.164Z", + "modified": "2020-02-05T20:28:15.164Z", + "name": "Executable Code Optimization", + "description": "Code is optimized, making it harder to statically analyze.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/exe-code-optimize.md", + "external_id": "M0034" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Minification_(programming)" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": 
"Relative operands of jumps and calls into are made absolute (better compression). May confuse some basic block detection algorithms.", + "name": "Jump/Call Absolute Address" + }, + { + "definition": "Minification is 'the process of removing all unnecessary characters from source code without changing its functionality.' [[1]](#1) A simple example is when all the unnecessary whitespace and comments are removed. Minification is distinguished from compression in that it neither adds to nor changes the code seen by the interpreter. Minification is often used for malware written in interpreted languages, such as JavaScript, PHP, or Python. Legitimate code that is transmitted many times a second, such as JavaScript on websites, often uses minification to simply reduce the number of bytes transmitted.", + "name": "Minification" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--58e6e2a9-7074-4fb6-930d-3177a4302737", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.375Z", + "modified": "2020-02-05T20:28:15.375Z", + "name": "Binary Padding", + "description": "Malware is padded to increase its size beyond what security tools can handle or to change its hash.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/binary-pad.md", + "external_id": "T1009" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1009", + "external_id": "T1009" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--613f0744-5c1e-4ed1-a79e-ea132e27e085", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": 
"2020-02-05T20:28:15.115Z", + "modified": "2020-02-05T20:28:15.115Z", + "name": "Distributed Component Object Model", + "description": "Malware may use Windows Distributed Component Object Model (DCOM) for lateral movement.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/distributed-comp-obj-model.md", + "external_id": "T1175" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1175", + "external_id": "T1175" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1c4e8b61-bdb4-4ff5-bbf2-10dda4b276da", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.304Z", + "modified": "2020-02-05T20:28:15.304Z", + "name": "Scripting", + "description": "Malware may use scripts to bypass process monitoring mechanisms (e.g., VBScript). 
Malicious scripts can be embedded in Microsoft Office documents, which will execute when the document is opened or when the user enables and runs the macro.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/scripting.md", + "external_id": "T1064" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1064", + "external_id": "T1064" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.302Z", + "modified": "2020-02-05T20:28:15.302Z", + "name": "Conditional Execution", + "description": "Malware checks system environment conditions or characteristics to determine execution path. For example, malware may not run or be dormant unless system conditions are right, or file that is dropped may vary according to execution environment. 
Conditional execution happens autonomously, not because of an attacker's command.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/conditional-execute.md", + "external_id": "M0025" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Malware terminates its execution based on a trigger condition or value (or because it has completed).", + "name": "Suicide Exit" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d1db8aeb-d1f6-466c-bf30-38d6ad72ade7", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.106Z", + "modified": "2020-02-05T20:28:15.106Z", + "name": "Secondary CPU Execution (THEORETICAL)", + "description": "Executes some or all of the code of the malware instance on a secondary, non-CPU processor (e.g., graphics processing unit (GPU)). 
This behavior is not included in the MBC because no real world examples have been found.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/theoretical-behaviors/second-cpu-exe.md", + "external_id": "M0015" + }, + { + "source_name": "external_source", + "url": "https://arstechnica.com/information-technology/2015/05/gpu-based-rootkit-and-keylogger-offer-superior-stealth-and-computing-power/" + }, + { + "source_name": "external_source", + "url": "http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf" + }, + { + "source_name": "external_source", + "url": "https://news.softpedia.com/news/New-Malware-Pieces-Run-Completely-on-Graphics-Card-480809.shtml" + }, + { + "source_name": "external_source", + "url": "https://news.softpedia.com/news/intel-researchers-gpu-based-malware-not-as-scary-as-intitially-thought-490490.shtml" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--3df182e8-9ada-4e1e-874c-8bc8d7fa7c1c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.125Z", + "modified": "2020-02-05T20:28:15.125Z", + "name": "Access Sensitive Data or Credentials in Files", + "description": "Malware accesses files that contain sensitive data or credentials (e.g., passwords). 
Access of Bitcoin and other cryptocurrency wallets also fall under this behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/access-sensitive-data.md", + "external_id": "E1409" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1409/", + "external_id": "T1409" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--3968a5bc-ed1f-4abf-a978-05f84d4cbf5c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.398Z", + "modified": "2020-02-05T20:28:15.398Z", + "name": "Exploitation for Defense Evasion", + "description": "Malware may exploit a software vulnerability in defensive security software to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/exploit-for-defense.md", + "external_id": "T1211" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1211", + "external_id": "T1211" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1e98510a-2454-445e-9942-47a5686f2bbd", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.279Z", + "modified": "2020-02-05T20:28:15.279Z", + "name": "Dynamic Data Exchange", + "description": "Malware may use Windows 
Dynamic Data Exchange (DDE) to execute commands.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/dynamic-data-ex.md", + "external_id": "T1173" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1173", + "external_id": "T1173" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.394Z", + "modified": "2020-02-05T20:28:15.394Z", + "name": "Disabling Security Tools", + "description": "Malware may disable security tools to avoid detection. Security tools include OS security features and updating tools, anti-virus (AV) tools, firewalls, tool components providing security related logging and/or reporting, and Antimalware Scan Interface (AMSI) related capabilities.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/disable-security-tools.md", + "external_id": "E1089" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1089/", + "external_id": "T1089" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Bypasses or disables kernel patch protection mechanisms such as Windows' 
PatchGuard, enabling the malware instance to operate at the same level as the operating system kernel and kernel mode drivers (KMD).", + "name": "Disable Kernel Patch Protection" + }, + { + "definition": "Disables system file overwrite protection mechanisms such as Windows file protection, thereby enabling system files to be modified or replaced.", + "name": "Disable System File Overwrite Protection" + }, + { + "definition": "Security products may hook APIs to monitor the behavior of malware. To avoid being found, malware may load DLLs in memory and overwrite their bytes.", + "name": "Unhook APIs" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7ea4b671-1dba-4990-9c5c-f36ae7ea1cbe", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.265Z", + "modified": "2020-02-05T20:28:15.265Z", + "name": "Web Service", + "description": "Malware may use existing external Web services for relaying C2 commands.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/web-service.md", + "external_id": "T1102" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1102/", + "external_id": "T1102" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--915a827a-d63c-46f0-ad85-0e2bf894c527", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.136Z", + "modified": "2020-02-05T20:28:15.136Z", + "name": "Automated Collection", + "description": "Malware uses automated techniques for collecting system 
data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/auto-collect.md", + "external_id": "T1119" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1119/", + "external_id": "T1119" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.150Z", + "modified": "2020-02-05T20:28:15.150Z", + "name": "Executable Code Obfuscation", + "description": "Executable code can be obfuscated to hinder disassembly and static code analysis. This behavior is specific to a malware sample's executable code (data and text sections).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/exe-code-obfuscate.md", + "external_id": "M0032" + }, + { + "source_name": "external_source", + "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" + }, + { + "source_name": "external_source", + "url": "https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/" + }, + { + "source_name": "external_source", + "description": "Rob Simmons, \"Comparing Malicious Files,\" BSides, 2019.", + "url": "http://www.irongeek.com/i.php?page=videos/bsidescharm2019/2-04-comparing-malicious-files-robert-simmons" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Instead 
of storing function names in the Import Address Table (IAT) and calling GetProcAddress, a DLL is loaded and the name of each of its exports is hashed until it matches a specific hash. Manual symbol resolution is then used to access and execute the exported function. This method is often used by shellcode because it reduces the size of each import from a human-readable string to a sequence of four bytes. The Method is also known as \"Imports by Hash\" and \"GET_APIS_WITH_CRC.\" [[1]](#1)", + "name": "API Hashing" + }, + { + "definition": "Insert code to impede disassembly.\n * *Dead Code Insertion*: Include \"dead\" code with no real functionality.\n * *Fake Code Insertion*: Add fake code similar to known packers or known goods to fool identification. Can confuse some automated unpackers.\n * *Jump Insertion*: Insert jumps to make analysis visually harder.\n * *Thunk Code Insertion*: Variation on Jump Insertion. Used by some compilers for user-generated functions.\n * *Junk Code Insertion*: Insert dummy code between relevant opcodes. Can make signature writing more complex.", + "name": "Code Insertion" + }, + { + "definition": "Obfuscate data values through indirection of local or global variables. For example, the instruction *if (a == 0) do x* can be obfuscated by setting a global variable, *Z*, to zero and using it in the instruction: *if (a==Z) do x*. [NEEDS REVIEW]", + "name": "Data Value Obfuscation" + }, + { + "definition": "Obfuscate the entry point of the malware executable.", + "name": "Entry Point Obfuscation" + }, + { + "definition": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", + "name": "Guard Pages" + }, + { + "definition": "Obfuscate the import address table.", + "name": "Import Address Table Obfuscation" + }, + { + "definition": "Store and load imports with a compact import table format. 
Each DLL needed by the executable is mentioned in the IAT, but only one function from each/most is imported; the rest are imported via GetProcAddress calls.", + "name": "Import Compression" + }, + { + "definition": "Jump after the first byte of an instruction to confuse disassembler.", + "name": "Instruction Overlap" + }, + { + "definition": "Split code into sections that may be rearranged and are connected by unconditional jumps.", + "name": "Interleaving Code" + }, + { + "definition": "Merge all sections resulting in just one entry in the sections table to make readability more difficult. May affect some detection signatures if written to be section dependent.", + "name": "Merged Code Sections" + }, + { + "definition": "", + "name": "Structured Exception Handling (SEH)" + }, + { + "definition": "Build and decrypt strings on the stack at each use, then discard to avoid obvious references.", + "name": "Stack Strings" + }, + { + "definition": "Remove or rename symbolic information commonly inserted by compilers for debugging purposes.", + "name": "Symbol Obfuscation" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--257eb250-d032-4eb8-a440-41fe91633738", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.221Z", + "modified": "2020-02-05T20:28:15.221Z", + "name": "Peripheral Device Discovery", + "description": "Malware may try to get information about peripheral devices.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/peripheral-device-discover.md", + "external_id": "T1120" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1120", + "external_id": "T1120" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--6246be32-1085-40b4-aa18-6ead153e84fc", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.318Z", + "modified": "2020-02-05T20:28:15.318Z", + "name": "Kernel Modules and Extensions", + "description": "Malware may use loadable kernel modules to persist on a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/kernel-modules-ext.md", + "external_id": "T1215" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1215", + "external_id": "T1215" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1ab23a6a-e131-4321-be30-7f3f3861dac0", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.275Z", + "modified": "2020-02-05T20:28:15.275Z", + "name": "Prevent Concurrent Execution", + "description": "To avoid running multiple instances of itself, malware may check a system to see if it is already running.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/prevent-concurrent-exe.md", + "external_id": "M0024" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_bagle.u" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + 
"spec_version": "2.1", + "id": "attack-pattern--05dab55a-36c8-47d0-9a60-28f19fe18cdf", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.335Z", + "modified": "2020-02-05T20:28:15.335Z", + "name": "Data Encrypted", + "description": "Malware may obfuscate data via encryption or encoding before exfiltration.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/data-encrypted.md", + "external_id": "E1022" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1022/", + "external_id": "T1022" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--6fcd4fe2-3997-4591-91e9-987fba8a79fa", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.424Z", + "modified": "2020-02-05T20:28:15.424Z", + "name": "Regsvr32", + "description": "Malware may use the Regsvr32.exe command-line program to execute binary code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/regsvr32.md", + "external_id": "T1117" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1117", + "external_id": "T1117" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7aef87fb-3c58-4545-9566-c63439e68c55", + "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.333Z", + "modified": "2020-02-05T20:28:15.333Z", + "name": ".bash_profile and .bashrc", + "description": "Malware may insert code into these Linux and macOS files to gain persistence.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/bash.md", + "external_id": "T1156" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1156", + "external_id": "T1156" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--6dd00b46-cafd-4eab-9a94-1cae503e089a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.135Z", + "modified": "2020-02-05T20:28:15.135Z", + "name": "Location Tracking", + "description": "Malware tracks a system's physical location.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/location-track.md", + "external_id": "T1430" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1430/", + "external_id": "T1430" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--4c4599cf-a384-46fa-83f2-f05967673158", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.273Z", + "modified": "2020-02-05T20:28:15.273Z", + "name": "PowerShell", + "description": "Malware may use PowerShell to 
execute code on a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/power-shell.md", + "external_id": "T1086" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1086", + "external_id": "T1086" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--6c58676d-57be-4bbc-a9b2-54a11098ca12", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.193Z", + "modified": "2020-02-05T20:28:15.193Z", + "name": "Emulator Evasion", + "description": "Behaviors that obstruct analysis in an emulator.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-emulator.md", + "external_id": "M0005" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.219Z", + "modified": "2020-02-05T20:28:15.219Z", + "name": "File and Directory Discovery", + "description": "Malware may enumerate files and/or directories.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/file-and-directory-discover.md", + "external_id": 
"T1083" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1083", + "external_id": "T1083" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--3b3c03d0-8e57-4e10-b3bd-ef53515afc92", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.405Z", + "modified": "2020-02-05T20:28:15.405Z", + "name": "Virtualization/Sandbox Evasion", + "description": "Malware may check for the presence or a virtual machine or sandbox to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/virtualization-sandbox-evade.md", + "external_id": "T1497" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1497", + "external_id": "T1497" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f7768d3e-3a55-4876-8793-4e78d68f3a38", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.465Z", + "modified": "2020-02-05T20:28:15.465Z", + "name": "Endpoint Denial of Service", + "description": "Malware may make a system unavailable, for example, by locking a user out of a system. 
The ATT&CK technique, [Lock User Out of Device](https://attack.mitre.org/techniques/T1446/), pertains to the Android platform; the technique [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499/) is applicable to other platforms.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/endpoint-denial-of-service.md", + "external_id": "T1499" + }, + { + "source_name": "external_source", + "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1499/", + "external_id": "T1499" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1446/", + "external_id": "T1446" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Locks user out of a system.", + "name": "User Lock Out" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a49e3ab1-4f38-49b4-8bb2-5bf5778ae503", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.450Z", + "modified": "2020-02-05T20:28:15.450Z", + "name": "Credentials in Registry", + "description": "Malware may query the Registry looking for credentials and passwords.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/credentials-in-registry.md", + "external_id": "T1214" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1214/", + "external_id": "T1214" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--90087c64-921d-4aef-bbb4-8fad5ba7c812", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.309Z", + "modified": "2020-02-05T20:28:15.309Z", + "name": "Office Application Startup", + "description": "Malware may use a mechanism with Office for persistence when an Office-based application is started.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/office-app-startup.md", + "external_id": "T1137" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1137", + "external_id": "T1137" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ecef682a-60cb-46a6-a7af-c90b4d679669", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.415Z", + "modified": "2020-02-05T20:28:15.415Z", + "name": "NTFS File Attributes", + "description": "Malware may store malicious data in file attribute metadata.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/ntfs-file-attr.md", + "external_id": "T1096" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1096/", + "external_id": "T1096" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": 
"attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.118Z", + "modified": "2020-02-05T20:28:15.118Z", + "name": "Data from Local System", + "description": "Malware collects sensitive data from local system sources.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/data-local-system.md", + "external_id": "T1005" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1005/", + "external_id": "T1005" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--0bee0786-1469-4d9d-8887-acd8fb6fe95e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.248Z", + "modified": "2020-02-05T20:28:15.248Z", + "name": "Connection Proxy", + "description": "Malware may use a connection proxy to manage command and control communications.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/connect-proxy.md", + "external_id": "T1090" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1090/", + "external_id": "T1090" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": 
"attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.475Z", + "modified": "2020-02-05T20:28:15.475Z", + "name": "Generate Fraudulent Advertising Revenue", + "description": "Malware may generate advertising revenue by generating clicks of advertising links. The ATT&CK technique, [Generate Fraudulent Advertising Revenue](https://attack.mitre.org/techniques/T1472/), pertains only to mobile platform, but the behavior is applicable to other platforms as well.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/generate-fraud-rev.md", + "external_id": "E1472" + }, + { + "source_name": "external_source", + "url": "https://www.itworld.com/article/2734253/security/behind-the--massive--malware-ad-revenue-fraud-case.html" + }, + { + "source_name": "external_source", + "url": "https://www.fipp.com/news/insightnews/what-are-the-nine-types-of-digital-ad-fraud" + }, + { + "source_name": "external_source", + "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1472/", + "external_id": "T1472" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Malware alters DNS server settings to route to a rogue DNS server: when the user clicks on a search result link displayed through a search engine query, malware re-routes the user to different website. 
Instead of going to the requested site, the user is taken to an alternate website such that the click triggers payment to the threat actor. [[1]](#1)", + "name": "Click Hijacking" + }, + { + "definition": "Malware injects ad windows onto websites the user is views. [[2]](#2)", + "name": "Advertisement Replacement Fraud" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a8037627-051d-48fe-8c03-5d78b9293f0c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.231Z", + "modified": "2020-02-05T20:28:15.231Z", + "name": "Remote System Discovery", + "description": "Malware may try to get a list of network-accessible systems (by IP address or hostname).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/remote-sys-discover.md", + "external_id": "T1018" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1018", + "external_id": "T1018" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--9204fe33-1848-4be0-a1f6-0fc2841a9753", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.233Z", + "modified": "2020-02-05T20:28:15.233Z", + "name": "Self Discovery", + "description": "Malware may gather information about itself, such as its filename or size on disk.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/self-discover.md", + "external_id": "M0038" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b71f0bb4-21ef-46c1-b37c-7df65de756a4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.208Z", + "modified": "2020-02-05T20:28:15.208Z", + "name": "Local Network Configuration Discovery", + "description": "Android malware may try to get details of on-board network interfaces through the java.net.NetworkInterface class.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/local-network-configuration-discover.md", + "external_id": "T1422" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1422", + "external_id": "T1422" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fe182cf0-6215-458b-9b49-7a8b23aa430c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.447Z", + "modified": "2020-02-05T20:28:15.447Z", + "name": "LLMNR/NBT-NS Poisoning", + "description": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. 
Malware may spoof an authoritative source, poisoning the service.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/LLMNR-poison.md", + "external_id": "T1171" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1171/", + "external_id": "T1171" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a1f1b921-b815-4311-93c2-6c98a333fd5d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.215Z", + "modified": "2020-02-05T20:28:15.215Z", + "name": "Query Registry", + "description": "Malware may gather information from the Windows registry.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/query-registry.md", + "external_id": "T1012" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1012", + "external_id": "T1012" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--9ca32a1e-0f84-42d6-8be0-fccf0934a123", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.411Z", + "modified": "2020-02-05T20:28:15.411Z", + "name": "Polymorphic Code", + "description": "Polymorphic code, a file with the same functionality but different execution, is created, often on the fly, making it difficult to detect. 
This behavior includes metamorphic code where the code is changed (not just executed differently), but with the behavior the same. Polymorphic Code behavior is typically identified through analysis of related samples.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/polymorphic-code.md", + "external_id": "M0029" + }, + { + "source_name": "external_source", + "url": "https://www.mccormick.northwestern.edu/eecs/documents/tech-reports/2010-2014/evaluating-android-anti-malware-against-transformation-attacks.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "A packer stub can generate polymorphic code.", + "name": "Packer Stub" + }, + { + "definition": "[[1]](#1)", + "name": "Call Indirections" + }, + { + "definition": "[[1]](#1)", + "name": "Code Reordering" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f42d3d87-e374-4114-bc93-a52cae45e3d0", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.401Z", + "modified": "2020-02-05T20:28:15.401Z", + "name": "Redundant Access", + "description": "Malware may use more than one type of access for persistence and to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/redundant-access.md", + "external_id": "T1108" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1108", + "external_id": "T1108" + } + ], + 
"object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e9f0d1de-13f3-499a-a0ee-32fe37912720", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.409Z", + "modified": "2020-02-05T20:28:15.409Z", + "name": "Boot Sector Modification", + "description": "The boot sectors of a hard drive are modified (e.g., Master Boot Record (MBR)). ATT&CK associates bootkits with the Persistence. See ATT&CK: [**Bootkit**](https://attack.mitre.org/techniques/T1067/).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/boot-sector-mod.md", + "external_id": "M0028" + }, + { + "source_name": "external_source", + "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1067/", + "external_id": "T1067" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--587a54c2-89ae-42aa-9504-b820378e2aff", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.110Z", + "modified": "2020-02-05T20:28:15.110Z", + "name": "Remote Desktop Protocol", + "description": "Malware may connect to a remote system over Remote Desktop Protocol.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/remote-desktop-protocol.md", + "external_id": "T1076" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1076", + "external_id": "T1076" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--584bb03d-6bdb-4385-a52a-e2a80d58b1e7", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.133Z", + "modified": "2020-02-05T20:28:15.133Z", + "name": "Microphone or Camera Capture", + "description": "Malware records activities using the device microphone and/or camera.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/micro-cam-capture.md", + "external_id": "T1429" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1429/", + "external_id": "T1429" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1512/", + "external_id": "T1512" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1429/", + "external_id": "T1429" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--929e0835-9197-42d0-9a00-95b7b4e13dcb", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.281Z", + "modified": "2020-02-05T20:28:15.281Z", + "name": "User Interaction", + "description": "Malware may include code that relies on specific actions by a user to execute. 
Note that this MBC behavior differs from [User Execution](https://attack.mitre.org/techniques/T1204) in that it does do not include direct code execution (user action for *initial* execution) - MBE does not encompass ATT&CK's Initial Access Tactic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/user-interaction.md", + "external_id": "E1204" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1204", + "external_id": "T1204" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--5010e76c-7f54-467d-8042-90ff48523dd2", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.278Z", + "modified": "2020-02-05T20:28:15.278Z", + "name": "Remote Commands", + "description": "Malware may provide an attacker with explicit commands. 
This behavior differs from the [Remote Access](https://github.com/MBCProject/mbc-markdown/blob/master/impact/remote-access.md) behavior under the [Impact](https://github.com/MBCProject/mbc-markdown/tree/master/impact) objective in that *Impact: Remote Access* is potentially much broader and may include full remote access.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/remote-commands.md", + "external_id": "M0011" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "", + "name": "Delete File" + }, + { + "definition": "", + "name": "Download File" + }, + { + "definition": "", + "name": "Execute" + }, + { + "definition": "", + "name": "Shutdown" + }, + { + "definition": "", + "name": "Sleep" + }, + { + "definition": "", + "name": "Uninstall" + }, + { + "definition": "", + "name": "Upload File" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--6406f5d5-3adb-4855-ba12-87b3f9e7fb28", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.267Z", + "modified": "2020-02-05T20:28:15.267Z", + "name": "Data Obfuscation", + "description": "Malware hides its command and control information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/data-obfuscate.md", + "external_id": "T1001" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1001/", + "external_id": "T1001" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + 
}, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f2f10f49-dd06-4323-aedd-7806286c6529", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.453Z", + "modified": "2020-02-05T20:28:15.453Z", + "name": "Account Manipulation", + "description": "Malware may manipulate accounts to maintain access to credentials or permission levels.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/acct-manipulate.md", + "external_id": "T1098" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1098/", + "external_id": "T1098" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c969317c-d5ec-4886-91d5-6ed12aef2fd7", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.431Z", + "modified": "2020-02-05T20:28:15.431Z", + "name": "File System Permissions Weakness", + "description": "Malware may exploit a software vulnerability to escalate privileges.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/file-system-perm-weakness.md", + "external_id": "T1044" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1044", + "external_id": "T1044" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", 
+ "spec_version": "2.1", + "id": "attack-pattern--101d8709-b8d4-4604-a835-b122f1ecb227", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.319Z", + "modified": "2020-02-05T20:28:15.319Z", + "name": "New Service", + "description": "Malware may install a new service to gain persistence or to escalate privileges (from administrator to SYSTEM).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/new-service.md", + "external_id": "T1050" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1050", + "external_id": "T1050" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c12572b5-e25b-4ef9-944a-81d81050323e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.343Z", + "modified": "2020-02-05T20:28:15.343Z", + "name": "Exfiltration Over Command and Control Channel", + "description": "Malware may exfiltrate data via the command and control channel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/exfil-over-c2-channel.md", + "external_id": "T1041" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1041/", + "external_id": "T1041" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": 
"attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--739c387d-4465-421d-9b6b-51ca77c52a0d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.406Z", + "modified": "2020-02-05T20:28:15.406Z", + "name": "Code Signing", + "description": "Malware code is digitally signed to appear as legitimate software.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/code-signing.md", + "external_id": "T1116" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1116", + "external_id": "T1116" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--131c6f15-5bc4-4583-9b8d-ea06ef139d0b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.481Z", + "modified": "2020-02-05T20:28:15.481Z", + "name": "Inhibit System Recovery", + "description": "Malware may delete OS data and turn off services designed to provide system recovery.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/inhibit-system-recovery.md", + "external_id": "T1490" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1490/", + "external_id": "T1490" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--139411fc-5539-4254-825c-12a9d5b3973b", + "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.378Z", + "modified": "2020-02-05T20:28:15.378Z", + "name": "Image File Execution Options Injection", + "description": "Malware may use Image File Execution Options to launch a process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/image-file-exe-opt-inj.md", + "external_id": "T1183" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1183", + "external_id": "T1183" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--af8dfa93-7114-43fc-b57a-d1a3c61c4acd", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.207Z", + "modified": "2020-02-05T20:28:15.207Z", + "name": "Emulator Detection", + "description": "Detects whether the malware instance is being executed inside an emulator. 
If so, conditional execution selects a benign execution path.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/detect-emulator.md", + "external_id": "M0004" + }, + { + "source_name": "external_source", + "url": "http://unprotect.tdgt.org/index.php/Sandbox_Evasion" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Checks whether particular files (e.g., QEMU files) exist.", + "name": "Check for Emulator-related Files" + }, + { + "definition": "Checks for WINE via the `get_wine_version` function from WINE's `ntdll.dll`.", + "name": "Check for WINE Version" + }, + { + "definition": "Emulators register artifacts in the registry, which can be detected by malware. For example, installation of QEMU results in the registry key: *HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0* with value=*Identifier* and data=*QEMU*, or registry key: *HARDWARE\\Description\\System* with value=*SystemBiosVersion* and data=*QEMU*. 
[[1]](#1)", + "name": "Check Emulator-related Registry Keys" + }, + { + "definition": "Some emulated systems fail to handle some network communications; such failures will indicate the emulated environment.", + "name": "Failed Network Connections" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--82db8cfb-f51f-4903-b652-cd8a2e4166fa", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.492Z", + "modified": "2020-02-05T20:28:15.492Z", + "name": "Exploit Kit Behavior", + "description": "An Exploit Kit is a toolkit that exploits vulnerabilities in software to deliver malicious payloads (malware).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/exploit-kit-behavior.md", + "external_id": "E1190" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1190", + "external_id": "T1190" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fabff5fa-5d64-4167-9f95-6e25c35002ff", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.260Z", + "modified": "2020-02-05T20:28:15.260Z", + "name": "Standard Cryptographic Protocol", + "description": "Malware may use a standard cryptographic protocol to conceal command and control traffic or other data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/std-crypto-protocol.md", + "external_id": "T1032" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1032/", + "external_id": "T1032" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.256Z", + "modified": "2020-02-05T20:28:15.256Z", + "name": "Domain Name Generation", + "description": "Malware generates the domain name of the command and control server to which it connects. Access to on the fly domains enables C2 to operate as domains and IP addresses are blocked. The algorithm can be complicated in more advanced bots; understanding the details so that names can be predicted can be useful in mitigation and response.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/domain-name-generate.md", + "external_id": "M0031" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/" + }, + { + "source_name": "external_source", + "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1483/", + "external_id": "T1483" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--9ea6bec1-a908-422a-9154-28448b3ae618", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.283Z", + "modified": "2020-02-05T20:28:15.283Z", + "name": "Local Job Scheduling", + "description": "Malware may execute a program or script via local job scheduling (e.g., cron job) for execution or persistence purposes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/local-job-sch.md", + "external_id": "T1168" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1168/", + "external_id": "T1168" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--867bc93b-83c8-4bcd-876b-a8f190dd7de7", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.310Z", + "modified": "2020-02-05T20:28:15.310Z", + "name": "System Firmware", + "description": "Malware may overwrite the system firmware with malicious firmware that is difficult to detect and/or enables persistence.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/system-firmware.md", + "external_id": "T1019" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1109/", + "external_id": "T1109" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--3cf9e9ac-9280-4a8d-b8b3-976abc855055", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.337Z", + "modified": "2020-02-05T20:28:15.337Z", + "name": "Data Compressed", + "description": "Malware may compress data prior to exfiltration.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/data-compress.md", + "external_id": "T1002" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1002/", + "external_id": "T1002" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.214Z", + "modified": "2020-02-05T20:28:15.214Z", + "name": "System Information Discovery", + "description": "Malware may attempt to get detailed information about the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-info-discover.md", + "external_id": "T1082" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--58f11920-e04f-4935-864a-c2121842bf8d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.326Z", + "modified": 
"2020-02-05T20:28:15.326Z", + "name": "Browser Extensions", + "description": "Malware may add functionality to browsers or customize them with extensions or plugins.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/browser-extend.md", + "external_id": "T1176" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1176", + "external_id": "T1176" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.258Z", + "modified": "2020-02-05T20:28:15.258Z", + "name": "Uncommonly Used Port", + "description": "Malware may use an uncommon port to bypass poorly configured boundary controllers.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/uncommon-port.md", + "external_id": "T1065" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1065/", + "external_id": "T1065" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--422b0025-9286-4a11-812d-5494dab28d9a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.477Z", + "modified": 
"2020-02-05T20:28:15.477Z", + "name": "Resource Hijacking", + "description": "Uses system resources for other purposes; as a result, the system may not be available for intended uses.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/hijack-sys-resources.md", + "external_id": "M0018" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "external_source", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1496/", + "external_id": "T1496" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Consume system resources for the purpose of password cracking.", + "name": "Password Cracking" + }, + { + "definition": "Consume system resources to mine for cryptocurrency (e.g., Bitcoin, Litecoin, etc.).", + "name": "Cryptojacking" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--9bd44017-2ca1-4370-b06d-f55fd2071b6b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.117Z", + "modified": "2020-02-05T20:28:15.117Z", + "name": "Clipboard Data", + "description": "Malware collects data stored in the Windows clipboard.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/clipboard-data.md", + "external_id": "T1115" 
+ }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1115/", + "external_id": "T1115" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--8f470860-de90-44e9-b88f-4b188918bb7c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.270Z", + "modified": "2020-02-05T20:28:15.270Z", + "name": "Commonly Used Port", + "description": "Malware may use a common port to avoid detection of command and control activity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/common-port.md", + "external_id": "T1043" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1043/", + "external_id": "T1043" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1436/", + "external_id": "T1436" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--89685060-9bc7-48f1-aa8e-4c70f08f8935", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.396Z", + "modified": "2020-02-05T20:28:15.396Z", + "name": "Rundll32", + "description": "Malware may use the Rundll32.exe program to execute binary code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/rundll32.md", + 
"external_id": "T1085" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1085", + "external_id": "T1085" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--4c235631-ef76-4afc-9386-e1d9be003c44", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.140Z", + "modified": "2020-02-05T20:28:15.140Z", + "name": "Input Capture", + "description": "Malware captures user input.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/input-capture.md", + "external_id": "E1056" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1056/", + "external_id": "T1056" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Mouse events are captured.", + "name": "Mouse Events" + }, + { + "definition": "Keyboard events are captured.", + "name": "Keyboard Events" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.416Z", + "modified": "2020-02-05T20:28:15.416Z", + "name": "Deobfuscate/Decode Files or Information", + "description": "This behavior is the counterpart to [Obfuscated Files or 
Information](https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/obfuscate-files.md), which is used to hide artifacts of an intrusion.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/deobfuscate-files.md", + "external_id": "T1140" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1140", + "external_id": "T1140" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--65a87d14-443d-48bc-8056-af041b7092be", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.496Z", + "modified": "2020-02-05T20:28:15.496Z", + "name": "Disk Content Wipe", + "description": "The contents of a storage device are partially or completely wiped. 
Rather than selecting individual files (see [Data Destruction](https://github.com/MBCProject/mbc-markdown/tree/master/impact/data-destruction.md)), arbitrary data is destroyed.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/disk-content-wipe.md", + "external_id": "T1488" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1488/", + "external_id": "T1488" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1447/", + "external_id": "T1447" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--8063d2a0-1f1b-4210-a56d-4375aafda2a1", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.439Z", + "modified": "2020-02-05T20:28:15.439Z", + "name": "DLL Search Order Hijacking", + "description": "Malware may place a malicious DLL with the same name as a legitimate, but ambiguously specified, DLL in a location that Windows searches before the legitimate DLL (called a binary planting attack).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/dll-search-order-hijack.md", + "external_id": "T1038" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1038", + "external_id": "T1038" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--8ea02c43-667a-4db1-86f4-89cf99d7f6f9", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.230Z", + "modified": "2020-02-05T20:28:15.230Z", + "name": "Network Service Scanning", + "description": "Malware may try to a listing of services running on remotes hosts.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/network-service-scan.md", + "external_id": "T1046" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1046", + "external_id": "T1046" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fbe0f011-0dbb-4a6e-a860-32120311f74b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.175Z", + "modified": "2020-02-05T20:28:15.175Z", + "name": "Dynamic Analysis Evasion", + "description": "Malware may obstruct dynamic analysis in a sandbox, emulator, or virtual machine.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-dynamic-analysis.md", + "external_id": "M0003" + }, + { + "source_name": "external_source", + "url": "http://joe4security.blogspot.com/2013/06/overloading-sandboxes-new-generic.html" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" + }, + { + "source_name": 
"external_source", + "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf" + }, + { + "source_name": "external_source", + "url": "https://research.checkpoint.com/2019-resurgence-of-smokeloader/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Overloads a sandbox by generating a flood of meaningless behavioral data. [[1]](#1)", + "name": "Data Flood" + }, + { + "definition": "Inclusion of a demo binary/mode that is executed when token is absent or not enough privileged.", + "name": "Demo Mode" + }, + { + "definition": "Original file is written to disk then executed. May confuse some sandboxes, especially if the dropped executable must be provided specific arguments and the original dropper is not associated with the drop file(s).", + "name": "Drop Code" + }, + { + "definition": "Encode a file on disk, such as an implant's config file.", + "name": "Encode File" + }, + { + "definition": "execution happens when a particular file or directory is accessed, often through hooking certain API calls such as CreateFileA and CreateFileW.", + "name": "Hook File System" + }, + { + "definition": "modification of interrupt vector or descriptor tables.", + "name": "Hook Interrupt" + }, + { + "definition": "Creates an illusion; makes the analyst think something happened when it didn't.", + "name": "Illusion" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--03b4fd1e-96db-4c28-b9c7-18ef0510c129", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.216Z", + "modified": "2020-02-05T20:28:15.216Z", + "name": "Security Software Discovery", + "description": "Malware may try to get a listing of security software or defensive tools installed on the system. 
Note that security software aims to *detect/mitigate* malware on a system whereas analysis tools (see [Analysis Tool Discovery](https://github.com/MBCProject/mbc-markdown/blob/master/discovery/analysis-tool-discover.md)) are used to *analyze* malware.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/security-sw-discover.md", + "external_id": "T1063" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1063", + "external_id": "T1063" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b2a6969f-5b08-43e4-8f8f-1cef31ff37cc", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.372Z", + "modified": "2020-02-05T20:28:15.372Z", + "name": "Bypass User Account Control", + "description": "Malware bypasses Windows User Account Control.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/bypass-user-acct-cntl.md", + "external_id": "T1088" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1088", + "external_id": "T1088" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--37e2cfce-37c2-4a5a-a98e-3bf5b4cd9db6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.280Z", + 
"modified": "2020-02-05T20:28:15.280Z", + "name": "Execution through API", + "description": "Malware may execute via the Windows application programming interface (API).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/execution-via-api.md", + "external_id": "T1106" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1106", + "external_id": "T1106" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--21936a10-00e4-4e54-8fd7-00223e432cbf", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.114Z", + "modified": "2020-02-05T20:28:15.114Z", + "name": "Supply Chain Compromise", + "description": "The supply chain may be compromised to enable initial malware infection. 
Malware-related methods are listed below to supplement the information available defined in ATT&CK: [**Supply Chain Compromise**](https://attack.mitre.org/techniques/T1195/).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/supply-chain-compromise.md", + "external_id": "E1195" + }, + { + "source_name": "external_source", + "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1195/", + "external_id": "T1195" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Abusing enterprise certificates enables malware to exploit private APIs and infect a wide range of users (see *Exploit Private APIs* below).", + "name": "Abuse Enterprise Certificates" + }, + { + "definition": "Malware can exploit private APIs to infect jailbroken and non-jailbroken iOS devices. Research shows that over 100 apps in the App Store have abused private APIs and bypassed Apple’s strict code review.", + "name": "Exploit Private APIs" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7a79533e-479c-4272-8220-f639ca223b2e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.332Z", + "modified": "2020-02-05T20:28:15.332Z", + "name": "Malicious Network Driver", + "description": "Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. 
Once the drivers are installed on the host machines, they can re-infect the server if it is restarted (persistence), can infect other machines on the network (lateral movement), and can redirect traffic on the network.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/malicious-network-drv.md", + "external_id": "M0026" + }, + { + "source_name": "external_source", + "url": "https://www.zdnet.com/article/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--65fe37b4-19b9-4630-8d51-5afd6dc3234d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.403Z", + "modified": "2020-02-05T20:28:15.403Z", + "name": "Indicator Blocking", + "description": "Malware blocks indicators or events that would indicate malicious activity. 
Methods relevant to the malware domain are below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/indicator-blocking.md", + "external_id": "E1054" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1054/", + "external_id": "T1054" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Malware captures the message body of incoming SMS messages and aborts displaying messages that meets a certain criteria.", + "name": "Remove SMS Warning Messages" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--916ef5a6-4865-4da7-bd65-664a0bdd536a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.345Z", + "modified": "2020-02-05T20:28:15.345Z", + "name": "Exfiltration Over Physical Medium", + "description": "Malware may exfiltrate data via a physical medium or device (e.g., USB drive).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "exfiltration" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/exfil-over-physical-medium.md", + "external_id": "T1052" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1052/", + "external_id": "T1052" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--5d6f607a-b64e-4b25-ba0c-0ed3854f4557", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.218Z", + "modified": 
"2020-02-05T20:28:15.218Z", + "name": "System Network Connections Discovery", + "description": "Malware may try to get a listing of network connections to/from the compromised system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-network-conn-discover.md", + "external_id": "T1049" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1049", + "external_id": "T1049" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--df815f03-3c56-4fc7-a443-e6ce5e002664", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.268Z", + "modified": "2020-02-05T20:28:15.268Z", + "name": "C2 Communication", + "description": "All command and control malware use client/server communication. The methods listed below can be used to capture explicit communication details. 
Remote file copy behavior is captured separately, as is done in ATT&CK - see [Remote File Copy](https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/remote-file-copy.md).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/command-control-comm.md", + "external_id": "M0030" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--8429c75f-5cf7-4057-90b7-e94a0c8f7060", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.365Z", + "modified": "2020-02-05T20:28:15.365Z", + "name": "Hidden Files and Directories", + "description": "Malware may hide files and folders to avoid detection and/or to persist on the system. 
See potential methods below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/hidden-files.md", + "external_id": "E1158" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1158", + "external_id": "T1158" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--999d34f4-c740-497f-9074-563b8c11d8ce", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.429Z", + "modified": "2020-02-05T20:28:15.429Z", + "name": "Launch Daemon", + "description": "Malware may install a new MacOS launch daemon that can be configured to execute at startup.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/launch-daemon.md", + "external_id": "T1160" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1160", + "external_id": "T1160" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--8da9c3ba-1ff0-4390-a2e4-7d859b4f5cc8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.237Z", + "modified": "2020-02-05T20:28:15.237Z", + "name": "SMTP Connection Discovery", + "description": "Malware may test whether an 
outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/smtp-connect-discover.md", + "external_id": "M0014" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.368Z", + "modified": "2020-02-05T20:28:15.368Z", + "name": "Modify Registry", + "description": "Malware may make changes to the Windows Registry to hide execution or to persist on the system (note that ATT&CK does not extend this behavior to the Persistence objective).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/modify-reg.md", + "external_id": "E1112" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1112", + "external_id": "T1112" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--0dde3fa0-8e37-413d-bbe8-f75428801408", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.142Z", + 
"modified": "2020-02-05T20:28:15.142Z", + "name": "Capture SMS Messages", + "description": "Malware captures data sent via SMS (e.g., authentication credentials).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/capture-sms.md", + "external_id": "T1412" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1412/", + "external_id": "T1412" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--cec46ca6-08c3-46d6-b37f-92c50fe689bb", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.308Z", + "modified": "2020-02-05T20:28:15.308Z", + "name": "Component Firmware", + "description": "Malware may overwrite the flash memory contents of system BIOS or other firmware. [[1]](#1). 
Methods related to malware (extending ATT&CK's definitions) are below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/component-firmware.md", + "external_id": "E1109" + }, + { + "source_name": "external_source", + "url": "https://www.scmagazine.com/home/opinions/are-synful-knock-style-router-attacks-set-to-become-the-new-normal/" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1109/", + "external_id": "T1109" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. This is accomplished by using default or acquired credentials to gain access to a router and to install a backdoor. The implant resides within a modified Cisco IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. However, any further modules loaded by the attacker will only exist in the router's volatile memory and will not be available for use after reboot. 
Known affected hardware includes Cisco routers 1841, 2811, and 3825.", + "name": "Router Firmware" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fc82f55c-157b-40b6-ae7c-ade5f0fc9be2", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.380Z", + "modified": "2020-02-05T20:28:15.380Z", + "name": "Process Hollowing", + "description": "Instead of performing [Process Injection](https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/process-inject.md), malware may unmap (hollows out) legitimate code from the target process's memory (e.g., svchost.exe) and overwrite the memory space with a malicious code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/process-hollow.md", + "external_id": "T1093" + }, + { + "source_name": "external_source", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1093", + "external_id": "T1093" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--64098173-07b5-47f3-bd31-f3ae0f83ba93", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.247Z", + "modified": "2020-02-05T20:28:15.247Z", + "name": "Custom Command and Control Protocol", + "description": "Malware may use a custom command and control protocol instead of encapsulating commands and data in a [Standard Application Layer Protocol](https://github.com/MBCProject/mbc-markdown/tree/master/command-and-control/std-protocol.md).", 
+ "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/custom-c2-protocol.md", + "external_id": "T1094" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1094/", + "external_id": "T1094" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--2f098b48-391a-4869-acba-b10ba07a4522", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.209Z", + "modified": "2020-02-05T20:28:15.209Z", + "name": "System Service Discovery", + "description": "Malware may try to get information about registered services.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-service-discover.md", + "external_id": "T1007" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1007", + "external_id": "T1007" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--893190c4-3228-4d10-854b-cd8469fb9172", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.128Z", + "modified": "2020-02-05T20:28:15.128Z", + "name": "Data Staged", + "description": "Malware stages collected data prior to [Exfiltration](https://github.com/MBCProject/mbc-markdown/tree/master/exfiltration).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/data-staged.md", + "external_id": "T1074" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1074/", + "external_id": "T1074" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.239Z", + "modified": "2020-02-05T20:28:15.239Z", + "name": "System Time Discovery", + "description": "Malware may try to get the system time or time zone for a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-time-discover.md", + "external_id": "T1087" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1124", + "external_id": "T1124" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.369Z", + "modified": "2020-02-05T20:28:15.369Z", + "name": "File Deletion", + "description": "Malware may remove dropped files or tools to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/file-deletion.md", + "external_id": "E1107" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1107", + "external_id": "T1107" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c9e8178e-280c-4fde-9e94-44db17382b97", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.385Z", + "modified": "2020-02-05T20:28:15.385Z", + "name": "Parent PID Spoofing", + "description": "Malware may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/parent-pid-spoof.md", + "external_id": "T1502" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1502/", + "external_id": "T1502" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--8ee90538-b608-4379-bfef-d906cb366305", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.290Z", + "modified": "2020-02-05T20:28:15.290Z", + "name": "Windows Management Instrumentation", + "description": "Malware may use Windows Management Instrumentation (WMI) to perform a variety of operations.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": 
"mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/windows-mgt-inst.md", + "external_id": "T1047" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1047", + "external_id": "T1047" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b8ffc69c-45d1-4420-a1de-566d88c213c6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.348Z", + "modified": "2020-02-05T20:28:15.348Z", + "name": "File System Logical Offsets", + "description": "Malware may bypass Windows file access controls by analyzing file system data structures.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/file-sys-logical-offset.md", + "external_id": "T1006" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1006", + "external_id": "T1006" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.203Z", + "modified": "2020-02-05T20:28:15.203Z", + "name": "Virtual Machine Detection", + "description": "Detects whether the malware instance is being executed in a virtual machine (VM), such as VMWare. 
If so, conditional execution selects a benign execution path.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/detect-vm.md", + "external_id": "M0009" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" + }, + { + "source_name": "external_source", + "url": "http://unprotect.tdgt.org/index.php/Sandbox_Evasion" + }, + { + "source_name": "external_source", + "url": "https://www.hackread.com/gravityrat-malware-evades-detection-targets-india/" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1497/", + "external_id": "T1497" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Virtual machines create files on the file system (e.g., VMware creates files in the installation directory C:\\Program Files\\VMware\\VMware Tools). Malware can check the different folders to find virtual machine artifacts (e.g., Virtualbox has the artifact VBoxMouse.sys). [[2]](#2)", + "name": "Check File and Directory Artifacts" + }, + { + "definition": "VMware leaves many artifacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognizable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts. 
[[2]](#2)", + "name": "Check Memory Artifacts" + }, + { + "definition": "Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or other places.", + "name": "Check Named System Objects" + }, + { + "definition": "The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. Malware can list the process and searches for the VMware string. Process related to Virtualbox can be detected by malware by query the process list. [[2]](#2)", + "name": "Check Processes" + }, + { + "definition": "Virtual machines register artifacts in the registry, which can be detected by malware. For example, a search for \"VMware\" or \"VBOX\" in the registry might reveal keys that include information about a virtual hard drive, adapters, running services, or virtual mouse. [[2]](#2) Example registry key value artifacts include \"HARDWARE\\Description\\System (SystemBiosVersion) (VBOX)\" and \"SYSTEM\\ControlSet001\\Control\\SystemInformation (SystemManufacturer) (VMWARE)\"; example registry key artifacts include \"SOFTWARE\\VMware, Inc.\\VMware Tools (VMWARE)\" and \"SOFTWARE\\Oracle\\VirtualBox Guest Additions (VBOX)\". [[5]](#5)", + "name": "Check Registry Keys" + }, + { + "definition": "VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services. [[2]](#2)", + "name": "Check Running Services" + }, + { + "definition": "The presence of virtual devices can indicate a virtualized environment (e.g., \"\\\\.\\VBoxTrayIPC\"). 
[[5]](#5)", + "name": "Check Virtual Devices" + }, + { + "definition": "Malware may check windows for VM-related characteristics such as:\n\t* *Window size*: tiny window size may indicate a VM.\n\t* *Unique windows*: may check for the presence of known windows from analysis tools running in a VM.\n\t* *Title bars*: may inject malicious code to svchost.exe to check all open window title bar text to a list of strings indicating virtualized environment.", + "name": "Check Windows" + }, + { + "definition": "Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process responsible for these tasks, via its name or other methods, is a technique employed by malware for detecting whether it is being executed in a virtual machine.", + "name": "Guest Process Testing" + }, + { + "definition": "In three browser families, it is possible to extract the frequency of the Windows performance counter frequency, using standard HTML and Javascript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines.", + "name": "HTML5 Performance Object Check" + }, + { + "definition": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel, change in foreground window [[5]](#5).", + "name": "Human User Check" + }, + { + "definition": "Different aspects of the hardware are inspected to determine whether the machine has modern characteristics. 
A machine with substandard specifications indicates a virtual environment: \n * *Total physical memory*: most modern machines have at leave 4 GB of memory. (GlobalMemoryStatusEx) [[5]](#5).\n * *Drive size*: most modern machines have at least 80 GB disks. May use DeviceloControl (IOCTL_DISK_GET_LENGTH_INFO) or GetDiskFreeSpaceEx (TotalNumberOfBytes) [[5]](#5).\n * *USB drive*: checks whether there is a potential USB drive; if not a virtual environment is suspected.\n * *Printer*: checks whether there is a potential connected printer or default Windows printers; if not a virtual environment is suspected.\n * *Processor count*: checks number of processors; single CPU machines are suspect.\n * *Keyboard layout*\n * *Software*: checks whether software is relatively current.", + "name": "Modern Specs Check" + }, + { + "definition": "Malware may check for hardware characteristics unique to being virtualized, allowing the malware to detect the virtual environment. Items checked include:\n * *BIOS*: characteristics of the BIOS, such as version, can indicate virtualization.\n * *I/O Communication Port*: VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. The port can be queried and compared with a magic number VMXh to identify the use of VMware.\n * *CPU Name*\n * *CPU Location*: When an Operating System is virtualized, the CPU is relocated. [[2]](#2)\n * *MAC Address*: VMware uses specific virtual MAC address that can be detected. The usual MAC address used started with the following numbers: \"00:0C:29\", \"00:1C:14\", \"00:50:56\", \"00:05:69\". Virtualbox uses specific virtual MAC address that can be detected by Malware. The usual MAC address used started with the following numbers: 08:00:27. 
[[2]](#2)", + "name": "Unique Hardware/Firmware Check" + }, + { + "definition": "The execution of certain x86 instructions will result in different values when executed inside of a VM instead of on bare metal. Accordingly, these can be used to detect the execution of the malware in a VM. [[2]](#2)\n * *SIDT (red pill)*: Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest's IDTR to avoid conflict with the host's IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned.\n * *SGDT/SLDT (no pill)*: The No Pill technique relies on the fact that the LDT structure is assigned to a processor not an Operating System. The LDT location on a host machine will be zero and on a virtual machine will be non-zero.\n * *SMSW*\n * *STR*\n * *CPUID*: Checking the CPU ID found within the registry can provide information to system type.\n * *IN*\n * *RDTSC*\n * *VMCPUID*\n * *VPCEXT*", + "name": "x86 Instruction Testing" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b2c99aaa-a0e3-439d-92a3-402768d7282f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.236Z", + "modified": "2020-02-05T20:28:15.236Z", + "name": "Software Discovery", + "description": "Malware may try to identify all software and applications installed on the device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/sw-discover.md", + "external_id": "T1518" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1518", + 
"external_id": "T1518" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1418", + "external_id": "T1418" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--4799cdef-cff0-476b-adaa-685b8277ef7c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.451Z", + "modified": "2020-02-05T20:28:15.451Z", + "name": "Credentials in Files", + "description": "Malware may search local file system and remote file shares for files containing passwords.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/credentials-in-files.md", + "external_id": "T1081" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1081/", + "external_id": "T1081" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--309cdc6a-244e-43a6-bc1a-40ea4b8a999c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.220Z", + "modified": "2020-02-05T20:28:15.220Z", + "name": "System Owner/User Discovery", + "description": "Malware may try to identify the users of the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-owner-discover.md", + "external_id": "T1033" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1033", + "external_id": "T1033" + 
} + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.390Z", + "modified": "2020-02-05T20:28:15.390Z", + "name": "Process Injection", + "description": "Malware may execute code in the address space of a separate process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/process-inject.md", + "external_id": "E1055" + }, + { + "source_name": "external_source", + "description": "Ashkan Hosseini, *Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques*, July 2017.", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "https://github.com/LordNoteworthy/al-khaser" + }, + { + "source_name": "external_source", + "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055", + "external_id": "T1055" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Injects code using the Shell_TRyaWnd technique.", + "name": "Shell_TrayWnd" + }, + { + "definition": "Malware creates a thread using CreateRemoteThread (or NtCreateThreadEx, 
RtlCreateUserThread) and LoadLibrary. The path to the malware's malicious dynamic-link library (DLL) is written in the virtual address space of another process; the malware ensures the remote process loads it by creating a remote thread in the target process. This is one of the most common process injection methods. [[1]](#1)", + "name": "CreateRemoteThread" + }, + { + "definition": "Malware copies its malicious code into an existing open process and causes it to execute via shellcode or by calling CreateRemoteThread (instead of passing the address of the LoadLibrary) [[1]](#1)", + "name": "PE Injection" + }, + { + "definition": "Malware targets an existing thread of a process, avoiding noisy process or thread creations operations. [[1]](#1)", + "name": "Thread Execution Hijacking" + }, + { + "definition": "Malware can leverage hooking functionality to have its malicious DLL loaded upon an event getting triggered in a specific thread, which is usually done by calling SetWindowsHookEx to install a hook routine into the hook chain. [[1]](#1)", + "name": "SetWindowsHooksEx" + }, + { + "definition": "Malware may leverage Asynchronous Procedure Calls (APC) to force another thread to execute its code by attaching it to the APC Queue of the target thread (using QueueUserAPC / NtQueueApcThread); also called AtomBombing [[1]](#1), [[3]](#3).", + "name": "APC Injection" + }, + { + "definition": "GetThreadContext / SetThreadContext [[3]](#3).", + "name": "RunPE" + }, + { + "definition": "Malware may insert the location of its malicious library under a registry key (e.g., Appinit_DLL, AppCertDlls, IFEO) to have another process load its library. 
[[1]](#1)", + "name": "Registry Modification" + }, + { + "definition": "", + "name": "Extra Window Memory Injection (EWMI)" + }, + { + "definition": "Malware may use shims to target an executable (shims are a way of hooking into APIs and targeting specific executables and are provided by Microsoft for backward compatibility, allowing developers to apply program fixes without rewriting code) [[1]](#1).", + "name": "Shims" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fb4f9ec2-9c0e-4b28-9af7-b2bd4c69ff65", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.441Z", + "modified": "2020-02-05T20:28:15.441Z", + "name": "Sudo", + "description": "Malware may take advantage of the sudoers file in Linux or macOS for privilege escalation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/sudo.md", + "external_id": "T1169" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1169", + "external_id": "T1169" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.192Z", + "modified": "2020-02-05T20:28:15.192Z", + "name": "Sandbox Detection", + "description": "Detects whether the malware instance is being executed inside an instrumented sandbox environment (e.g., Cuckoo Sandbox). 
If so, conditional execution selects a benign execution path.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/detect-sandbox.md", + "external_id": "M0007" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" + }, + { + "source_name": "external_source", + "url": "http://labs.lastline.com/exposing-rombertik-turning-the-tables-on-evasive-malware" + }, + { + "source_name": "external_source", + "url": "https://github.com/LordNoteworthy/al-khaser" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Checks clipboard data which can be used to detect whether execution is inside a sandbox.", + "name": "Check Clipboard Data" + }, + { + "definition": "Sandboxes create files on the file system. Malware can check the different folders to find sandbox artifacts.", + "name": "Check Files" + }, + { + "definition": "Detects whether there is any \"user\" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of background pixel [[3]](#3).", + "name": "Human User Check" + }, + { + "definition": "Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. 
This can be achieved through the kernel32!GetModuleHandle API call and other means.", + "name": "Injected DLL Testing" + }, + { + "definition": "Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the Key/ID in the Windows registry.", + "name": "Product Key/ID Testing" + }, + { + "definition": "Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower. No one is actually working on a such small screen. Malware could potentially detect the screen resolution to determine if it's a user machine or a sandbox.", + "name": "Screen Resolution Testing" + }, + { + "definition": "Malware may check its own characteristics to determine whether it's running in a sandbox. For example, a malicious Office document might check its file name or VB project name.", + "name": "Self Check" + }, + { + "definition": "Calling GetSystemTime or equiv and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date. This behavior can be mitigated in non-automated analysis environments.", + "name": "Timing/Date Checks" + }, + { + "definition": "Comparing single GetTickCount with some value to see if system has been started at least *X* amount ago. 
This behavior can be mitigated in non-automated analysis environments.", + "name": "Timing/Uptime Check" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.300Z", + "modified": "2020-02-05T20:28:15.300Z", + "name": "Install Additional Program", + "description": "Installs another, different program on the system. The additional program can be any secondary module; examples include backdoors, malicious drivers, kernel modules, and OS X Apps.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/install-prog.md", + "external_id": "M0023" + }, + { + "source_name": "external_source", + "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "external_source", + "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.217Z", + "modified": "2020-02-05T20:28:15.217Z", + "name": "Process Discovery", + "description": "Malware may try to get information about running processes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + 
"external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/process-discover.md", + "external_id": "T1057" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1057", + "external_id": "T1057" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.354Z", + "modified": "2020-02-05T20:28:15.354Z", + "name": "Obfuscated Files or Information", + "description": "Malware may make files or information difficult to discover or analyze by encoding, encrypting, or otherwise obfuscating the content. In addition, a malware sample itself can be encoded or encrypted (i.e., encoding/encryption is a code characteristic).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/obfuscate-files.md", + "external_id": "E1027" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1027", + "external_id": "T1027" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "", + "name": "Encoding" + }, + { + "definition": "* *Standard Encryption*: A standard algorithm, such as Rijndael/AES, DES, RC4, is used to encrypt an executable file. Encryption hinders static analysis of malware code. 
Also known as **Code Encryption in File**.\n * *Standard Encryption of Code*: A standard encryption algorithm is used to encrypt a file's executable code, but not necessarily the file's data. \n * *Standard Encryption of Data*: A standard encryption algorithm is used to encrypt a file's data, but not necessarily the file's code. \n * *Custom Encryption*: A custom algorithm is used to encrypt an executable file. Encryption hinders static analysis of malware code. Also known as **Code Encryption in File**.\n * *Custom Encryption of Code*: A custom encryption algorithm is used to encrypt a file's executable code, but not necessarily the file's data.\n * *Custom Encryption of Data*: A custom encryption algorithm is used to encrypt a file's data, but not necessarily the file's code.", + "name": "Encryption" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b24b9670-5ac7-4982-972c-0691b9a81d0c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.421Z", + "modified": "2020-02-05T20:28:15.421Z", + "name": "Modify Trusted Execution Environment", + "description": "Malware may run code in the Android Trusted Execution Environment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/mod-trust-exe-environ.md", + "external_id": "T1399" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1399", + "external_id": "T1399" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1bcad6e7-bdb9-4cb1-acd2-12c3ef0d16a6", + "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.399Z", + "modified": "2020-02-05T20:28:15.399Z", + "name": "TimeStomp", + "description": "Malware may modify the timestamps of a file to mimic files in the same folder and avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/timestomp.md", + "external_id": "T1099" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1099", + "external_id": "T1099" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--5e8c37e7-530d-4da6-a520-83a39fc52d7a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.361Z", + "modified": "2020-02-05T20:28:15.361Z", + "name": "Rootkit Behavior", + "description": "Behaviors of a rootkit: \"A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that is not otherwise allowed and often masks its existence or the existence of other software.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/rootkit-behavior.md", + "external_id": "E1014" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Rootkit" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1014", + "external_id": 
"T1014" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Hides the usage of any kernel modules by the malware instance.", + "name": "Hide Kernel Modules" + }, + { + "definition": "Hides any system services that the malware instance creates or injects itself into.", + "name": "Hide Services" + }, + { + "definition": "Hides one or more threads that belong to the malware instance.", + "name": "Hide Threads" + }, + { + "definition": "Hides the usage of userspace libraries by the malware instance.", + "name": "Hide Userspace Libraries" + }, + { + "definition": "Prevents the API hooks installed by the malware instance from being removed.", + "name": "Prevent API Unhooking" + }, + { + "definition": "Prevents access to the Windows registry, including to the entire registry and/or to particular registry keys/values.", + "name": "Prevent Registry Access" + }, + { + "definition": "Prevent Windows registry keys and/or values associated with the malware instance from being deleted from a system.", + "name": "Prevent Registry Deletion" + }, + { + "definition": "Prevents access to the file system, including to specific files and/or directories associated with the malware instance.", + "name": "Prevent File Access" + }, + { + "definition": "Prevents files and/or directories associated with the malware instance from being deleted from a system.", + "name": "Prevent File Deletion" + }, + { + "definition": "Prevents access to system memory where the malware instance may be storing code or data.", + "name": "Prevent Memory Access" + }, + { + "definition": "Prevents other software from hooking native system APIs.", + "name": "Prevent Native API Hooking" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c20a6281-74cb-41fe-8575-ca053579b768", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": 
"2020-02-05T20:28:15.274Z", + "modified": "2020-02-05T20:28:15.274Z", + "name": "Execution through Module Load", + "description": "Malware may use the Windows module loader to execute code on a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/execution-via-module-load.md", + "external_id": "T1129" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1129", + "external_id": "T1129" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e9f915ef-38e5-4c6a-a885-c26073023fe5", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.109Z", + "modified": "2020-02-05T20:28:15.109Z", + "name": "Exploitation of Remote Services", + "description": "Malware may exploit a vulnerability in a program, service, or operating system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/exploit-remote-services.md", + "external_id": "T1210" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1210", + "external_id": "T1210" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e7f6dd03-80ee-4721-baed-949bd060ed48", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.144Z", + "modified": "2020-02-05T20:28:15.144Z", + "name": "Access Call Log", + "description": 
"Malware gathers call log data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/access-call-log.md", + "external_id": "T1433" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1433/", + "external_id": "T1433" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--5a7483f3-b636-4f12-8925-21be3e0f3676", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.152Z", + "modified": "2020-02-05T20:28:15.152Z", + "name": "Executable Code Virtualization", + "description": "Original executable code is virtualized by translating the code into a special format that only a special virtual machine (VM) can run; the VM uses a customized virtual instruction set. A \"stub\" function calls the VM when the code is run. 
Virtualized code makes static analysis and reverse engineering more difficult; dumped code won’t run without the VM.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/exe-code-virtualize.md", + "external_id": "M0008" + }, + { + "source_name": "external_source", + "url": "https://github.com/xiaoweime/WProtect" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "multiple virtual machines with different architectures (CISC, RISC, etc.) can be used inside of a single executable in order to make reverse engineering even more difficult.", + "name": "Multiple VMs" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--fb7a6e89-4943-47a3-980f-d22c9f394d40", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.157Z", + "modified": "2020-02-05T20:28:15.157Z", + "name": "Software Packing", + "description": "This code characteristic - Software Packing - can make static and behavioral analysis difficult and includes packing with a software protectors, such as Themida and Armadillo [[1]](#1). 
Methods related to anti-analysis are below.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-static-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/software-packing.md", + "external_id": "E1045" + }, + { + "source_name": "external_source", + "description": "Ange Albertini, Packers, 5 April 2010,", + "url": "https://gironsec.com/code/packers.pdf" + }, + { + "source_name": "external_source", + "description": "Jiang Ming et al, Towards Paving the Way for Large-Scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-Magnitude Performance Boost, October 2018,", + "url": "https://dl.acm.org/citation.cfm?id=3243771." + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1045/", + "external_id": "T1045" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "the malware is packed by one packer, the result is packed, etc.", + "name": "Nested Packing" + }, + { + "definition": "Uses a standard algorithm, such as UPX or LZMA, to compress an executable file.", + "name": "Standard Compression" + }, + { + "definition": "Uses a standard algorithm to compress the opcode mnemonics.", + "name": "Standard Compression of Code" + }, + { + "definition": "Uses a standard algorithm to compress strings and variables (executable file data).", + "name": "Standard Compression of Data" + }, + { + "definition": "Uses a custom algorithm to compress an executable file.", + "name": "Custom Compression" + }, + { + "definition": "Uses a custom algorithm to compress opcode mnemonics.", + "name": "Custom Compression of Code" + }, + { + "definition": 
"Uses a custom algorithm to compress strings and variables (executable file data).", + "name": "Custom Compression of Data" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--b297f2d1-8322-4153-8e4c-ecc411302a79", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.422Z", + "modified": "2020-02-05T20:28:15.422Z", + "name": "Masquerading", + "description": "Malware may change the name or location of files to avoid detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/masquerading.md", + "external_id": "T1036" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1036", + "external_id": "T1036" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.298Z", + "modified": "2020-02-05T20:28:15.298Z", + "name": "Send Email", + "description": "Sends an email message from the system on which the malware is executing to one or more recipients, mostly commonly for the purpose of spamming or for distributing a malicious attachment or URL (malspamming).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/send-email.md", + "external_id": "M0020" + }, + { + "source_name": "external_source", + "url": 
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1193", + "external_id": "T1193" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1192", + "external_id": "T1192" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--1a9f1c1d-2273-469c-98da-063594baa0d4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.178Z", + "modified": "2020-02-05T20:28:15.178Z", + "name": "Execution Guardrails", + "description": "Malware may use execution guardrails (environmental conditions) to constrain execution. This behavior is related to the [Evade Dynamic Analysis](https://github.com/MBCProject/mbc-markdown/tree/master/anti-behavioral-analysis/evade-dynamic-analysis.md) behavior that obstructs dynamic analysis in a sandbox, emulator, or virtual machine.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/execution-guardrails.md", + "external_id": "E1480" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1480/", + "external_id": "T1480" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. 
For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system. Also see Environmental Keys Method.", + "name": "Deposited Keys" + }, + { + "definition": "Malware reads certain attributes of the system (BIOS version string, hostname, MAC address, etc.) and encrypts/decrypts portions of its code or data using those attributes as input, thus preventing itself from being run on an unintended system (e.g., sandbox, emulator, etc.). Also see Deposited Keys Method.", + "name": "Environmental Keys" + }, + { + "definition": "This Windows API call is used to get the GUID on a system drive. Malware compares it to a previous (targeted) GUID value and only executes maliciously if they match. This behavior can be mitigated in non-automated analysis environments.", + "name": "GetVolumeInformation" + }, + { + "definition": "Compare a previously computed host fingerprint(e.g., based on installed applications) to the current system's to determine if the malware instance is still executing on the same system. If not, execution stops, making debugging or sandbox analysis more difficult.", + "name": "Host Fingerprint Check" + }, + { + "definition": "Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).", + "name": "Secure Triggers" + }, + { + "definition": "Presence check to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.). 
If the token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.), it is considered fingerprinting.", + "name": "Token Check" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a02e6e5e-2750-4ec8-af17-90088bb8f961", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.225Z", + "modified": "2020-02-05T20:28:15.225Z", + "name": "Account Discovery", + "description": "Malware may try to get names of local system or domain accounts.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/account-discover.md", + "external_id": "T1087" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1087", + "external_id": "T1087" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--de4972da-8a7d-4d60-96e7-0c3d7d4fc394", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.381Z", + "modified": "2020-02-05T20:28:15.381Z", + "name": "File Permissions Modification", + "description": "Malware may modify file permissions to evade detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/file-permission-mod.md", + "external_id": "T1222" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1222", + "external_id": "T1222" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": 
"attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7178682e-9591-4ebe-a24e-25b7b2ee07a5", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.188Z", + "modified": "2020-02-05T20:28:15.188Z", + "name": "Debugger Detection", + "description": "Malware detects whether it's being executed inside a debugger. If so, conditional execution selects a benign execution path.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/detect-debugger.md", + "external_id": "M0001" + }, + { + "source_name": "external_source", + "description": "Alexander Antukh, \"Anti-debugging Techniques Cheat Sheet,\" 19 January 2015.", + "url": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet." + }, + { + "source_name": "external_source", + "description": "Joshua Cannell, Malwarebytes Labs, \"Five Anti-Analysis Tricks that sometimes Fool Analysts,\" 31 March 2016.", + "url": "https://blog.malwarebytes.com/threat-analysis/2014/09/five-anti-debugging-tricks-that-sometimes-fool-analysts." + }, + { + "source_name": "external_source", + "description": "Peter Ferrie, \"The 'Ultimate' Anti-Debugging Reference,\" 4 May 2011.", + "url": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf." + }, + { + "source_name": "external_source", + "description": "Atif Mushtaq, FireEye, \"The Dead Giveaways of VM-Aware Malware,\" 27 January 2011.", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html." 
+ }, + { + "source_name": "external_source", + "description": "Ayoub Faouzi (LordNoteworthy), Al-Khaser v0.79.", + "url": "https://github.com/LordNoteworthy/al-khaser" + }, + { + "source_name": "external_source", + "description": "Nicolas Falliere, Symantec, \"Windows Anti-Debug Reference,\" 11 September 2007.", + "url": "https://www.symantec.com/connect/articles/windows-anti-debug-reference." + }, + { + "source_name": "external_source", + "description": "Anti Debugging Tricks, Al-Khaser.", + "url": "https://github.com/LordNoteworthy/al-khaser/wiki/Anti-Debugging-Tricks" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "module bounds based [[7]](#7)", + "name": "API Hook Detection" + }, + { + "definition": "The kernel32!CheckRemoteDebuggerPresent function calls NtQueryInformationProcess with ProcessInformationClass parameter set to 7 (ProcessDebugPort constant).", + "name": "CheckRemoteDebuggerPresent" + }, + { + "definition": "(NtClose); If an invalid handle is passed to the CloseHandle function and a debugger is present, then an EXCEPTION_INVALID_HANDLE (0xC0000008) exception will be raised. [[7]](#7)", + "name": "CloseHandle" + }, + { + "definition": "Malware may detect a debugger by its artifact (window title, device driver, exports, etc.).", + "name": "Debugger Artifacts" + }, + { + "definition": "(SEH/GetThreadContext); Debug registers will indicate the presence of a debugger. See [[7]](#7) for details.", + "name": "Hardware Breakpoints" + }, + { + "definition": "If int 0x2d is mishandled by the debugger, it can cause a single-byte instruction to be inadvertently skipped, which can be detected by malware.", + "name": "Interrupt 0x2d" + }, + { + "definition": "[[7]](#7)", + "name": "Interrupt 1" + }, + { + "definition": "The kernel32!IsDebuggerPresent API function call checks the PEB BeingDebugged flag to see if the calling process is being debugged. 
It returns 1 if the process is being debugged, 0 otherwise. This is one of the most common ways of debugger detection.", + "name": "IsDebuggerPresent" + }, + { + "definition": "(PAGE_GUARD); Guard pages trigger an exception the first time they are accessed and can be used to detect a debugger. See [[7]](#7) for details.", + "name": "Memory Breakpoints" + }, + { + "definition": "[[7]](#7)", + "name": "Memory Write Watching" + }, + { + "definition": "Malware may spawn a monitoring thread to detect tampering, breakpoints, etc.", + "name": "Monitoring Thread" + }, + { + "definition": "Calling NtQueryInformationProcess with its ProcessInformationClass parameter set to 0x07 (ProcessDebugPort constant) will cause the system to set ProcessInformation to -1 if the process is being debugged. Calling with ProcessInformationClass set to 0x0E (ProcessDebugFlags) or 0x11 (ProcessDebugObject) are used similarly. Testing \"ProcessDebugPort\" is equivalent to using the kernel32!CheckRemoteDebuggerPresent API call (see next method).", + "name": "NtQueryInformationProcess" + }, + { + "definition": "The ObjectTypeInformation and ObjectAllTypesInformation flags are checked for debugger detection.", + "name": "NtQueryObject" + }, + { + "definition": "Calling this API with a fake class length or thread handle can indicate whether it is hooked. After calling NtSetInformationThread properly, the HideThreadFromDebugger flag is checked with the NtQueryInformationThread API. [[7]](#7)", + "name": "NtSetInformationThread" + }, + { + "definition": "[[7]](#7)", + "name": "NtYieldExecution/SwitchToThread" + }, + { + "definition": "(GetLastError); The OutputDebugString function will demonstrate different behavior depending whether or not a debugger is present. 
See [[7]](#7) for details.", + "name": "OutputDebugString" + }, + { + "definition": "[[7]](#7)", + "name": "Page Exception Breakpoint Detection" + }, + { + "definition": "(Explorer.exe); Executing an application by a debugger will result in the parent process being the debugger process rather than the shell process (Explorer.exe) or the command line. Malware checks its parent process; if it's not explorer.exe, it's assumed to be a debugger. [[7]](#7)", + "name": "Parent Process" + }, + { + "definition": "The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, such as \"BeingDebugged,\" \"NtGlobalFlag,\" and \"IsDebugged\". Testing the value of this PEB field of a particular process can indicate whether the process is being debugged. Testing \"BeingDebugged\" is equivalent to using the kernel32!IsDebuggerPresent API call (see next method).", + "name": "Process Environment Block" + }, + { + "definition": "[[7]](#7)", + "name": "Process Jobs" + }, + { + "definition": "Process heaps are affected by debuggers. Malware can detect a debugger by checking heap header fields such as Flags (debugger present if value greater than 2) or ForceFlags (debugger present if value greater than 0).", + "name": "ProcessHeap" + }, + { + "definition": "Malware may call RtlAdjustPrivilege to detect if a debugger is attached (or to prevent a debugger from attaching).", + "name": "RtlAdjustPrivilege" + }, + { + "definition": "(Csrss.exe); Using the OpenProcess function on the csrss.exe process can detect a debugger. 
[[7]](#7)", + "name": "SeDebugPrivilege" + }, + { + "definition": "(Protected Handle);", + "name": "SetHandleInformation" + }, + { + "definition": "(INT3/0xCC)", + "name": "Software Breakpoints" + }, + { + "definition": "Similar to the anti-exploitation method of the same name, malware may try to detect mucking with values on the stack.", + "name": "Stack Canary" + }, + { + "definition": "Malware may access information in the Thread Information Block (TIB) for debug detection or process obfuscation detection. The TIB can be accessed as an offset of the segment register (e.g., fs:[20h]).", + "name": "TIB Aware" + }, + { + "definition": "Malware may compare time between two points to detect unusual execution, such as the (relative) massive delays introduced by debugging.", + "name": "Timing/Delay Checks" + }, + { + "definition": "[[7]](#7)", + "name": "TLS Callbacks" + }, + { + "definition": "The UnhandledExceptionFilter function is called if no registered exception handlers exist, but it will not be reached if a debugger is present. 
See [[7]](#7) for details.", + "name": "UnhandledExceptionFilter" + }, + { + "definition": "WudfIsAnyDebuggerPresent, WudfIsKernelDebuggerPresent, WudfIsUserDebuggerPresent", + "name": "WudfIsAnyDebuggerPresent" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--3681ae81-1115-418d-a4f7-b6240b602852", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.257Z", + "modified": "2020-02-05T20:28:15.257Z", + "name": "Standard Application Layer Protocol", + "description": "Malware may use a standard application layer protocol (e.g., HTTP) to blend with usual traffic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/std-app-protocol.md", + "external_id": "T1071" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1071/", + "external_id": "T1071" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a370131c-c76d-49a1-ac77-c1ca7f1b3ee2", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.448Z", + "modified": "2020-02-05T20:28:15.448Z", + "name": "Credential Dumping", + "description": "Malware may obtain account login and password information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/credential-dump.md", + "external_id": "T1003" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1003/", + "external_id": "T1003" 
+ } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c376d9bb-5e45-42f5-95ce-b57d6ce417b8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.224Z", + "modified": "2020-02-05T20:28:15.224Z", + "name": "System Network Configuration Discovery", + "description": "Malware may try to find details about the system's network configuration.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/system-network-config-discover.md", + "external_id": "T1016" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1016", + "external_id": "T1016" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a95f6808-9551-426a-8eaa-7794164d10e7", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.123Z", + "modified": "2020-02-05T20:28:15.123Z", + "name": "Screen Capture", + "description": "Malware takes screen captures.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/screen-capture.md", + "external_id": "T1113" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1113/", + "external_id": "T1113" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": 
"attack-pattern--4dd2b47e-6753-4cbc-bfbd-336ed1dd4838", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.436Z", + "modified": "2020-02-05T20:28:15.436Z", + "name": "Exploitation for Privilege Escalation", + "description": "Malware may exploit a software vulnerability to escalate privileges.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/exploit-priv-escalate.md", + "external_id": "T1068" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1068", + "external_id": "T1068" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--4b89d6b6-fd08-4b39-bb01-b472ae95b93d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.121Z", + "modified": "2020-02-05T20:28:15.121Z", + "name": "Email Collection", + "description": "Malware targets user email for collection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/email-collect.md", + "external_id": "T1114" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1114/", + "external_id": "T1114" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ecee9e53-6ad7-4459-a02a-66bfc9e6caed", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.119Z", + 
"modified": "2020-02-05T20:28:15.119Z", + "name": "Data from Network Shared Drive", + "description": "Malware collects from remote systems via shared network drives that are accessible from the compromised system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/data-network-share.md", + "external_id": "T1039" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1039/", + "external_id": "T1039" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--dcf577a4-f3c7-4abe-90f3-0e2cfeba0e2d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.242Z", + "modified": "2020-02-05T20:28:15.242Z", + "name": "Fallback Channels", + "description": "Malware may contain a secondary command and control server or may communicate over a backup channel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/fallback-channels.md", + "external_id": "T1008" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1008/", + "external_id": "T1008" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a03b6507-fed8-416a-8425-0761f5f7f754", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.294Z", + "modified": "2020-02-05T20:28:15.294Z", + "name": "Scheduled Task", + 
"description": "Malware may use the Windows Task Scheduler to schedule programs or scripts to be executed at a date and time.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/scheduled-task.md", + "external_id": "T1053" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1053/", + "external_id": "T1053" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--91b54219-5f02-4c6d-aaec-7bfb45e22cc4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.316Z", + "modified": "2020-02-05T20:28:15.316Z", + "name": "AppInit DLLs", + "description": "Malware may abuse DLLs specified in the registry AppInit_DLLs value to load and run malicious DLLs.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "privilege-escalation" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/appinit-dlls.md", + "external_id": "T1103" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1103/", + "external_id": "T1103" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--99960d3e-e9f8-47e9-9293-a18eb5b068af", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + 
"created": "2020-02-05T20:28:15.323Z",
+ "modified": "2020-02-05T20:28:15.323Z",
+ "name": "Startup Items",
+ "description": "Malware may add an entry to the macOS StartupItems directory to enable persistence. Because StartupItems run during the bootup phase of macOS, they will run as root, enabling privilege escalation.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/startup-items.md",
+ "external_id": "T1165"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1165",
+ "external_id": "T1165"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--bfa0510e-ffed-49a3-a66a-cef073dd488e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.162Z",
+ "modified": "2020-02-05T20:28:15.162Z",
+ "name": "Disassembler Evasion",
+ "description": "Malware code evades disassembly in a recursive or linear disassembler. 
Some methods apply to both types of disassemblers; others apply to one type and not the other.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/evade-disassembler.md",
+ "external_id": "M0012"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://www.kernelhacking.com/rodrigo/docs/blackhat2012-paper.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://isc.sans.edu/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://boingboing.net/2019/05/05/p-code-r-us.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Simple number or string arguments to API calls are calculated at runtime, making linear disassembly more difficult.",
+ "name": "Argument Obfuscation"
+ },
+ {
+ "definition": "Conditional jumps are sometimes used to confuse disassembly engines, resulting in the wrong instruction boundaries and thus wrong mnemonic and operands; identified by instructions *jmp/jcc to a label+#* (e.g., JNE loc_401345fe+2).",
+ "name": "Conditional Misdirection"
+ },
+ {
+ "definition": "Explicit use of computed values for control flow, often many times in the same basic block or function.",
+ "name": "Value Dependent Jumps"
+ },
+ {
+ "definition": "Variables, often strings, are broken into multiple parts and store out of order, in different memory ranges, or both. 
They must then be recomposed before use.",
+ "name": "Variable Recomposition"
+ },
+ {
+ "definition": "Typically, VBA source code is compiled into p-code, which is stored with compressed sourced code in the OLE file with VBA macros. VBA Stomping - when the VBA source code is removed and only the p-code remains - makes analysis much harder. See [[3]](#3) for an analysis of a VBA-Stomped malicious VBA Office document. See [[4]](#4) for information on Evil Clippy, a tool that creates malicious MS Office documents.",
+ "name": "VBA Stomping"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--b8f24e74-d267-4783-be19-13cb060aaa2d",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.459Z",
+ "modified": "2020-02-05T20:28:15.459Z",
+ "name": "Hooking",
+ "description": "Malware alters API behavior or redirects execution to a malicious API version for a variety of purposes. Malware may use hooking to load and execute code within the context of another process, hiding execution and gaining elevated privileges and access to the process's memory. Methods related to anti-behavioral analysis are below. 
For example, hooking can be used to prevent memory dumps - see also [Memory Dump Obstruction](https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/memory-dump-obstruct.md).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-behavioral-analysis"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/hooking.md",
+ "external_id": "E1179"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks?redirectedfrom=MSDN#hook-procedures"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1179/",
+ "external_id": "T1179"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Patching this function to always return NULL prevents drivers from getting information about the physical address space layout, preventing memory dumps. [[1]](#1)",
+ "name": "Patch MmGetPhysicalMemoryRanges"
+ },
+ {
+ "definition": "Prevents memory dumps by preventing mapping of memory into the kernel's virtual address space. [[1]](#1)",
+ "name": "Hook memory mapping APIs"
+ },
+ {
+ "definition": "Intercepts and executes designated code in response to events such as messages, keystrokes, and mouse inputs. 
[[3]](#3)",
+ "name": "Hook procedures"
+ },
+ {
+ "definition": "",
+ "name": "Import Address Hooking (IAT) Hooking"
+ },
+ {
+ "definition": "overwrites the first bytes in an API function to redirect code flow.",
+ "name": "Inline Hooking"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--98511ebd-51ae-451e-8d14-b73f23640191",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.272Z",
+ "modified": "2020-02-05T20:28:15.272Z",
+ "name": "Send Poisoned Text Message",
+ "description": "A malicious attachment is sent via spam SMS or MMS messages. When the user clicks the link, malware is installed.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/send-poison-text-msg.md",
+ "external_id": "M0021"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.player.one/new-android-sms-malware-can-completely-own-your-phone-just-one-text-how-avoid-mazar-512363"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--83754954-2d7e-48d5-9f88-034dc202ed48",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.494Z",
+ "modified": "2020-02-05T20:28:15.494Z",
+ "name": "Spamming",
+ "description": "Malware may use a victim machine to create and send spam.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+
"external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/spamming.md",
+ "external_id": "M0039"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://techcrunch.com/2019/07/12/trickbot-spam-millions-emails/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--1341c511-1ecc-489b-902a-8a80577d2758",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.312Z",
+ "modified": "2020-02-05T20:28:15.312Z",
+ "name": "Change Default File Association",
+ "description": "Malware may change the file association selections (stored in the Windows Registry) to execute arbitrary commands.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/change-default-file-assoc.md",
+ "external_id": "T1042"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1042",
+ "external_id": "T1042"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--56e8ece2-1e82-4c12-9b8d-79bd23c33936",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.472Z",
+ "modified": "2020-02-05T20:28:15.472Z",
+ "name": "Firmware Corruption",
+ "description": "Malware may corrupt the flash memory contents of system BIOS or other system device firmware to render them inoperable or unable to boot.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+
"url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/firmware-corruption.md",
+ "external_id": "T1495"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1495/",
+ "external_id": "T1495"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--19965f2f-3091-4611-b5da-4f5351319b63",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.130Z",
+ "modified": "2020-02-05T20:28:15.130Z",
+ "name": "Man in the Browser",
+ "description": "Malware leverages vulnerabilities and functionality in browser software to change content, modify behavior, and intercept information.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "collection"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/man-in-browser.md",
+ "external_id": "T1185"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1185/",
+ "external_id": "T1185"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--28fb8dbd-1aae-42f1-aba5-f9062e7003ee",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.269Z",
+ "modified": "2020-02-05T20:28:15.269Z",
+ "name": "Multi-hop Proxy",
+ "description": "Malware may chain together multiple proxies to disguise the source of malicious C2 traffic.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": 
"https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/multihop-proxy.md",
+ "external_id": "T1188"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1188/",
+ "external_id": "T1188"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9a5d9d87-44f6-42c5-ad27-0434a97ce7d6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.470Z",
+ "modified": "2020-02-05T20:28:15.470Z",
+ "name": "Disk Structure Wipe",
+ "description": "Disk data structures are corrupted or wiped, making the system unable to boot.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/disk-structure-wipe.md",
+ "external_id": "T1487"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1487/",
+ "external_id": "T1487"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--4f74271a-79f0-4fbc-87ee-43abd69fd74e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.328Z",
+ "modified": "2020-02-05T20:28:15.328Z",
+ "name": "Shutdown Event",
+ "description": "Malware can register the shutdown event triggered by WinLogon to allow a malicious DLL to execute every time the machine shuts down: when the machine is shutdown the malware will be loaded into memory; then it will download the 
primary malware and reinfect the machine. The malware will also lie dormant during incident reporting processes. To check whether malware has registered for login events, check the registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify. If a subkey with any name exists and it has a \"shutdown\" value then the dll in the \"DLLName\" key will be launched during the shutdown process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/shutdown-event.md",
+ "external_id": "M0035"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--0202a028-471b-47c1-9723-0457934a50f3",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.498Z",
+ "modified": "2020-02-05T20:28:15.498Z",
+ "name": "Compromise Data Integrity",
+ "description": "Data stored on the file system of a compromised system is manipulated to compromise its integrity.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/compromise-data.md",
+ "external_id": "M0016"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1492/",
+ "external_id": "T1492"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": 
"attack-pattern--787fd5df-098b-4def-a02c-b840072a2962",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.296Z",
+ "modified": "2020-02-05T20:28:15.296Z",
+ "name": "Service Execution",
+ "description": "Malware may execute code via interaction with Windows services (e.g., Service Control Manager).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/service-exe.md",
+ "external_id": "T1035"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1035",
+ "external_id": "T1035"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--f538e66c-fab9-4a8b-b547-a206e4ddfe1b",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.321Z",
+ "modified": "2020-02-05T20:28:15.321Z",
+ "name": "Create Account",
+ "description": "Malware may create a local system or domain account for persistence.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/create-account.md",
+ "external_id": "T1136"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1136",
+ "external_id": "T1136"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--552f53bd-52e8-4c09-aa98-26ca8b9ef2da",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.392Z",
+
"modified": "2020-02-05T20:28:15.392Z",
+ "name": "HISTCONTROL",
+ "description": "Malware may configure this environment variable to hide its activity.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/histcontrol.md",
+ "external_id": "T1148"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1148",
+ "external_id": "T1148"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--8bce1da7-4e1f-49f9-bafe-3fbeb32413fb",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.241Z",
+ "modified": "2020-02-05T20:28:15.241Z",
+ "name": "Multi-Stage Channels",
+ "description": "Malware may create multiple stages for command and control, making detection more difficult.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/multi-stage-channels.md",
+ "external_id": "T1104"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1104/",
+ "external_id": "T1104"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--52aeeef7-8531-4bc9-969f-274798c4cc13",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.286Z",
+ "modified": "2020-02-05T20:28:15.286Z",
+ "name": "Exploit Software",
+ "description": "Software is exploited - either because of a 
vulnerability or through its designed features - to gain access for malware. In general, exploitation may be done by a human attacker, but MBC focuses on software exploits implemented in code. Malware-specific details are below.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "impact"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/exploit-software.md",
+ "external_id": "E1203"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1203",
+ "external_id": "T1203"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "",
+ "name": "Remote Desktop Protocols (RDP)"
+ },
+ {
+ "definition": "",
+ "name": "Java-based Web Servers"
+ },
+ {
+ "definition": "",
+ "name": "File Transfer Protocol (FTP) Servers"
+ },
+ {
+ "definition": "",
+ "name": "Red Hat JBoss Enterprise Products"
+ },
+ {
+ "definition": "Use Sysinternals tools for additional command line functionality.",
+ "name": "Sysinternals"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--b4df4bd2-7208-4948-b649-7a5267f27e2e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.263Z",
+ "modified": "2020-02-05T20:28:15.263Z",
+ "name": "Remote Access Tools",
+ "description": "Malware may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+
"source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/remote-access-tools.md",
+ "external_id": "T1219"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1219/",
+ "external_id": "T1219"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--82b3164a-89f4-423b-bc38-a6d942493658",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.108Z",
+ "modified": "2020-02-05T20:28:15.108Z",
+ "name": "Pass the Hash",
+ "description": "Malware may capture valid password hashes, which are then used for authentication, enabling lateral movement.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/pass-the-hash.md",
+ "external_id": "T1075"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1075",
+ "external_id": "T1075"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3ff14e42-f7c6-4f9f-a0e1-43afcd06778f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.111Z",
+ "modified": "2020-02-05T20:28:15.111Z",
+ "name": "Replication Through Removable Media",
+ "description": "Malware may move onto systems, including air-gapped systems, by copying themselves to removable media.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": 
"https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/replicate-remove-media.md",
+ "external_id": "T1091"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1091",
+ "external_id": "T1091"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--484c88bd-1dac-4774-8411-63aaed416ac3",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.357Z",
+ "modified": "2020-02-05T20:28:15.357Z",
+ "name": "Component Object Model Hijacking",
+ "description": "Malware hijacks a component object model (COM) object to execute itself or other malicious code.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/component-hijack.md",
+ "external_id": "T1122"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1122",
+ "external_id": "T1122"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--5f63251a-e426-493e-9dd6-3b562c0e7157",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.223Z",
+ "modified": "2020-02-05T20:28:15.223Z",
+ "name": "Application Window Discovery",
+ "description": "Malware may try to get a list of open application windows.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": 
"https://github.com/MBCProject/mbc-markdown/blob/master/discovery/app-window-discover.md",
+ "external_id": "T1010"
+ },
+ {
+ "source_name": "external_source",
+ "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1010",
+ "external_id": "T1010"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--f92667e4-d874-4fee-afac-f4770cf6cede",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.228Z",
+ "modified": "2020-02-05T20:28:15.228Z",
+ "name": "Analysis Tool Discovery",
+ "description": "Malware can employ various means to detect whether analysis tools are present or running on the system on which it is executing. Note that analysis tools are used to *analyze* malware whereas security software (see [Security Software Discovery](https://github.com/MBCProject/mbc-markdown/blob/master/discovery/security-sw-discover.md)) aims to *detect/mitigate* malware on a system or network.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/analysis-tool-discover.md",
+ "external_id": "M0013"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "Malware can scan for the process name associated with common analysis tools: \n * Debuggers: OllyDBG / ImmunityDebugger / WinDbg / IDA Pro\n * SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)\n * PCAP Utilities: Wireshark / Dumpcap\n * Process Utilities: ProcessHacker / SysAnalyzer / HookExplorer / SysInspector\n * PE 
Utilities: ImportREC / PETools / LordPE\n * Sandboxes: Joe Sandbox, etc.",
+ "name": "Process detection"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--eebc4347-09b3-4871-8f16-db2e1cbfe135",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.355Z",
+ "modified": "2020-02-05T20:28:15.355Z",
+ "name": "Hidden Window",
+ "description": "Malware may use a macOS/OS X tag to prevent its application icron from appearing in the Dock to avoid detection.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/hidden-window.md",
+ "external_id": "T1143"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1143",
+ "external_id": "T1143"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--c87a9a20-73bb-4dd1-8531-2f7c246a4660",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.338Z",
+ "modified": "2020-02-05T20:28:15.338Z",
+ "name": "Exfiltration Over Alternative Protocol",
+ "description": "Malware may exfiltrate data with protocol different that the main C2 protocol or channel.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "exfiltration"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/exfil-over-alternative-protocol.md",
+ "external_id": "T1048"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1048/",
+ "external_id": "T1048"
+ }
+ ],
+ "object_marking_refs": [
+
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--1afb3ce1-57db-46ae-9c89-5b8f36011b7b",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.159Z",
+ "modified": "2020-02-05T20:28:15.159Z",
+ "name": "Call Graph Generation Evasion",
+ "description": "Malware code evades accurate call graph generation during disassembly. Call graphs are used by malware similarity tools and algorithms ([[1]](#1), [[4]](#4)), as well as for malware detection [[2]](#2).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "anti-static-analysis"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/evade-call-graph.md",
+ "external_id": "M0010"
+ },
+ {
+ "source_name": "external_source",
+ "description": "K. Blokhin, D. Mentis, J. Saxe, \"Malware Similarity Identification Using Call Graph Based System Call Subsequence Features,\" 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops, July 2013.",
+ "url": "https://www.researchgate.net/publication/269326967_Malware_Similarity_Identification_Using_Call_Graph_Based_System_Call_Subsequence_Features"
+ },
+ {
+ "source_name": "external_source",
+ "description": "P. Deshpande, M. Stamp, \"Metamorphic Malware Detection Using Function Call Graph Analysis,\" MIS Review Vol. 21, Nos. 1/2, September(2015)/March(2016).",
+ "url": "https://pdfs.semanticscholar.org/8db2/69106ea6e1f59e4dac0889665dd3336ee9b1.pdf"
+ },
+ {
+ "source_name": "external_source",
+ "url": "http://fumalwareanalysis.blogspot.com/2012/01/malware-analysis-tutorial-10-tricks-for.html"
+ },
+ {
+ "source_name": "external_source",
+ "description": "S. Shang, N. Zheng, J. Xu, M. Xu, H. 
Zhang, \"Detecting Malware Variants via Function-call Graph Similarity,\" IEEE 2010 5th International Conference on Malicious and Unwanted Software, 2010.",
+ "url": "http://seclab.hdu.edu.cn/static/uploads/paper/10-05.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_methods": [
+ {
+ "definition": "two layer jumping confuses tools plotting call graphs. [[3]](#3)",
+ "name": "Two-layer Function Return"
+ },
+ {
+ "definition": "invokes ntdll.dll functions without using an export table; an encoded translation table on the stack is used instead. [[3]](#3)",
+ "name": "Invoke NTDLL System Calls via Encoded Table"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--e7b72976-3e0e-4957-ac09-33a204c4d4b5",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.418Z",
+ "modified": "2020-02-05T20:28:15.418Z",
+ "name": "BITS Jobs",
+ "description": "Malware may abuse Windows Background Intelligent Transfer Service (BITS) to download and/or execute malicious code.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/bits-jobs.md",
+ "external_id": "T1197"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1197",
+ "external_id": "T1197"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--670148f0-5ad0-4dff-ba2a-753933c624d9",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.252Z",
+ "modified": "2020-02-05T20:28:15.252Z",
+
"name": "Standard Non-Application Layer Protocol",
+ "description": "Malware may use a standard non-application layer protocol (e.g., ICMP) because such protocols may be less commonly monitored, enabling communication to be hidden.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/std-non-app-protocol.md",
+ "external_id": "T1095"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1095/",
+ "external_id": "T1095"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--e7aa19e5-50c9-4a10-ab07-d774e2a38166",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.426Z",
+ "modified": "2020-02-05T20:28:15.426Z",
+ "name": "Configuration Modification",
+ "description": "Malware may install malicious configuration settings or may modify existing configuration settings. 
This MBC behavior extends the related ATT&CK technique to all platforms and to the Persistence objective.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/config-mod.md",
+ "external_id": "E1478"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1478",
+ "external_id": "T1478"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--9f7dd003-9dbd-4fcf-96e0-eda3246828db",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.211Z",
+ "modified": "2020-02-05T20:28:15.211Z",
+ "name": "Domain Trust Discovery",
+ "description": "Malware may attempt to gather information on domain trust relationships that might be used to identify lateral movement opportunities.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "discovery"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/domain-trust-discover.md",
+ "external_id": "T1482"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1482",
+ "external_id": "T1482"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--b7333931-5e93-46cf-ab22-c2c6ff9a8986",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.262Z",
+ "modified": "2020-02-05T20:28:15.262Z",
+ "name": "Port Knocking",
+ "description": 
"Malware may hide open ports.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "command-and-control"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/port-knocking.md",
+ "external_id": "T1205"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1205/",
+ "external_id": "T1205"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3e66b2bf-cc28-4635-ac06-4ea0f1ad8122",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.292Z",
+ "modified": "2020-02-05T20:28:15.292Z",
+ "name": "AppleScript",
+ "description": "Malware may use AppleScript for execution or lateral movement.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/applescript.md",
+ "external_id": "T1155"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1155",
+ "external_id": "T1155"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--d0bfadad-c04b-4eed-b9aa-f11d3e84bc6c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.383Z",
+ "modified": "2020-02-05T20:28:15.383Z",
+ "name": "DCShadow",
+ "description": "Malware 
may use DCShadow, a method of manipulating Active Directory (AD) data, to register a rogue domain controller, which may be able to inject and replicate changes into the AD infrastructure for any domain object (e.g., credentials and keys).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/dcshadow.md",
+ "external_id": "T1207"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1207",
+ "external_id": "T1207"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--f48a693f-aeb3-4e68-99e3-01c56e223272",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.434Z",
+ "modified": "2020-02-05T20:28:15.434Z",
+ "name": "Application Shimming",
+ "description": "Malware may use Windows Application Compatibility Infrastructure/Framework (application shim) to elevate privileges or install programs.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-mbc",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/app-shimming.md",
+ "external_id": "T1138"
+ },
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1138",
+ "external_id": "T1138"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--82e0ca52-1f6e-475f-89cf-9817a5e4cc60",
+ "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.127Z", + "modified": "2020-02-05T20:28:15.127Z", + "name": "Video Capture", + "description": "Malware captures video recordings.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/video-capture.md", + "external_id": "T1125" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1125/", + "external_id": "T1125" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--9188ea31-fa9e-4fad-949b-f705e0fabd20", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.172Z", + "modified": "2020-02-05T20:28:15.172Z", + "name": "Debugger Evasion", + "description": "Behaviors that make debugging difficult.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-debugger.md", + "external_id": "M0002" + }, + { + "source_name": "external_source", + "url": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.synack.com/2016/02/17/analyzing-the-anti-analysis-logic-of-an-adware-installer/" + }, + { + "source_name": "external_source", + "url": "http://phishme.com/dridex-code-breaking-modify-the-malware-to-bypass-the-vm-bypass/" + }, + { + "source_name": "external_source", + "url": "http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/" + }, + { + "source_name": 
"external_source", + "url": "http://unprotect.tdgt.org/index.php/Unprotect_Project" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Block interrupt (via hooking) 1 and/or 3 to prevent debuggers from working.", + "name": "Block Interrupts" + }, + { + "definition": "Intentionally clearing software or hardware breakpoints.", + "name": "Break Point Clearing" + }, + { + "definition": "Move or copy the first bytes / instructions of the original code elsewhere. AKA stolen bytes or code splicing. For example, a packer may incorporate the first few instructions of the original EntryPoint (EP) into its unpacking stub before the tail transition in order to confuse automated unpackers and novice analysts. This can make it harder for rebuilding and may bypass breakpoints if set prematurely.", + "name": "Byte Stealing" + }, + { + "definition": "Changinging this value during run time can prevent some debuggers from attaching. Also confuses some unpackers and dumpers.", + "name": "Change SizeOfImage" + }, + { + "definition": "Check that the unpacking code is unmodified. 
Variation exists where unpacking code is part of the \"key\" used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.", + "name": "Code Integrity Check" + }, + { + "definition": "Using exception handling (SEH) to cause flow of program to non-obvious paths.", + "name": "Exception Misdirection" + }, + { + "definition": "CALL to a POP; finds base of code or data, often the packed version of the code; also used often in obfuscated/packed shellcode.", + "name": "Get Base Indirectly" + }, + { + "definition": "Encrypt blocks of code individually and decrypt temporarily only upon execution.", + "name": "Guard Pages" + }, + { + "definition": "modification of interrupt vector or descriptor tables.", + "name": "Hook Interrupt" + }, + { + "definition": "Add obfuscation between imports calls and APIs.", + "name": "Import Obfuscation" + }, + { + "definition": "variation of static linking where full API code inserted everywhere it would have been called.", + "name": "Inlining" + }, + { + "definition": "Use SEH or other methods to break out of a loop instead of a conditional jump.", + "name": "Loop Escapes" + }, + { + "definition": "Instead of unpacking into a pre-defined section/segment (ex: .text) of the binary, use malloc() / VirtualAlloc() to create a new segment. 
This makes keeping track of memory locations across different runs more difficult, as there is no guarantee that malloc/VirtualAlloc will assign the same address range each time.", + "name": "Malloc Use" + }, + { + "definition": "Any part of the header is changed or erased.", + "name": "Modify PE Header" + }, + { + "definition": "int3 with code replacement table; debugs itself.", + "name": "Nanomites" + }, + { + "definition": "LoadLibrary API calls or direct access of kernel32 via PEB (fs[0]) pointers, used to rebuild IAT or just obfuscate library use.", + "name": "Obfuscate Library Use" + }, + { + "definition": "Use several parallel threads to make analysis harder.", + "name": "Parallel Threads" + }, + { + "definition": "Take advantage of pipelining in modern processors to misdirect debugging, emulation, or static analysis tools. An unpacker can assume a certain number of opcodes will be cached and then proceed to overwrite them in memory, causing a debugger/emulator/analyzer to follow different code than is normally executed.", + "name": "Pipeline Misdirection" + }, + { + "definition": "Prevents debugger from attaching to process or to break until after the code of interest has been executed", + "name": "Pre-Debug" + }, + { + "definition": "relocate API code in separate buffer (calls don’t lead to imported DLLs).", + "name": "Relocate API Code" + }, + { + "definition": "Overwrite the RET address on the stack or the code at the RET address. 
Variation seen that writes to the start-up code or main module that called the malware's WinMain or DllMain.", + "name": "Return Obfuscation" + }, + { + "definition": "Calling RtlAdjustPrivilege to either prevent a debugger from attaching or to detect if a debugger is attached.", + "name": "RtlAdjustPrivilege" + }, + { + "definition": "Some analysis tools cannot handle binaries with misaligned sections.", + "name": "Section Misalignment" + }, + { + "definition": "Debug itself to prevent another debugger to be attached.", + "name": "Self-Debugging" + }, + { + "definition": "UnmapViewOfFile() on itself", + "name": "Self-Unmapping" + }, + { + "definition": "Copy locally the whole content of API code.", + "name": "Static Linking" + }, + { + "definition": "A variation of \"byte stealing\" where the first few instructions or bytes of an API are executed in user code, allowing the IAT to point into the middle of an API function. This confuses IAT rebuilders such as ImpRec and Scylla and may bypass breakpoints.", + "name": "Stolen API Code" + }, + { + "definition": "Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.).", + "name": "Tampering" + }, + { + "definition": "Setting dwMilliseconds in WaitForSingleObject to a small number will timeout the thread before the analyst can step through and analyze the code executing in the thread. 
Modifying this via patch, register, or stack to the value `0xFFFFFFFF`, the **INFINITE** constant circumvents this anti-debugging technique.", + "name": "Thread Timeout" + }, + { + "definition": "The unpacking code relies on use of int 1 or int 3, or it uses the interrupt vector table as part of the decryption \"key\".", + "name": "Use Interrupts" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--71c969b3-1c87-4c02-aa1b-56d111547b1a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.227Z", + "modified": "2020-02-05T20:28:15.227Z", + "name": "Network Sniffing", + "description": "Malware captures information sent over a wired or wireless connection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/network-sniff.md", + "external_id": "T1040" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1040/", + "external_id": "T1040" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.288Z", + "modified": "2020-02-05T20:28:15.288Z", + "name": "Command-Line Interface", + "description": "Malware may use command-line interfaces to execute programs on a system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "execution" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/command-line.md", + 
"external_id": "T1059" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1059", + "external_id": "T1059" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--af19022e-d8be-4cd2-a4b6-fb1c3a6a0f13", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.195Z", + "modified": "2020-02-05T20:28:15.195Z", + "name": "Capture Evasion", + "description": "Malware has characteristics enabling it to evade capture from the infected system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "anti-behavioral-analysis" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/evade-capture.md", + "external_id": "M0036" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Malware is never written to disk (e.g., RAT plugins received from the controller are never written to disk).", + "name": "Memory-only Payload" + }, + { + "definition": "Decryption key is stored external to the executable or never touches the disk.", + "name": "Encrypted Payloads" + }, + { + "definition": "Multiple stages of loaders are used with an encoded payload.", + "name": "Multiple Stages of Loaders" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--db4db0bf-8914-4cf2-b128-6fc458eceef0", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.131Z", + "modified": "2020-02-05T20:28:15.131Z", + "name": "Audio Capture", + "description": "Malware leverages 
system's peripheral devices to capture audio.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "collection" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/audio-capture.md", + "external_id": "T1123" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1123/", + "external_id": "T1123" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7d617afd-819d-4588-9b22-38470d5b338c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.480Z", + "modified": "2020-02-05T20:28:15.480Z", + "name": "Denial of Service", + "description": "Malware may make a network unavailable, for example, by launching a network-based denial of service (DoS) attack.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/denial-of-service.md", + "external_id": "M0033" + }, + { + "source_name": "external_source", + "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1498/", + "external_id": "T1498" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--425dafb4-d71e-4c13-b900-b93c4316d07f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.461Z", + "modified": "2020-02-05T20:28:15.461Z", + "name": "Private Keys", + "description": "Malware may gather private keys from compromised 
systems.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "credential-access" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/private-keys.md", + "external_id": "T1145" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1145/", + "external_id": "T1145" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.487Z", + "modified": "2020-02-05T20:28:15.487Z", + "name": "Manipulate Network Traffic", + "description": "Malware intercepts and manipulates network traffic, typically accessing or modifying data, going to or originating from the system on which the malware instance is executing. 
Also known as a Man-in-the-Middle attack.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/manipulate-network-traffic.md", + "external_id": "M0019" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1493/", + "external_id": "T1493" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.314Z", + "modified": "2020-02-05T20:28:15.314Z", + "name": "Registry Run Keys / Startup Folder", + "description": "Malware may add an entry to the Windows Registry run keys or startup folder to enable persistence.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/registry-run-startup.md", + "external_id": "E1060" + }, + { + "source_name": "external_source", + "url": "https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1060", + "external_id": "T1060" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": 
"attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--c63442e8-94ac-422a-af1a-f51279f2c9ae", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.327Z", + "modified": "2020-02-05T20:28:15.327Z", + "name": "Shortcut Modification", + "description": "Malware may use shortcuts or symbolic links to open files or execute programs.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/shortcut-mod.md", + "external_id": "T1023" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1023/", + "external_id": "T1023" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.463Z", + "modified": "2020-02-05T20:28:15.463Z", + "name": "Remote Access", + "description": "Malware may provide an attacker with potentially full access to a system via a remote network connection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/remote-access.md", + "external_id": "M0022" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Remote_access_trojan" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/DarkComet" + } + ], + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "x_mitre_methods": [ + { + "definition": "Malware may create a reverse shell. For example, malware can invoke cmd.exe and create three pipes (stdin, stdout, stderr) to forward data between cmd.exe and an adversary.", + "name": "Reverse Shell" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--278e7645-17ac-4bd3-9849-56060cab2e81", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.486Z", + "modified": "2020-02-05T20:28:15.486Z", + "name": "Destroy Hardware", + "description": "Destroys a physical piece of hardware. For example, malware may cause hardware to overheat.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/destroy-hardware.md", + "external_id": "M0017" + }, + { + "source_name": "external_source", + "url": "https://www.bbc.com/timelines/zc6fbk7" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--068759bf-7db6-431f-aeeb-01f6034eae22", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.349Z", + "modified": "2020-02-05T20:28:15.349Z", + "name": "Indirect Command Execution", + "description": "Malware may may use Windows utilities to execute commands.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/indirect-command.md", + "external_id": "T1202" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1202", 
+ "external_id": "T1202" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--d21cffb9-b381-47f4-9428-950873cccf21", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.324Z", + "modified": "2020-02-05T20:28:15.324Z", + "name": "Backdoor", + "description": "Malware achieves persistence via a backdoor. Installation of a backdoor is covered by the [Remote Access](https://github.com/MBCProject/mbc-markdown/blob/master/impact/remote-access.md) under the [Impact](https://github.com/MBCProject/mbc-markdown/tree/master/impact) objective.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/backdoor.md", + "external_id": "M0037" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--a483c23a-a85a-4068-a570-8fc45493e2bc", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.363Z", + "modified": "2020-02-05T20:28:15.363Z", + "name": "Access Token Manipulation", + "description": "Malware manipulates access tokens to make a running process appear as thought it belongs to someone other than the user who started the process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/access-token.md", + "external_id": "T1134" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1134", + "external_id": 
"T1134" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.245Z", + "modified": "2020-02-05T20:28:15.245Z", + "name": "Remote File Copy", + "description": "Malware may copy files from one system to another.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/remote-file-copy.md", + "external_id": "E1105" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1105/", + "external_id": "T1105" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--db081b29-8422-45c1-a622-a5405fe78a58", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.330Z", + "modified": "2020-02-05T20:28:15.330Z", + "name": "Modify Existing Service", + "description": "Malware may modify an existing service to gain persistence. 
Modification may include disabling a service.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "persistence" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/modify-service.md", + "external_id": "E1031" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1031", + "external_id": "T1031" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--568d881b-70b4-4b37-97ba-045c34335b1f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.373Z", + "modified": "2020-02-05T20:28:15.373Z", + "name": "Install Root Certificate", + "description": "Malware may install a root certificate to avoid warning prompts during certificate-enabled connections.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "defense-evasion" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/install-root-cert.md", + "external_id": "T1130" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1130", + "external_id": "T1130" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--748576ac-427c-460a-98fd-ab14c2b4f65a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.484Z", + "modified": "2020-02-05T20:28:15.484Z", + "name": "Data Destruction", + "description": "Data, system files, or other files 
are destroyed. Individual files are selected, as opposed to wiping an entire sector.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "impact" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/data-destruction.md", + "external_id": "E1485" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1485/", + "external_id": "T1485" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1447/", + "external_id": "T1447" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--869a8bc4-8a40-470c-8a6b-35d80635bd09", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.210Z", + "modified": "2020-02-05T20:28:15.210Z", + "name": "Device Type Discovery", + "description": "Android malware may get device type information through the android.os.Build class.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "discovery" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/device-type-discover.md", + "external_id": "T1419" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1419", + "external_id": "T1419" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--9c2ea49a-ea29-47b4-acca-087733a71b2c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:15.250Z", + "modified": "2020-02-05T20:28:15.250Z", + "name": "Data Encoding", + "description": "Malware encodes its command and control 
information using a standard system such as Unicode, Base64, etc.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mbc", + "phase_name": "command-and-control" + } + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/data-encode.md", + "external_id": "T1132" + }, + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1132/", + "external_id": "T1132" + } + ], + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-01-01T00:00:00.000Z", + "spec_version": "2.1", + "description": "The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "mbc", + "url": "https://github.com/MBCProject" + } + ], + "id": "x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6", + "modified": "2020-01-01T00:00:00.000Z", + "name": "MBC", + "tactic_refs": [ + "x-mitre-tactic--97051199-043f-4e26-b548-beeccdd7be3e", + "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828", + "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343", + "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153", + "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e", + "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa", + "x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589", + "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b", + "x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906", + "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a", + "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2", + "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3", + "x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898", + 
"x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6" + ], + "type": "x-mitre-matrix", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--eee42dbc-18ca-4db7-9115-672245d8893d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.155Z", + "modified": "2020-02-05T20:28:16.155Z", + "name": "GotBotKR", + "description": "Modified version of a publicly available backdoor name GoBot2. Modifications are mainly evasion techniques specific to South Korea.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/gotbotkr.md", + "external_id": "X0027" + }, + { + "source_name": "external_source", + "url": "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2019" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.148Z", + "modified": "2020-02-05T20:28:16.148Z", + "name": "WebCobra", + "description": "Cryptojacking malware.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/webcobra.md", + "external_id": "X0023" + }, + { + "source_name": "external_source", + "url": 
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" + }, + { + "source_name": "external_source", + "url": "https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/#16f5542cc336" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2018" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.176Z", + "modified": "2020-02-05T20:28:16.176Z", + "name": "Locky Bart", + "description": "Locky Bart is ransomware.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/locky-bart.md", + "external_id": "X0011" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2017" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--8e60252b-1708-4809-8384-ca8937936aff", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.175Z", + "modified": "2020-02-05T20:28:16.175Z", + "name": "Bagle", + "description": "A mass-mailing computer worm affecting Microsoft Windows.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/bagle.md", + 
"external_id": "X0001" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_bagle.u" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2004" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.165Z", + "modified": "2020-02-05T20:28:16.165Z", + "name": "Conficker", + "description": "A worm targeting Microsoft Windows operations systems.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/conficker.md", + "external_id": "X0003" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Conficker" + }, + { + "source_name": "external_source", + "url": "http://www.csl.sri.com/users/vinod/papers/Conficker/" + } + ], + "x_mitre_aliases": [ + "Downup", + "Downadup", + "Kido" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2008" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.151Z", + "modified": "2020-02-05T20:28:16.151Z", + "name": "DNSChanger", + "description": "Used to change DNS settings to generate fraudulent advertising revenue.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/dnschanger.md", + "external_id": "X0005" + }, + { + "source_name": "external_source", + "url": "https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2011" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.156Z", + "modified": "2020-02-05T20:28:16.156Z", + "name": "Redhip", + "description": "An information stealer.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/redhip.md", + "external_id": "X0015" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2011" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--0823d7b2-2870-4bb8-9818-a31108708c93", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.174Z", + "modified": "2020-02-05T20:28:16.174Z", + "name": "Terminator", + "description": "A remote access tool (RAT).", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/terminator.md", + "external_id": "X0021" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2013" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--a8688d54-9b39-4fad-bff9-b7bf8c5c146f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.168Z", + "modified": "2020-02-05T20:28:16.168Z", + "name": "Stuxnet", + "description": "A malicious worm targeting SCADA systems.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/stuxnet.md", + "external_id": "X0019" + }, + { + "source_name": "external_source", + "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf" + }, + { + "source_name": "external_source", + "url": "https://www.bbc.com/timelines/zc6fbk7" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/Stuxnet" + } + ], + "x_mitre_aliases": [ + "Rootkit.Tmphider", + "W32.Temphid" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2010" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--2106d331-215f-45ce-8899-3c11a4c47a8c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.159Z", + "modified": "2020-02-05T20:28:16.159Z", + "name": "YiSpecter", + "description": "YiSpecter is Apple iOS malware that can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ 
execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to a C2 server. It uses tricks to hide its icons from iOS’s SpringBoard, which prevents the user from finding and deleting it. The components also use the same name and logos of system apps to trick iOS power users.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/yispecter.md", + "external_id": "X0024" + }, + { + "source_name": "external_source", + "url": "http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "x_mitre_platform": [ + "iOS" + ], + "x_mitre_year": "2015" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--ab86ee1d-8789-4357-aff2-d6fec9434952", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.164Z", + "modified": "2020-02-05T20:28:16.164Z", + "name": "SYNful Knock", + "description": "A modification of the router's firmware images used to maintain persistence.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/synful-knock.md", + "external_id": "X0020" + }, + { + "source_name": "external_source", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html" + } + ], + "x_mitre_platform": [ + "Cisco" + ], + "x_mitre_year": "2015" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--dc90c5ae-c90c-4733-a9c4-c3a2a6bea3e1", + 
"created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.150Z", + "modified": "2020-02-05T20:28:16.150Z", + "name": "BlackEnergy", + "description": "An HTTP-based botnet used mostly for DDoS attacks.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/blackenergy.md", + "external_id": "X0002" + }, + { + "source_name": "external_source", + "url": "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2007" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--9168de31-46b0-4c9f-9e20-77e77e78a0ab", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.154Z", + "modified": "2020-02-05T20:28:16.154Z", + "name": "Geneio", + "description": "Geneio is a byproduct of the DYLD_PRINT_TIFILE vulnerability. 
Geneio can gain access to the MAC Keychain and persist until removed by the user.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/geneio.md", + "external_id": "X0007" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/" + }, + { + "source_name": "external_source", + "url": "https://support.norton.com/sp/en/us/home/current/solutions/v103415336_EndUserProfile_en_us" + }, + { + "source_name": "external_source", + "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99" + } + ], + "x_mitre_platform": [ + "OS X" + ], + "x_mitre_year": "2015" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--682044ae-1d33-445d-80d1-d923fade2663", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.157Z", + "modified": "2020-02-05T20:28:16.157Z", + "name": "Shamoon", + "description": "Data wiping malware.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/shamoon.md", + "external_id": "X0018" + }, + { + "source_name": "external_source", + "url": "http://www.darkreading.com/attacks-breaches/disk-wiping-shamoon-malware-resurfaces-with-file-erasing-malware-in-tow/d/d-id/1333509" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2012" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--a0008d7c-30f1-43f7-a798-50552e1fa282", + "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.153Z", + "modified": "2020-02-05T20:28:16.153Z", + "name": "UP007 Malware Family", + "description": "Description.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/up007.md", + "external_id": "X0011" + }, + { + "source_name": "external_source", + "url": "https://citizenlab.ca/2016/04/between-hong-kong-and-burma/" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2016" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.163Z", + "modified": "2020-02-05T20:28:16.163Z", + "name": "Kraken", + "description": "A family of bots.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/kraken.md", + "external_id": "X0010" + }, + { + "source_name": "external_source", + "url": "http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html" + } + ], + "x_mitre_aliases": [ + "Bobax" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2008" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.161Z", + "modified": "2020-02-05T20:28:16.161Z", + "name": "Poison-Ivy", + "description": "Remote Access Trojan (RAT).", + "malware_types": [ + "unknown" + ], + "is_family": 
true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/poison-ivy.md", + "external_id": "X0014" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2005" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.170Z", + "modified": "2020-02-05T20:28:16.170Z", + "name": "Kovter", + "description": "A trojan that performs click-fraud.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/kovter.md", + "external_id": "X0009" + }, + { + "source_name": "external_source", + "url": "https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2016" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--8d5ffd62-8943-4426-8191-f66ab5881da8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.167Z", + "modified": "2020-02-05T20:28:16.167Z", + "name": "Ursnif", + "description": "A banking trojan that uses malware macros to evade sandbox detection. 
Variant of Gozi.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/ursnif.md", + "external_id": "X0022" + }, + { + "source_name": "external_source", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" + } + ], + "x_mitre_aliases": [ + "Dreambot", + "Gozi" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2016" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--1114f1d1-94fb-4499-b1b3-980de47dbd11", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.178Z", + "modified": "2020-02-05T20:28:16.178Z", + "name": "Hupigon", + "description": "A family of backdoors.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/hupigon.md", + "external_id": "X0008" + }, + { + "source_name": "external_source", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON" + } + ], + "x_mitre_aliases": [ + "Delf", + "Emerleox", + "Logsnif", + "Graybird", + "Pcclient" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2013" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.152Z", + "modified": "2020-02-05T20:28:16.152Z", + "name": "TrickBot", + "description": "Trojan spyware program that has mainly been used for targeting banking sites. 
TrickBot is written in the C++ programming language.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/trickbot.md", + "external_id": "X0025" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2016" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--19f41321-fc57-475f-b7d5-ef5285f4b489", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.172Z", + "modified": "2020-02-05T20:28:16.172Z", + "name": "MazarBot", + "description": "Targets Android phones via a poisoned text message.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/mazarbot.md", + "external_id": "X0012" + }, + { + "source_name": "external_source", + "url": "https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html" + }, + { + "source_name": "external_source", + "url": "https://www.player.one/new-android-sms-malware-can-completely-own-your-phone-just-one-text-how-avoid-mazar-512363" + } + ], + "x_mitre_platform": [ + "Android" + ], + "x_mitre_year": "2016" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--f79355e1-6d17-4d9a-83f7-6d3a985bddb4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.149Z", + "modified": "2020-02-05T20:28:16.149Z", + "name": "SearchAwesome", + "description": "Adware that intercepts encrypted web traffic to inject ads.", + "malware_types": [ + "unknown" + ], + "is_family": true, 
+ "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/searchawesome.md", + "external_id": "X0017" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/" + } + ], + "x_mitre_platform": [ + "Mac OSX" + ], + "x_mitre_year": "2018" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.173Z", + "modified": "2020-02-05T20:28:16.173Z", + "name": "Mebromi", + "description": "A BIOS bootkit.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/mebromi.md", + "external_id": "X0013" + }, + { + "source_name": "external_source", + "url": "https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2011" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--92c8c384-839c-40a2-b58d-3af2ee3f1938", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.145Z", + "modified": "2020-02-05T20:28:16.145Z", + "name": "Gamut", + "description": "A spamming botnet.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/gamut.md", + "external_id": "X0006" + }, + { + "source_name": "external_source", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/" + } + ], + "x_mitre_aliases": [ + "Bobax" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2014" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--1d8cb82f-6d6c-4726-aa93-e2a84e3e644e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.160Z", + "modified": "2020-02-05T20:28:16.160Z", + "name": "SamSam", + "description": "Ransomware.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/samsam.md", + "external_id": "X0016" + }, + { + "source_name": "external_source", + "url": "https://www.us-cert.gov/ncas/alerts/AA18-337A" + }, + { + "source_name": "external_source", + "url": "https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/" + } + ], + "x_mitre_aliases": [ + "MSIL/Samas.A", + "Samas", + "Samsa" + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2015" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--7d15a1bf-98dc-4da5-9867-15cba30ed3cc", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.169Z", + "modified": "2020-02-05T20:28:16.169Z", + "name": "Heriplor Trojan", + "description": "This Trojan is associated with the Energetic Bear group [[1]](#1).", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": 
"https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/heriplor.md", + "external_id": "X0025" + }, + { + "source_name": "external_source", + "url": "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2012-2019" + }, + { + "type": "malware", + "spec_version": "2.1", + "id": "malware--b3fd453e-0c69-46ab-9138-e8eca8585173", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.146Z", + "modified": "2020-02-05T20:28:16.146Z", + "name": "Dark Comet", + "description": "A Remote Access Trojan (RAT) that allows a user to control the system via a GUI. It has many features which allows a user to use it as administrative remote help tool; however, DarkComet has many features which can be used maliciously. DarkComet is commonly used to spy on the victims by taking screen captures, key-logging, or password stealing.", + "malware_types": [ + "unknown" + ], + "is_family": true, + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ], + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/xample-malware/dark-comet.md", + "external_id": "X0004" + }, + { + "source_name": "external_source", + "url": "https://en.wikipedia.org/wiki/DarkComet" + } + ], + "x_mitre_platform": [ + "Windows" + ], + "x_mitre_year": "2008" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--943fd319-6d73-41b0-a01f-b45474c5be87", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.263Z", + "modified": "2020-02-05T20:28:16.263Z", + "relationship_type": "uses", + "description": "An MBR bootkit and a BIOS bootkit targeting Award BIOS.", + "source_ref": "malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1", + "target_ref": 
"attack-pattern--e9f0d1de-13f3-499a-a0ee-32fe37912720", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--0838a352-fc2b-4276-b695-d1a1d0a47b75", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.261Z", + "modified": "2020-02-05T20:28:16.261Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--3fea9f25-65a5-4bc3-924d-34a3f310f722", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.259Z", + "modified": "2020-02-05T20:28:16.259Z", + "relationship_type": "uses", + "description": "After the Poison-Ivy server is running on the target machine, the attacker uses a Windows GUI client to control the target computer.", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--e21d1d26-eade-424b-a7ac-f720826591df", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.258Z", + "modified": "2020-02-05T20:28:16.258Z", + "relationship_type": "uses", + "description": "Redhip detects all publicly available automated malware analysis workbenches (ThreatExpert, JoeBox, etc.).", + "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27", + "target_ref": "attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2", + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--6cfc5694-2afb-4727-9af1-3bdf4688947e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.261Z",
+ "modified": "2020-02-05T20:28:16.261Z",
+ "relationship_type": "uses",
+ "description": "Uses a domain name generator.",
+ "source_ref": "malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf",
+ "target_ref": "attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--80a8579e-8f8a-45f1-b745-6254f77b1a8b",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Conficker A has routine that causes the process to suicide if the keyboard language layout is set to Ukrainian.",
+ "source_ref": "malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed",
+ "target_ref": "attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--1b7ca247-1884-4cc7-88cf-3569d401b335",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.260Z",
+ "modified": "2020-02-05T20:28:16.260Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--db081b29-8422-45c1-a622-a5405fe78a58",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b7bcccb7-045a-4b97-9b07-f63afb868095",
+ "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Modification of the router's firmware image that can be used to maintain persistence within a victim's network.",
+ "source_ref": "malware--ab86ee1d-8789-4357-aff2-d6fec9434952",
+ "target_ref": "attack-pattern--cec46ca6-08c3-46d6-b37f-92c50fe689bb",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8d7e7aeb-c462-4051-aff0-4f526ccfa699",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8dece164-935e-4939-9fbe-483f3baedc4a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.261Z",
+ "modified": "2020-02-05T20:28:16.261Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8fce710f-5023-4a45-ac3a-c4ace1c7d0dd",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": 
"attack-pattern--fbe0f011-0dbb-4a6e-a860-32120311f74b",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--9b7fde5e-600c-4214-9714-1247c4ea5260",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "description": "Prevents the infected system from installing anti-virus software updates.",
+ "source_ref": "malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c",
+ "target_ref": "attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--3ccc155b-01ca-4b82-aece-60801b8c42c4",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.255Z",
+ "modified": "2020-02-05T20:28:16.255Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--b8f24e74-d267-4783-be19-13cb060aaa2d",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--7c232b17-6421-4459-bbca-410f7660a760",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Uses API Hashing Method.",
+ "source_ref": "malware--7d15a1bf-98dc-4da5-9867-15cba30ed3cc",
+ "target_ref": "attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": 
"relationship--f5d16822-4a48-4d9c-944e-67ef45a59d48",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Stores malware files in the Registry instead of the hard drive.",
+ "source_ref": "malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1",
+ "target_ref": "attack-pattern--ca41dedd-dddb-45bb-bbf7-ef5a17b1b4f5",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--31972647-852d-41bc-951c-5063826362b7",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.255Z",
+ "modified": "2020-02-05T20:28:16.255Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--97175b7c-fb76-4aa4-bcbf-89c5ab1d44b9",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "description": "Launches distributed denial of service attacks that can target more than one IP address per hostname.",
+ "source_ref": "malware--dc90c5ae-c90c-4733-a9c4-c3a2a6bea3e1",
+ "target_ref": "attack-pattern--7d617afd-819d-4588-9b22-38470d5b338c",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--3707f258-e5c2-4cf0-90ec-19fb4baf018c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.256Z",
+ "modified": 
"2020-02-05T20:28:16.256Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--abc3029d-06b2-4048-a14d-2ef0a1bf8ea3",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "description": "Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs.",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b7947355-7dfc-4ef4-9f62-efb0c755a48f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.256Z",
+ "modified": "2020-02-05T20:28:16.256Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--c376d9bb-5e45-42f5-95ce-b57d6ce417b8",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--6b15a47c-add7-407e-866c-455b82eb5206",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.256Z",
+ "modified": "2020-02-05T20:28:16.256Z",
+ "relationship_type": "uses",
+ "source_ref": 
"malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b43c677a-dd98-4545-8e4e-118ae78050ff",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.257Z",
+ "modified": "2020-02-05T20:28:16.257Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--3d70b808-f176-4620-aa53-fcc439081994",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.259Z",
+ "modified": "2020-02-05T20:28:16.259Z",
+ "relationship_type": "uses",
+ "description": "Can download and install arbitrary iOS apps.",
+ "source_ref": "malware--2106d331-215f-45ce-8899-3c11a4c47a8c",
+ "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--679a082a-d6b4-4478-a4d5-1a8dc972b211",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.264Z",
+ "modified": "2020-02-05T20:28:16.264Z",
+ "relationship_type": "uses",
+ "description": "Gathers information from the victim's machine to create an encryption key.",
+ "source_ref": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06",
+ "target_ref": "attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": 
"relationship",
+ "spec_version": "2.1",
+ "id": "relationship--a7588119-f565-4489-9512-db956975c1f5",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--4799cdef-cff0-476b-adaa-685b8277ef7c",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--2972cdc6-b3ca-4e3e-83e4-13dd1bf87b26",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.260Z",
+ "modified": "2020-02-05T20:28:16.260Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--dbd0c7c0-889e-4742-9f47-793d7ece67dc",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e1580aaa-d87b-4528-bcd6-148cf44bdb8f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.261Z",
+ "modified": "2020-02-05T20:28:16.261Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": 
"attack-pattern--5e8c37e7-530d-4da6-a520-83a39fc52d7a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e28f5300-c580-49dd-99fb-cd32aaf69be8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.263Z",
+ "modified": "2020-02-05T20:28:16.263Z",
+ "relationship_type": "uses",
+ "description": "Sets \"2019\" as Windows' startup folder by modifying a registry value.",
+ "source_ref": "malware--0823d7b2-2870-4bb8-9818-a31108708c93",
+ "target_ref": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--fde7d5f5-6e64-469f-a3d0-5f06e337374a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.264Z",
+ "modified": "2020-02-05T20:28:16.264Z",
+ "relationship_type": "uses",
+ "description": "The malicious executable deletes itself after it has dropped other executable files.",
+ "source_ref": "malware--0823d7b2-2870-4bb8-9818-a31108708c93",
+ "target_ref": "attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--ac6d1a10-221a-49aa-9f6a-84a528d565d1",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.256Z",
+ "modified": "2020-02-05T20:28:16.256Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--1c4e8b61-bdb4-4ff5-bbf2-10dda4b276da",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ 
"spec_version": "2.1",
+ "id": "relationship--b082f098-c65c-433d-a9f1-6634c2a07f57",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--6c58676d-57be-4bbc-a9b2-54a11098ca12",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--39372d95-3507-4917-ae07-6275ee827aba",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.264Z",
+ "modified": "2020-02-05T20:28:16.264Z",
+ "relationship_type": "uses",
+ "description": "Bagle uses its own SMTP engine to mass-mail itself as an attachment from an infected computer.",
+ "source_ref": "malware--8e60252b-1708-4809-8384-ca8937936aff",
+ "target_ref": "attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--bfec970e-c03a-4732-857b-e636c78d01e0",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "description": "Injects miner code into a running process.",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--f74ca922-715f-431d-a2c8-f22d299306aa",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.255Z",
+ "modified": 
"2020-02-05T20:28:16.255Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--5b129221-9159-488d-8460-c966b836328f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "description": "Alters DNS server settings to route to a rogue DNS server for the purpose of click hijacking.",
+ "source_ref": "malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c",
+ "target_ref": "attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8358a935-9460-42a9-bfbc-31653fb1a3e5",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.255Z",
+ "modified": "2020-02-05T20:28:16.255Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--19965f2f-3091-4611-b5da-4f5351319b63",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--2b7bf5d7-79d6-4ba8-a1dc-ac58cc738c90",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.259Z",
+ "modified": "2020-02-05T20:28:16.259Z",
+ "relationship_type": "uses",
+ "description": "A 2018 variant includes a component that erases files and then wipes the master boot record, preventing file recovery.",
+ "source_ref": "malware--682044ae-1d33-445d-80d1-d923fade2663",
+ "target_ref": 
"attack-pattern--748576ac-427c-460a-98fd-ab14c2b4f65a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--ad5b898c-6553-46a7-99dc-f51dcdef9b45",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.250Z",
+ "modified": "2020-02-05T20:28:16.250Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--0d5cdb32-036b-4814-8d02-11f4f352a41b",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.263Z",
+ "modified": "2020-02-05T20:28:16.263Z",
+ "relationship_type": "uses",
+ "description": "Performs click-fraud.",
+ "source_ref": "malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1",
+ "target_ref": "attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--1a213e38-6637-4d70-996c-0d25fe9e265c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.259Z",
+ "modified": "2020-02-05T20:28:16.259Z",
+ "relationship_type": "uses",
+ "description": "SamSam is ransomware.",
+ "source_ref": "malware--1d8cb82f-6d6c-4726-aa93-e2a84e3e644e",
+ "target_ref": "attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b28c0897-acb5-4205-8210-eb7c1d420789",
+ "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--8f470860-de90-44e9-b88f-4b188918bb7c",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--928e6604-a7d3-436c-a7fe-97f1ca278a5d",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.260Z",
+ "modified": "2020-02-05T20:28:16.260Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--893190c4-3228-4d10-854b-cd8469fb9172",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--1e87f811-e730-4637-a3f8-a67371159204",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.261Z",
+ "modified": "2020-02-05T20:28:16.261Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--fabff5fa-5d64-4167-9f95-6e25c35002ff",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b2442af2-272c-42e5-94b6-ac52bbbd1a5c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.259Z",
+ "modified": "2020-02-05T20:28:16.259Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--5f63251a-e426-493e-9dd6-3b562c0e7157",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ 
},
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--00861a6a-98ef-40f5-9924-c94c7c5da687",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.257Z",
+ "modified": "2020-02-05T20:28:16.257Z",
+ "relationship_type": "uses",
+ "description": "GotBotKR installs two instances of itself.",
+ "source_ref": "malware--eee42dbc-18ca-4db7-9115-672245d8893d",
+ "target_ref": "attack-pattern--f42d3d87-e374-4114-bc93-a52cae45e3d0",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--461ef403-0bd0-49cd-88bc-5bfc426e6b23",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Stuxnet made the centrifuges at Iran's nuclear plant spin dangerously fast for 15 minutes, before returning to normal speed. About a month later, it slowed the centrifuges down for 50 minutes. 
This was repeated for several months, and over time the strain destroyed the machines.",
+ "source_ref": "malware--a8688d54-9b39-4fad-bff9-b7bf8c5c146f",
+ "target_ref": "attack-pattern--278e7645-17ac-4bd3-9849-56060cab2e81",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--08df9329-0616-4d5d-a3fb-841d730e9dda",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.263Z",
+ "modified": "2020-02-05T20:28:16.263Z",
+ "relationship_type": "uses",
+ "description": "A Trojan downloader.",
+ "source_ref": "malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1",
+ "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--416b4a88-11a1-4632-941b-ade357252d0d",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.255Z",
+ "modified": "2020-02-05T20:28:16.255Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--a867e78a-e15d-40be-9cf1-6f746531eb44",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "description": "Executes differently depending on whether it's running on an x86 or x64 system.",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be",
+ "object_marking_refs": [ 
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--d4df8105-8510-4675-a9c8-bbcd6bbacd53",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--baaa5c93-f948-4e2c-81ca-6f33a86409c3",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "description": "Intercepts encrypted web traffic to inject adds.",
+ "source_ref": "malware--f79355e1-6d17-4d9a-83f7-6d3a985bddb4",
+ "target_ref": "attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--cb13515b-a198-41ab-ac0b-8be56c0f099f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.264Z",
+ "modified": "2020-02-05T20:28:16.264Z",
+ "relationship_type": "uses",
+ "description": "Code virtualization is added to the Locky Bart binary using WPProtect.",
+ "source_ref": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06",
+ "target_ref": "attack-pattern--5a7483f3-b636-4f12-8925-21be3e0f3676",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e2aff5f4-7996-4332-b538-2b936ac8f229",
+ "created_by_ref": 
"identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--a49e3ab1-4f38-49b4-8bb2-5bf5778ae503",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--1b4fce12-c45c-4fab-bfb7-0be41a5bf1b9",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.258Z",
+ "modified": "2020-02-05T20:28:16.258Z",
+ "relationship_type": "uses",
+ "description": "Redhip detects VMWare, Virtual PC and Virtual Box. It also detects VM environments in general by considering timing lapses.",
+ "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27",
+ "target_ref": "attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--de086192-07b7-4aa9-a479-c1098d63d9ed",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.254Z",
+ "modified": "2020-02-05T20:28:16.254Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--1dd10259-f49a-4d1a-b62f-6de3835552c4",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.257Z",
+ "modified": "2020-02-05T20:28:16.257Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": 
"attack-pattern--929e0835-9197-42d0-9a00-95b7b4e13dcb",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--44515a0f-4716-40ef-b5d5-177849ce6987",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "description": "Learns about security software.",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--03b4fd1e-96db-4c28-b9c7-18ef0510c129",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--9277a5c2-8988-46dc-87d2-20359be28def",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.254Z",
+ "modified": "2020-02-05T20:28:16.254Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--4ced5121-d085-49b3-b6ab-311ca722b46a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.254Z",
+ "modified": "2020-02-05T20:28:16.254Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--4b89d6b6-fd08-4b39-bb01-b472ae95b93d",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e1f2529b-4a72-460e-b1a7-3fb7852b99e7",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ 
"created": "2020-02-05T20:28:16.251Z", + "modified": "2020-02-05T20:28:16.251Z", + "relationship_type": "uses", + "description": "Drops software that mines for cryptocurrency: Cryptonight or Claymore's Zcash miner, depending on system architecture.", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--422b0025-9286-4a11-812d-5494dab28d9a", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--8ce0a9c1-7392-4877-b6ed-6023f0dcacec", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.253Z", + "modified": "2020-02-05T20:28:16.253Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--731ecd6a-9782-4272-84f3-f4d5ff3732e0", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--464326e8-1ec2-425b-9557-bd00281078d6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.254Z", + "modified": "2020-02-05T20:28:16.254Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--37e2cfce-37c2-4a5a-a98e-3bf5b4cd9db6", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--9ff32dae-46f3-4061-82b9-e7197b4ae30d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.259Z", + "modified": "2020-02-05T20:28:16.259Z", + "relationship_type": "uses", + "description": "Redhip samples are packed with different custom packers.", + "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27", + 
"target_ref": "attack-pattern--fb7a6e89-4943-47a3-980f-d22c9f394d40", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--0a294da3-8126-46ed-8d67-c8a900292db6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.250Z", + "modified": "2020-02-05T20:28:16.250Z", + "relationship_type": "uses", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--76c22659-341c-4ef5-9dd9-dee2d9f9b96a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.250Z", + "modified": "2020-02-05T20:28:16.250Z", + "relationship_type": "uses", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--a1f1b921-b815-4311-93c2-6c98a333fd5d", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--0271a731-326d-4b76-a995-452be084fc08", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.261Z", + "modified": "2020-02-05T20:28:16.261Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2a8e2dc1-0eec-478f-b471-3dfb2c13251b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.257Z", 
+ "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "description": "GotBotKR monitors whether the first instance is still active.", + "source_ref": "malware--eee42dbc-18ca-4db7-9115-672245d8893d", + "target_ref": "attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--4d63f713-2d38-40c3-a744-bd12bbd8499b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.260Z", + "modified": "2020-02-05T20:28:16.260Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--90c677fd-2dab-4eda-9b84-d8028de953de", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.260Z", + "modified": "2020-02-05T20:28:16.260Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--182afaab-258e-4066-b106-3403de92e242", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.255Z", + "modified": "2020-02-05T20:28:16.255Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + 
"type": "relationship", + "spec_version": "2.1", + "id": "relationship--913ac448-0c3d-4856-90a4-6273865eb381", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.263Z", + "modified": "2020-02-05T20:28:16.263Z", + "relationship_type": "uses", + "description": "Intercepts data coming into and going out of device.", + "source_ref": "malware--19f41321-fc57-475f-b7d5-ef5285f4b489", + "target_ref": "attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--3c6be01e-c2de-4835-b120-59da1e07d50e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.263Z", + "modified": "2020-02-05T20:28:16.263Z", + "relationship_type": "uses", + "description": "Installs a backdoor.", + "source_ref": "malware--19f41321-fc57-475f-b7d5-ef5285f4b489", + "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--126606a9-73e6-4a96-8088-d571c892d327", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.264Z", + "modified": "2020-02-05T20:28:16.264Z", + "relationship_type": "uses", + "description": "Gathers information from the victim's machine to create an encryption key.", + "source_ref": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06", + "target_ref": "attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--5b69f0d0-62e7-4f27-acce-41d1d0ed417c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + 
"created": "2020-02-05T20:28:16.257Z", + "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "source_ref": "malware--a0008d7c-30f1-43f7-a798-50552e1fa282", + "target_ref": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--b53918d6-524a-408a-b79f-ccd56bd6950e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.254Z", + "modified": "2020-02-05T20:28:16.254Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--b176779c-a4df-49a4-993e-e424a114b73a", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--9ea77314-a832-4920-9716-35381b728892", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.254Z", + "modified": "2020-02-05T20:28:16.254Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--510fcbf4-e832-43d7-8628-26724bdc4539", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.257Z", + "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "description": "GotBotKR reinstalls its running instance if it is removed.", + "source_ref": "malware--eee42dbc-18ca-4db7-9115-672245d8893d", + "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--f758c224-450b-42b0-b54a-d0d4dcb41ac6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.263Z", + "modified": "2020-02-05T20:28:16.263Z", + "relationship_type": "uses", + "description": "The Terminator rat evades a sandbox by not executing until after a reboot. Most sandboxes don't reboot during an analysis.", + "source_ref": "malware--0823d7b2-2870-4bb8-9818-a31108708c93", + "target_ref": "attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--5f9c9726-82c0-4876-937d-52e66ef739db", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.252Z", + "modified": "2020-02-05T20:28:16.252Z", + "relationship_type": "uses", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--643e9a29-3802-4725-8fd8-ebd05f804502", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.264Z", + "modified": "2020-02-05T20:28:16.264Z", + "relationship_type": "uses", + "description": "Encrypts files for ransom without any connection to the Internet.", + "source_ref": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06", + "target_ref": "attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": 
"relationship--41619001-1af7-4b97-babd-9c21c827e1d2", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.250Z", + "modified": "2020-02-05T20:28:16.250Z", + "relationship_type": "uses", + "description": "Learns about the system so it can drop compatible miner software.", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2d589d43-d781-43ae-853a-7a04078f4160", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.260Z", + "modified": "2020-02-05T20:28:16.260Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--4c235631-ef76-4afc-9386-e1d9be003c44", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--64c5969c-f0b7-4d5e-97e5-a0ba0d9eb235", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.251Z", + "modified": "2020-02-05T20:28:16.251Z", + "relationship_type": "uses", + "description": "Downloads and executes Claymore's Zcash miner from a remote server.", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--70293730-edee-424a-aaaf-19f18a2ebd02", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.260Z", + "modified": "2020-02-05T20:28:16.260Z", + 
"relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--101d8709-b8d4-4604-a835-b122f1ecb227", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--ec166b67-9034-406a-9df3-cc026fa58801", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.254Z", + "modified": "2020-02-05T20:28:16.254Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1712108b-3fb2-4c60-a384-6386ba7022bb", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.250Z", + "modified": "2020-02-05T20:28:16.250Z", + "relationship_type": "uses", + "description": "Allows an attacker to control the system via a GUI.", + "source_ref": "malware--b3fd453e-0c69-46ab-9138-e8eca8585173", + "target_ref": "attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--29b956ba-bbd9-4f8b-b695-52e25c9ea4cf", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.255Z", + "modified": "2020-02-05T20:28:16.255Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + 
"id": "relationship--a9c1d8df-3732-4e6e-a7bf-6be0821fae73", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.258Z", + "modified": "2020-02-05T20:28:16.258Z", + "relationship_type": "uses", + "description": "Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFICE.", + "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27", + "target_ref": "attack-pattern--9188ea31-fa9e-4fad-949b-f705e0fabd20", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--941e3c16-3412-46d6-86e1-55372dbc3fcd", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.261Z", + "modified": "2020-02-05T20:28:16.261Z", + "relationship_type": "uses", + "description": "Dumping Kraken's c.dll module from the heap of its own process is tricky because its PE-header is wiped out.", + "source_ref": "malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf", + "target_ref": "attack-pattern--ebf911df-6135-42a8-a9f5-76676f546d4a", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--80dcb928-b50d-4ee7-8c26-369660f041de", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.251Z", + "modified": "2020-02-05T20:28:16.251Z", + "relationship_type": "uses", + "description": "From the command line, drops and unzips a password-protected Cabinet archive file.", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + 
"type": "relationship", + "spec_version": "2.1", + "id": "relationship--5efcecab-ca74-4c8f-a884-68f8709b072b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.261Z", + "modified": "2020-02-05T20:28:16.261Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6dfe86f6-1818-4108-aca9-e49c819192b4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.260Z", + "modified": "2020-02-05T20:28:16.260Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6a361003-f6c0-430e-8db6-5f8f2ac422ee", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.257Z", + "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "description": "Geneio installs the browser extension *~/Library/Safari/Extensions/Omnibar.safariextz*. 
It also creates the app files listed in the description above.", + "source_ref": "malware--9168de31-46b0-4c9f-9e20-77e77e78a0ab", + "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6108db13-e957-41b2-a22c-c1abf26df815", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.265Z", + "modified": "2020-02-05T20:28:16.265Z", + "relationship_type": "uses", + "description": "Hupigon drops the file \"Systen.dll\" and adds the registry entry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\BITS DllName = \"%System%\\Systen.dll\".", + "source_ref": "malware--1114f1d1-94fb-4499-b1b3-980de47dbd11", + "target_ref": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--a3218798-6c62-458a-8f6b-0fcd127ca4e8", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.257Z", + "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--2f098b48-391a-4869-acba-b10ba07a4522", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--4438daa4-c88a-40ba-92e3-d80343538108", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.264Z", + "modified": "2020-02-05T20:28:16.264Z", + "relationship_type": "uses", + "description": "Some variants look for an unnamed mutex to ensure only one copy of itself is running on a 
system.", + "source_ref": "malware--8e60252b-1708-4809-8384-ca8937936aff", + "target_ref": "attack-pattern--1ab23a6a-e131-4321-be30-7f3f3861dac0", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2bfea226-1e7f-452b-ac36-8a26d7750c44", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.253Z", + "modified": "2020-02-05T20:28:16.253Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--a02e6e5e-2750-4ec8-af17-90088bb8f961", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--57a27587-537b-48d4-ace1-dc1d07321776", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.256Z", + "modified": "2020-02-05T20:28:16.256Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--daaf4264-4102-4737-a69a-d68e315479ac", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.250Z", + "modified": "2020-02-05T20:28:16.250Z", + "relationship_type": "uses", + "description": "Gamut probes the infected system's SMTP port 25 by sending a test SMTP transaction to mail.ru and hotmail.com. 
If port 25 is open, the bot requests the spam template and email list, which it uses to send spam.", + "source_ref": "malware--92c8c384-839c-40a2-b58d-3af2ee3f1938", + "target_ref": "attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6c01abcc-9ec4-4294-b39b-c3aad259c796", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.252Z", + "modified": "2020-02-05T20:28:16.252Z", + "relationship_type": "uses", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--12a31d2d-43a3-4be5-8506-f33663f8779f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.262Z", + "modified": "2020-02-05T20:28:16.262Z", + "relationship_type": "uses", + "description": "Ursnif uses malware macros to evade sandbox detection.", + "source_ref": "malware--8d5ffd62-8943-4426-8191-f66ab5881da8", + "target_ref": "attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1b3ebeae-0af7-4fa9-b6b3-21def04888a4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.256Z", + "modified": "2020-02-05T20:28:16.256Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--3681ae81-1115-418d-a4f7-b6240b602852", + "object_marking_refs": [ + 
"marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--0b197be9-3d5f-4637-ba41-f0e340e89c2c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.254Z", + "modified": "2020-02-05T20:28:16.254Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--9f7dd003-9dbd-4fcf-96e0-eda3246828db", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--03ea3cb9-b2c8-4b14-a2e2-eb0c0a49703b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.258Z", + "modified": "2020-02-05T20:28:16.258Z", + "relationship_type": "uses", + "description": "Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFICE.", + "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27", + "target_ref": "attack-pattern--7178682e-9591-4ebe-a24e-25b7b2ee07a5", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--b7c12079-a65e-4901-8849-59f138da35e6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.262Z", + "modified": "2020-02-05T20:28:16.262Z", + "relationship_type": "uses", + "description": "Uses a domain name generator.", + "source_ref": "malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed", + "target_ref": "attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": 
"relationship--53a75251-5474-4d56-bc67-116adc9cf33b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.256Z", + "modified": "2020-02-05T20:28:16.256Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--a03b6507-fed8-416a-8425-0761f5f7f754", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "type": "marking-definition", + "spec_version": "2.1", + "id": "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3", + "created": "2020-01-01T00:00:00.000Z", + "definition_type": "statement", + "definition": { + "statement": "Copyright (c) 2020, The MITRE Corporation. All rights reserved." + } + }, + { + "created": "2020-02-05T20:28:15.056Z", + "spec_version": "2.1", + "description": "Behaviors that enable propagation through a compromised system or infected files. The malware may move actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email).", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9011", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/README.md" + } + ], + "id": "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828", + "modified": "2020-02-05T20:28:15.056Z", + "name": "Lateral Movement", + "type": "x-mitre-tactic", + "x_mitre_shortname": "lateral-movement", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.054Z", + "spec_version": "2.1", + "description": "The following malware behaviors have been theorized. Proof-of-concept code has been created for some, but there are no in-the-wild examples of the behavior. 
Therefore, they are not appropriate for inclusion in the MBC.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/theoretical-behaviors/README.md" + } + ], + "id": "x-mitre-tactic--97051199-043f-4e26-b548-beeccdd7be3e", + "modified": "2020-02-05T20:28:15.054Z", + "name": "Theoretical Behaviors", + "type": "x-mitre-tactic", + "x_mitre_shortname": "theoretical-behaviors", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.074Z", + "spec_version": "2.1", + "description": "Behaviors to obtain credential access, allowing it or its underlying threat actor to assume control of an account, with the associated system and network permissions.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9005", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/README.md" + } + ], + "id": "x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898", + "modified": "2020-02-05T20:28:15.074Z", + "name": "Credential Access", + "type": "x-mitre-tactic", + "x_mitre_shortname": "credential-access", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.064Z", + "spec_version": "2.1", + "description": "Behaviors malware may use to communicate with systems under its control within a target network. There are many ways malware can establish command and control with various levels of covertness, depending on system configuration and network topology. 
Behaviors may relate to C2 servers or a bot that is part of a botnet.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9004", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/README.md" + } + ], + "id": "x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589", + "modified": "2020-02-05T20:28:15.064Z", + "name": "Command and Control", + "type": "x-mitre-tactic", + "x_mitre_shortname": "command-and-control", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.062Z", + "spec_version": "2.1", + "description": "Behaviors that aim to gain knowledge about the system and internal network.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9007", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/README.md" + } + ], + "id": "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa", + "modified": "2020-02-05T20:28:15.062Z", + "name": "Discovery", + "type": "x-mitre-tactic", + "x_mitre_shortname": "discovery", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.068Z", + "spec_version": "2.1", + "description": "Behaviors that steal data from the system on which it executes. 
This includes stored data (e.g., files) as well as data input into applications (e.g., web browser).", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9010", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/README.md" + } + ], + "id": "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a", + "modified": "2020-02-05T20:28:15.068Z", + "name": "Exfiltration", + "type": "x-mitre-tactic", + "x_mitre_shortname": "exfiltration", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.072Z", + "spec_version": "2.1", + "description": "Behaviors that aim to obtain a higher level of permission.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9013", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/README.md" + } + ], + "id": "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3", + "modified": "2020-02-05T20:28:15.072Z", + "name": "Privilege Escalation", + "type": "x-mitre-tactic", + "x_mitre_shortname": "privilege-escalation", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.071Z", + "spec_version": "2.1", + "description": "Behaviors that evade detection or avoid other defenses.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9006", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/README.md" + } + ], + "id": "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2", + "modified": "2020-02-05T20:28:15.071Z", + "name": "Defense Evasion", + "type": "x-mitre-tactic", + "x_mitre_shortname": "defense-evasion", + 
"object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.067Z", + "spec_version": "2.1", + "description": "Malware aims to remain on a system regardless of system events.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9012", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/README.md" + } + ], + "id": "x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906", + "modified": "2020-02-05T20:28:15.067Z", + "name": "Persistence", + "type": "x-mitre-tactic", + "x_mitre_shortname": "persistence", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.065Z", + "spec_version": "2.1", + "description": "Behaviors that execute code on a system to achieve a variety of goals.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9009", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/README.md" + } + ], + "id": "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b", + "modified": "2020-02-05T20:28:15.065Z", + "name": "Execution", + "type": "x-mitre-tactic", + "x_mitre_shortname": "execution", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.061Z", + "spec_version": "2.1", + "description": "Behaviors that prevent, obstruct, or evade behavioral analysis (sandbox, debugger, etc). Because the underlying methods differ, separate \"detection\" and \"evasion\" behaviors are defined for some anti-behavioral analysis areas (e.g., anti-debugger). 
\n\nTwo primary resources for anti-behavioral analysis behaviors are [[1]](#1) and [[2]](#2).", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "external_source", + "description": "Unprotect Project, a database about malware self-defense and protection.", + "url": "http://unprotect.tdgt.org/index.php/Unprotect_Project" + }, + { + "source_name": "external_source", + "description": "InDepthUnpacking, course content for teaching malware anti-analysis techniques and mitigations, with emphasis on packers.", + "url": "https://github.com/knowmalware/InDepthUnpacking" + }, + { + "source_name": "mitre-mbc", + "external_id": "M9001", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/README.md" + } + ], + "id": "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e", + "modified": "2020-02-05T20:28:15.061Z", + "name": "Anti-Behavioral Analysis", + "type": "x-mitre-tactic", + "x_mitre_shortname": "anti-behavioral-analysis", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.058Z", + "spec_version": "2.1", + "description": "Behaviors that identify and gather information, such as sensitive files, from a target network prior to exfiltration. 
This objective includes locations on a system or network where the malware may look for information to exfiltrate.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9003", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/README.md" + } + ], + "id": "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343", + "modified": "2020-02-05T20:28:15.058Z", + "name": "Collection", + "type": "x-mitre-tactic", + "x_mitre_shortname": "collection", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.060Z", + "spec_version": "2.1", + "description": "Behaviors and code characteristics that prevent static analysis or make it more difficult. Simple static analysis identifies features such as embedded strings, header information, hash values, and file metadata (e.g., creation date). More involved static analysis involves the disassembly of the binary code.\n\nTwo primary resources for anti-static analysis behaviors are [[1]](#1) and [[2]](#2).", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "external_source", + "description": "Unprotect Project, a database about malware self-defense and protection.", + "url": "http://unprotect.tdgt.org/index.php/Unprotect_Project" + }, + { + "source_name": "external_source", + "description": "InDepthUnpacking, course content for teaching malware anti-analysis techniques and mitigations, with emphasis on packers.", + "url": "https://github.com/knowmalware/InDepthUnpacking" + }, + { + "source_name": "mitre-mbc", + "external_id": "M9002", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/README.md" + } + ], + "id": "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153", + "modified": "2020-02-05T20:28:15.060Z", + "name": "Anti-Static 
Analysis", + "type": "x-mitre-tactic", + "x_mitre_shortname": "anti-static-analysis", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + }, + { + "created": "2020-02-05T20:28:15.076Z", + "spec_version": "2.1", + "description": "Behaviors that enable malware to achieve its mission of manipulating, interrupting, or destroying systems and/or data.", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "external_references": [ + { + "source_name": "mitre-mbc", + "external_id": "M9008", + "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/README.md" + } + ], + "id": "x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6", + "modified": "2020-02-05T20:28:15.076Z", + "name": "Impact", + "type": "x-mitre-tactic", + "x_mitre_shortname": "impact", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--00861a6a-98ef-40f5-9924-c94c7c5da687.json b/relationship/relationship--00861a6a-98ef-40f5-9924-c94c7c5da687.json new file mode 100644 index 00000000..f1f68c2c --- /dev/null +++ b/relationship/relationship--00861a6a-98ef-40f5-9924-c94c7c5da687.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--21ac54d6-2229-47b3-b8ad-7a0717bb7584", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--00861a6a-98ef-40f5-9924-c94c7c5da687", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.257Z", + "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "description": "GotBotKR installs two instances of itself.", + "source_ref": "malware--eee42dbc-18ca-4db7-9115-672245d8893d", + "target_ref": "attack-pattern--f42d3d87-e374-4114-bc93-a52cae45e3d0", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--0271a731-326d-4b76-a995-452be084fc08.json b/relationship/relationship--0271a731-326d-4b76-a995-452be084fc08.json new file mode 100644 index 00000000..2ca27e65 --- /dev/null +++ b/relationship/relationship--0271a731-326d-4b76-a995-452be084fc08.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--323b740e-9dc8-405f-8148-18516a69e828", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--0271a731-326d-4b76-a995-452be084fc08", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.261Z", + "modified": "2020-02-05T20:28:16.261Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--03ea3cb9-b2c8-4b14-a2e2-eb0c0a49703b.json b/relationship/relationship--03ea3cb9-b2c8-4b14-a2e2-eb0c0a49703b.json new file mode 100644 index 00000000..7bab896a --- /dev/null +++ b/relationship/relationship--03ea3cb9-b2c8-4b14-a2e2-eb0c0a49703b.json 
@@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--3e46ac45-83b6-47a8-a671-d584a3dc96e9", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--03ea3cb9-b2c8-4b14-a2e2-eb0c0a49703b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.258Z", + "modified": "2020-02-05T20:28:16.258Z", + "relationship_type": "uses", + "description": "Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFICE.", + "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27", + "target_ref": "attack-pattern--7178682e-9591-4ebe-a24e-25b7b2ee07a5", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--0838a352-fc2b-4276-b695-d1a1d0a47b75.json b/relationship/relationship--0838a352-fc2b-4276-b695-d1a1d0a47b75.json new file mode 100644 index 00000000..53916e2a --- /dev/null +++ b/relationship/relationship--0838a352-fc2b-4276-b695-d1a1d0a47b75.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--41d00905-ae8f-43b4-bd24-276585a152a8", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--0838a352-fc2b-4276-b695-d1a1d0a47b75", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.261Z", + "modified": "2020-02-05T20:28:16.261Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--08df9329-0616-4d5d-a3fb-841d730e9dda.json b/relationship/relationship--08df9329-0616-4d5d-a3fb-841d730e9dda.json new file mode 100644 index 00000000..bdad69ab --- /dev/null +++ b/relationship/relationship--08df9329-0616-4d5d-a3fb-841d730e9dda.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--cbdfe9fc-c930-4ae1-af24-2feffe5c0a37", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--08df9329-0616-4d5d-a3fb-841d730e9dda", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.263Z", + "modified": "2020-02-05T20:28:16.263Z", + "relationship_type": "uses", + "description": "A Trojan downloader.", + "source_ref": "malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1", + "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--0a294da3-8126-46ed-8d67-c8a900292db6.json b/relationship/relationship--0a294da3-8126-46ed-8d67-c8a900292db6.json new file mode 100644 index 00000000..41317006 --- /dev/null +++ b/relationship/relationship--0a294da3-8126-46ed-8d67-c8a900292db6.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--b441ff2d-27ff-410a-8710-1535e54113f6", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--0a294da3-8126-46ed-8d67-c8a900292db6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.250Z", + "modified": "2020-02-05T20:28:16.250Z", + "relationship_type": "uses", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--0b197be9-3d5f-4637-ba41-f0e340e89c2c.json b/relationship/relationship--0b197be9-3d5f-4637-ba41-f0e340e89c2c.json new file mode 100644 index 00000000..0c79e2c1 --- /dev/null +++ b/relationship/relationship--0b197be9-3d5f-4637-ba41-f0e340e89c2c.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--b88af701-3bf5-4be7-99cf-83a77a848d42", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--0b197be9-3d5f-4637-ba41-f0e340e89c2c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.254Z", + "modified": "2020-02-05T20:28:16.254Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--9f7dd003-9dbd-4fcf-96e0-eda3246828db", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--0d5cdb32-036b-4814-8d02-11f4f352a41b.json b/relationship/relationship--0d5cdb32-036b-4814-8d02-11f4f352a41b.json new file mode 100644 index 00000000..af8ad315 --- /dev/null +++ b/relationship/relationship--0d5cdb32-036b-4814-8d02-11f4f352a41b.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--aa76f708-07c0-4b40-94a0-ef2e1568b3b9", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--0d5cdb32-036b-4814-8d02-11f4f352a41b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.263Z", + "modified": "2020-02-05T20:28:16.263Z", + "relationship_type": "uses", + "description": "Performs click-fraud.", + "source_ref": "malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1", + "target_ref": "attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--126606a9-73e6-4a96-8088-d571c892d327.json b/relationship/relationship--126606a9-73e6-4a96-8088-d571c892d327.json new file mode 100644 index 00000000..b3ae3bc8 --- /dev/null +++ b/relationship/relationship--126606a9-73e6-4a96-8088-d571c892d327.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--6e8499b2-097c-4ccf-bb3a-f62d142e623d", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--126606a9-73e6-4a96-8088-d571c892d327", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.264Z", + "modified": "2020-02-05T20:28:16.264Z", + "relationship_type": "uses", + "description": "Gathers information from the victim's machine to create an encryption key.", + "source_ref": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06", + "target_ref": "attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--12a31d2d-43a3-4be5-8506-f33663f8779f.json b/relationship/relationship--12a31d2d-43a3-4be5-8506-f33663f8779f.json new file mode 100644 index 00000000..bc5e45f4 --- /dev/null +++ b/relationship/relationship--12a31d2d-43a3-4be5-8506-f33663f8779f.json 
@@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--0a4d966c-823c-46b2-a93c-ff56adf48ac7", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--12a31d2d-43a3-4be5-8506-f33663f8779f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.262Z", + "modified": "2020-02-05T20:28:16.262Z", + "relationship_type": "uses", + "description": "Ursnif uses malware macros to evade sandbox detection.", + "source_ref": "malware--8d5ffd62-8943-4426-8191-f66ab5881da8", + "target_ref": "attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--1712108b-3fb2-4c60-a384-6386ba7022bb.json b/relationship/relationship--1712108b-3fb2-4c60-a384-6386ba7022bb.json new file mode 100644 index 00000000..eb8676a9 --- /dev/null +++ b/relationship/relationship--1712108b-3fb2-4c60-a384-6386ba7022bb.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--864174f1-853a-403b-b298-507bc31b035f", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1712108b-3fb2-4c60-a384-6386ba7022bb", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.250Z", + "modified": "2020-02-05T20:28:16.250Z", + "relationship_type": "uses", + "description": "Allows an attacker to control the system via a GUI.", + "source_ref": "malware--b3fd453e-0c69-46ab-9138-e8eca8585173", + "target_ref": "attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--182afaab-258e-4066-b106-3403de92e242.json b/relationship/relationship--182afaab-258e-4066-b106-3403de92e242.json new file mode 100644 index 00000000..107e36d6 
--- /dev/null +++ b/relationship/relationship--182afaab-258e-4066-b106-3403de92e242.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--682c1f53-01ea-4f54-978f-0979bf395113", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--182afaab-258e-4066-b106-3403de92e242", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.255Z", + "modified": "2020-02-05T20:28:16.255Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--1a213e38-6637-4d70-996c-0d25fe9e265c.json b/relationship/relationship--1a213e38-6637-4d70-996c-0d25fe9e265c.json new file mode 100644 index 00000000..3d9914d0 --- /dev/null +++ b/relationship/relationship--1a213e38-6637-4d70-996c-0d25fe9e265c.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--954e3179-e55f-42fe-96ee-7bd842491f09", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1a213e38-6637-4d70-996c-0d25fe9e265c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.259Z", + "modified": "2020-02-05T20:28:16.259Z", + "relationship_type": "uses", + "description": "SamSam is ransomware.", + "source_ref": "malware--1d8cb82f-6d6c-4726-aa93-e2a84e3e644e", + "target_ref": "attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--1b3ebeae-0af7-4fa9-b6b3-21def04888a4.json b/relationship/relationship--1b3ebeae-0af7-4fa9-b6b3-21def04888a4.json new file mode 100644 index 00000000..e7049cae --- /dev/null 
+++ b/relationship/relationship--1b3ebeae-0af7-4fa9-b6b3-21def04888a4.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--0b9fd75e-82df-4280-ab65-1c411b9c3d2b", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1b3ebeae-0af7-4fa9-b6b3-21def04888a4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.256Z", + "modified": "2020-02-05T20:28:16.256Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--3681ae81-1115-418d-a4f7-b6240b602852", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--1b4fce12-c45c-4fab-bfb7-0be41a5bf1b9.json b/relationship/relationship--1b4fce12-c45c-4fab-bfb7-0be41a5bf1b9.json new file mode 100644 index 00000000..2c33c499 --- /dev/null +++ b/relationship/relationship--1b4fce12-c45c-4fab-bfb7-0be41a5bf1b9.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--e532c9ec-126e-4307-9f19-4553466393bb", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1b4fce12-c45c-4fab-bfb7-0be41a5bf1b9", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.258Z", + "modified": "2020-02-05T20:28:16.258Z", + "relationship_type": "uses", + "description": "Redhip detects VMWare, Virtual PC and Virtual Box. It also detects VM environments in general by considering timing lapses.", + "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27", + "target_ref": "attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--1b7ca247-1884-4cc7-88cf-3569d401b335.json b/relationship/relationship--1b7ca247-1884-4cc7-88cf-3569d401b335.json new file mode 100644 index 00000000..5cbc8e37 --- /dev/null +++ b/relationship/relationship--1b7ca247-1884-4cc7-88cf-3569d401b335.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--f3617de1-a467-482b-b93a-c063bfd2bc55", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1b7ca247-1884-4cc7-88cf-3569d401b335", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.260Z", + "modified": "2020-02-05T20:28:16.260Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--db081b29-8422-45c1-a622-a5405fe78a58", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--1dd10259-f49a-4d1a-b62f-6de3835552c4.json b/relationship/relationship--1dd10259-f49a-4d1a-b62f-6de3835552c4.json new file mode 100644 index 00000000..399f75a8 --- /dev/null +++ b/relationship/relationship--1dd10259-f49a-4d1a-b62f-6de3835552c4.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--22e40c5c-a576-4a85-a79c-30afd316a230", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1dd10259-f49a-4d1a-b62f-6de3835552c4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.257Z", + "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--929e0835-9197-42d0-9a00-95b7b4e13dcb", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--1e87f811-e730-4637-a3f8-a67371159204.json b/relationship/relationship--1e87f811-e730-4637-a3f8-a67371159204.json new file mode 100644 index 00000000..bb8aa3bf --- /dev/null +++ b/relationship/relationship--1e87f811-e730-4637-a3f8-a67371159204.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--f6f96ecc-91de-481f-90e7-d517f146403b", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1e87f811-e730-4637-a3f8-a67371159204", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.261Z", + "modified": "2020-02-05T20:28:16.261Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--fabff5fa-5d64-4167-9f95-6e25c35002ff", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--2972cdc6-b3ca-4e3e-83e4-13dd1bf87b26.json b/relationship/relationship--2972cdc6-b3ca-4e3e-83e4-13dd1bf87b26.json new file mode 100644 index 00000000..6e83a5bc --- /dev/null +++ b/relationship/relationship--2972cdc6-b3ca-4e3e-83e4-13dd1bf87b26.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--e9e931cd-af44-48a9-aa97-085fee2545ff", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2972cdc6-b3ca-4e3e-83e4-13dd1bf87b26", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.260Z", + "modified": "2020-02-05T20:28:16.260Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--29b956ba-bbd9-4f8b-b695-52e25c9ea4cf.json b/relationship/relationship--29b956ba-bbd9-4f8b-b695-52e25c9ea4cf.json new file mode 100644 index 00000000..02edbee4 --- /dev/null +++ b/relationship/relationship--29b956ba-bbd9-4f8b-b695-52e25c9ea4cf.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--cac42550-4b6f-4e40-badf-b4f536ef5680", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--29b956ba-bbd9-4f8b-b695-52e25c9ea4cf", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.255Z", + "modified": "2020-02-05T20:28:16.255Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--2a8e2dc1-0eec-478f-b471-3dfb2c13251b.json b/relationship/relationship--2a8e2dc1-0eec-478f-b471-3dfb2c13251b.json new file mode 100644 index 00000000..48b2f515 --- /dev/null +++ b/relationship/relationship--2a8e2dc1-0eec-478f-b471-3dfb2c13251b.json 
@@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--809b1fc6-0f82-47ca-bc93-42dfde17ec06", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2a8e2dc1-0eec-478f-b471-3dfb2c13251b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.257Z", + "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "description": "GotBotKR monitors whether the first instance is still active.", + "source_ref": "malware--eee42dbc-18ca-4db7-9115-672245d8893d", + "target_ref": "attack-pattern--f54dfa9e-e208-4695-81e8-478d887dba7c", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--2b7bf5d7-79d6-4ba8-a1dc-ac58cc738c90.json b/relationship/relationship--2b7bf5d7-79d6-4ba8-a1dc-ac58cc738c90.json new file mode 100644 index 00000000..032a999f --- /dev/null +++ b/relationship/relationship--2b7bf5d7-79d6-4ba8-a1dc-ac58cc738c90.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--82caa671-eb68-47f1-8658-ad65eb7a93ec", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2b7bf5d7-79d6-4ba8-a1dc-ac58cc738c90", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.259Z", + "modified": "2020-02-05T20:28:16.259Z", + "relationship_type": "uses", + "description": "A 2018 variant includes a component that erases files and then wipes the master boot record, preventing file recovery.", + "source_ref": "malware--682044ae-1d33-445d-80d1-d923fade2663", + "target_ref": "attack-pattern--748576ac-427c-460a-98fd-ab14c2b4f65a", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--2bfea226-1e7f-452b-ac36-8a26d7750c44.json b/relationship/relationship--2bfea226-1e7f-452b-ac36-8a26d7750c44.json new file mode 100644 index 00000000..f83eb953 --- /dev/null +++ b/relationship/relationship--2bfea226-1e7f-452b-ac36-8a26d7750c44.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--a945038a-5a63-40fc-8468-8c52463ad234", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2bfea226-1e7f-452b-ac36-8a26d7750c44", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.253Z", + "modified": "2020-02-05T20:28:16.253Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--a02e6e5e-2750-4ec8-af17-90088bb8f961", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--2d589d43-d781-43ae-853a-7a04078f4160.json b/relationship/relationship--2d589d43-d781-43ae-853a-7a04078f4160.json new file mode 100644 index 00000000..53795a78 --- /dev/null +++ b/relationship/relationship--2d589d43-d781-43ae-853a-7a04078f4160.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--374420b8-4ea0-4785-b4e9-4de964b0f80f", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2d589d43-d781-43ae-853a-7a04078f4160", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.260Z", + "modified": "2020-02-05T20:28:16.260Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--4c235631-ef76-4afc-9386-e1d9be003c44", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--31972647-852d-41bc-951c-5063826362b7.json b/relationship/relationship--31972647-852d-41bc-951c-5063826362b7.json new file mode 100644 index 00000000..9f334147 --- /dev/null +++ b/relationship/relationship--31972647-852d-41bc-951c-5063826362b7.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--53203939-7ec3-43dd-a1e3-c09c5e5e8cde", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--31972647-852d-41bc-951c-5063826362b7", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.255Z", + "modified": "2020-02-05T20:28:16.255Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--3707f258-e5c2-4cf0-90ec-19fb4baf018c.json b/relationship/relationship--3707f258-e5c2-4cf0-90ec-19fb4baf018c.json new file mode 100644 index 00000000..4932f4d5 --- /dev/null +++ b/relationship/relationship--3707f258-e5c2-4cf0-90ec-19fb4baf018c.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--2af5ab41-092d-41a3-ab12-ede57eebd500", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--3707f258-e5c2-4cf0-90ec-19fb4baf018c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.256Z", + "modified": "2020-02-05T20:28:16.256Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--39372d95-3507-4917-ae07-6275ee827aba.json b/relationship/relationship--39372d95-3507-4917-ae07-6275ee827aba.json new file mode 100644 index 00000000..32b39087 --- /dev/null +++ b/relationship/relationship--39372d95-3507-4917-ae07-6275ee827aba.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--a8aec901-b636-47c8-90bd-16bfccd213af", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--39372d95-3507-4917-ae07-6275ee827aba", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.264Z", + "modified": "2020-02-05T20:28:16.264Z", + "relationship_type": "uses", + "description": "Bagle uses its own SMTP engine to mass-mail itself as an attachment from an infected computer.", + "source_ref": "malware--8e60252b-1708-4809-8384-ca8937936aff", + "target_ref": "attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--3c6be01e-c2de-4835-b120-59da1e07d50e.json b/relationship/relationship--3c6be01e-c2de-4835-b120-59da1e07d50e.json new file mode 100644 index 00000000..e9421d85 --- /dev/null +++ b/relationship/relationship--3c6be01e-c2de-4835-b120-59da1e07d50e.json 
@@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--4bac9046-28c0-4d2c-8b92-0d984aa3c476", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--3c6be01e-c2de-4835-b120-59da1e07d50e", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.263Z", + "modified": "2020-02-05T20:28:16.263Z", + "relationship_type": "uses", + "description": "Installs a backdoor.", + "source_ref": "malware--19f41321-fc57-475f-b7d5-ef5285f4b489", + "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--3ccc155b-01ca-4b82-aece-60801b8c42c4.json b/relationship/relationship--3ccc155b-01ca-4b82-aece-60801b8c42c4.json new file mode 100644 index 00000000..d3ee8c53 --- /dev/null +++ b/relationship/relationship--3ccc155b-01ca-4b82-aece-60801b8c42c4.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--4b90e501-101a-4028-be5b-8ff9aa56e0e6", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--3ccc155b-01ca-4b82-aece-60801b8c42c4", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.255Z", + "modified": "2020-02-05T20:28:16.255Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--b8f24e74-d267-4783-be19-13cb060aaa2d", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--3d70b808-f176-4620-aa53-fcc439081994.json b/relationship/relationship--3d70b808-f176-4620-aa53-fcc439081994.json new file mode 100644 index 00000000..d42d2725 --- /dev/null +++ b/relationship/relationship--3d70b808-f176-4620-aa53-fcc439081994.json 
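Review bot: The `description` on relationship--3c6be01e, `Installs a backdoor.`, names neither the malware family nor what gets installed, so the object on its own does not explain why malware--19f41321 is linked to attack-pattern--b255fae3. Other relationships in this patch lead with the family name (GotBotKR, Bagle, Stuxnet, Hupigon), and that is the convention to follow here, e.g. `"description": "<family> installs a backdoor component (<name or path>)."` with the placeholders filled from the source being cited. If nothing more specific than the one-line summary is known, an `external_references` entry pointing at the report it came from would at least let a reader verify the mapping.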
@@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--723b3525-6905-4598-a85e-1cd96132af9e", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--3d70b808-f176-4620-aa53-fcc439081994", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.259Z", + "modified": "2020-02-05T20:28:16.259Z", + "relationship_type": "uses", + "description": "Can download and install arbitrary iOS apps.", + "source_ref": "malware--2106d331-215f-45ce-8899-3c11a4c47a8c", + "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--3fea9f25-65a5-4bc3-924d-34a3f310f722.json b/relationship/relationship--3fea9f25-65a5-4bc3-924d-34a3f310f722.json new file mode 100644 index 00000000..3986f5de --- /dev/null +++ b/relationship/relationship--3fea9f25-65a5-4bc3-924d-34a3f310f722.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--2ec07cf5-d9fe-4827-94e8-db8f183f50a0", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--3fea9f25-65a5-4bc3-924d-34a3f310f722", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.259Z", + "modified": "2020-02-05T20:28:16.259Z", + "relationship_type": "uses", + "description": "After the Poison-Ivy server is running on the target machine, the attacker uses a Windows GUI client to control the target computer.", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--ab3bb771-c300-4480-87c0-0e5c55ec81d1", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--41619001-1af7-4b97-babd-9c21c827e1d2.json b/relationship/relationship--41619001-1af7-4b97-babd-9c21c827e1d2.json new file mode 100644 index 00000000..23f6e372 --- /dev/null +++ b/relationship/relationship--41619001-1af7-4b97-babd-9c21c827e1d2.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--f8d32501-7189-43e1-935f-7ae0e7786fd2", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--41619001-1af7-4b97-babd-9c21c827e1d2", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.250Z", + "modified": "2020-02-05T20:28:16.250Z", + "relationship_type": "uses", + "description": "Learns about the system so it can drop compatible miner software.", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--416b4a88-11a1-4632-941b-ade357252d0d.json b/relationship/relationship--416b4a88-11a1-4632-941b-ade357252d0d.json new file mode 100644 index 00000000..8bcd7a67 --- /dev/null +++ b/relationship/relationship--416b4a88-11a1-4632-941b-ade357252d0d.json 
@@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--fbef08d9-b6de-4bc6-9b33-56d79f1f9973", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--416b4a88-11a1-4632-941b-ade357252d0d", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.255Z", + "modified": "2020-02-05T20:28:16.255Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--4438daa4-c88a-40ba-92e3-d80343538108.json b/relationship/relationship--4438daa4-c88a-40ba-92e3-d80343538108.json new file mode 100644 index 00000000..dbe99be3 --- /dev/null +++ b/relationship/relationship--4438daa4-c88a-40ba-92e3-d80343538108.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--b9a8d4fe-9e6e-4383-9d48-e113592d1707", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--4438daa4-c88a-40ba-92e3-d80343538108", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.264Z", + "modified": "2020-02-05T20:28:16.264Z", + "relationship_type": "uses", + "description": "Some variants look for an unnamed mutex to ensure only one copy of itself is running on a system.", + "source_ref": "malware--8e60252b-1708-4809-8384-ca8937936aff", + "target_ref": "attack-pattern--1ab23a6a-e131-4321-be30-7f3f3861dac0", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--44515a0f-4716-40ef-b5d5-177849ce6987.json b/relationship/relationship--44515a0f-4716-40ef-b5d5-177849ce6987.json new file mode 100644 index 00000000..7e358c3f --- /dev/null 
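Review bot: The phrase `looks for an unnamed mutex` in relationship--4438daa4's description is technically contradictory: a mutex created without a name cannot be opened by a second process, so single-instance checks of the kind described depend on a named mutex. If the intent is that the name is not documented, say so, e.g. `"description": "Some variants check for a named mutex (name not documented here) to ensure only one copy of Bagle is running on a system."`; if the name is known from the source report, include it, since a mutex name is a directly usable host-based indicator. Either way the text should make clear that the check is by mutex name rather than by an anonymous kernel object.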
+++ b/relationship/relationship--44515a0f-4716-40ef-b5d5-177849ce6987.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--2556e1a7-f1f3-48be-9650-1770f5691582", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--44515a0f-4716-40ef-b5d5-177849ce6987", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.251Z", + "modified": "2020-02-05T20:28:16.251Z", + "relationship_type": "uses", + "description": "Learns about security software.", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--03b4fd1e-96db-4c28-b9c7-18ef0510c129", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--461ef403-0bd0-49cd-88bc-5bfc426e6b23.json b/relationship/relationship--461ef403-0bd0-49cd-88bc-5bfc426e6b23.json new file mode 100644 index 00000000..f1faf74c --- /dev/null +++ b/relationship/relationship--461ef403-0bd0-49cd-88bc-5bfc426e6b23.json 
@@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--450fd7dc-264a-4fd5-8091-e681967dae32", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--461ef403-0bd0-49cd-88bc-5bfc426e6b23", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.262Z", + "modified": "2020-02-05T20:28:16.262Z", + "relationship_type": "uses", + "description": "Stuxnet made the centrifuges at Iran's nuclear plant spin dangerously fast for 15 minutes, before returning to normal speed. About a month later, it slowed the centrifuges down for 50 minutes. This was repeated for several months, and over time the strain destroyed the machines.", + "source_ref": "malware--a8688d54-9b39-4fad-bff9-b7bf8c5c146f", + "target_ref": "attack-pattern--278e7645-17ac-4bd3-9849-56060cab2e81", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--464326e8-1ec2-425b-9557-bd00281078d6.json b/relationship/relationship--464326e8-1ec2-425b-9557-bd00281078d6.json new file mode 100644 index 00000000..9e251ff6 --- /dev/null +++ b/relationship/relationship--464326e8-1ec2-425b-9557-bd00281078d6.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--6ccc9996-3df1-48e9-8672-5d5256b1a774", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--464326e8-1ec2-425b-9557-bd00281078d6", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.254Z", + "modified": "2020-02-05T20:28:16.254Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--37e2cfce-37c2-4a5a-a98e-3bf5b4cd9db6", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
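Review bot: relationship--461ef403's description makes specific, quantitative claims (centrifuges overdriven for 15 minutes, slowed for 50 minutes about a month later, repeated for months) with no `external_references`, so a consumer cannot trace or verify figures that are exactly the kind of detail that gets paraphrased inaccurately. STIX 2.1 relationship objects accept `external_references`; add the report the numbers come from next to the description, e.g. `"external_references": [{"source_name": "<report>", "url": "<url>"}]`. The same applies to the un-cited `A 2018 variant` wiper claim on relationship--2b7bf5d7 earlier in this patch.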
diff --git a/relationship/relationship--4ced5121-d085-49b3-b6ab-311ca722b46a.json b/relationship/relationship--4ced5121-d085-49b3-b6ab-311ca722b46a.json new file mode 100644 index 00000000..4016df10 --- /dev/null +++ b/relationship/relationship--4ced5121-d085-49b3-b6ab-311ca722b46a.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--d1503492-7d4c-4fe6-8536-2603b320e38e", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--4ced5121-d085-49b3-b6ab-311ca722b46a", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.254Z", + "modified": "2020-02-05T20:28:16.254Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--4b89d6b6-fd08-4b39-bb01-b472ae95b93d", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--4d63f713-2d38-40c3-a744-bd12bbd8499b.json b/relationship/relationship--4d63f713-2d38-40c3-a744-bd12bbd8499b.json new file mode 100644 index 00000000..22fa28de --- /dev/null +++ b/relationship/relationship--4d63f713-2d38-40c3-a744-bd12bbd8499b.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--67c31ffc-f6e1-4cff-82ca-51a925fa99f0", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--4d63f713-2d38-40c3-a744-bd12bbd8499b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.260Z", + "modified": "2020-02-05T20:28:16.260Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--510fcbf4-e832-43d7-8628-26724bdc4539.json b/relationship/relationship--510fcbf4-e832-43d7-8628-26724bdc4539.json new file mode 100644 index 00000000..d2392f90 --- /dev/null +++ b/relationship/relationship--510fcbf4-e832-43d7-8628-26724bdc4539.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--6b5151dd-5894-4616-98d6-85e3830b76ff", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--510fcbf4-e832-43d7-8628-26724bdc4539", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.257Z", + "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "description": "GotBotKR reinstalls its running instance if it is removed.", + "source_ref": "malware--eee42dbc-18ca-4db7-9115-672245d8893d", + "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--53a75251-5474-4d56-bc67-116adc9cf33b.json b/relationship/relationship--53a75251-5474-4d56-bc67-116adc9cf33b.json new file mode 100644 index 00000000..3700f90a --- /dev/null +++ b/relationship/relationship--53a75251-5474-4d56-bc67-116adc9cf33b.json 
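Review bot: relationship--510fcbf4 maps `GotBotKR reinstalls its running instance if it is removed` to attack-pattern--b255fae3, the same target this patch uses for installing a backdoor, installing arbitrary iOS apps, downloading a Zcash miner and installing a browser extension, all of which install something other than the malware itself. If b255fae3 is that "install additional program" behavior (the attack-pattern object is not visible from here), re-installing its own instance reads as a persistence/resilience behavior and may belong under a different pattern; please confirm against the target's `name` before merging. Since relationship--2a8e2dc1 already records that GotBotKR runs a second instance that watches the first, stating in this description which instance re-installs which would make the mapping defensible either way.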
@@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--ccf1d071-8429-4c63-a7e3-3ff7628ed0cf", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--53a75251-5474-4d56-bc67-116adc9cf33b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.256Z", + "modified": "2020-02-05T20:28:16.256Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--a03b6507-fed8-416a-8425-0761f5f7f754", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--57a27587-537b-48d4-ace1-dc1d07321776.json b/relationship/relationship--57a27587-537b-48d4-ace1-dc1d07321776.json new file mode 100644 index 00000000..71a8cd05 --- /dev/null +++ b/relationship/relationship--57a27587-537b-48d4-ace1-dc1d07321776.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--5c411706-acd2-4414-9a90-11504e46247a", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--57a27587-537b-48d4-ace1-dc1d07321776", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.256Z", + "modified": "2020-02-05T20:28:16.256Z", + "relationship_type": "uses", + "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8", + "target_ref": "attack-pattern--f7136ba2-6455-48f4-90df-63f8f43ae0f4", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--5b129221-9159-488d-8460-c966b836328f.json b/relationship/relationship--5b129221-9159-488d-8460-c966b836328f.json new file mode 100644 index 00000000..c961a4a3 --- /dev/null +++ b/relationship/relationship--5b129221-9159-488d-8460-c966b836328f.json 
@@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--f180bf04-6d7c-4721-ae05-834285041cba", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--5b129221-9159-488d-8460-c966b836328f", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.253Z", + "modified": "2020-02-05T20:28:16.253Z", + "relationship_type": "uses", + "description": "Alters DNS server settings to route to a rogue DNS server for the purpose of click hijacking.", + "source_ref": "malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c", + "target_ref": "attack-pattern--c5e52bb6-425f-416a-afb7-58d67093ef9c", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--5b69f0d0-62e7-4f27-acce-41d1d0ed417c.json b/relationship/relationship--5b69f0d0-62e7-4f27-acce-41d1d0ed417c.json new file mode 100644 index 00000000..4e5b2f68 --- /dev/null +++ b/relationship/relationship--5b69f0d0-62e7-4f27-acce-41d1d0ed417c.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--9b85a1a2-aede-4ccc-925a-4f6ebd180183", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--5b69f0d0-62e7-4f27-acce-41d1d0ed417c", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.257Z", + "modified": "2020-02-05T20:28:16.257Z", + "relationship_type": "uses", + "source_ref": "malware--a0008d7c-30f1-43f7-a798-50552e1fa282", + "target_ref": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--5efcecab-ca74-4c8f-a884-68f8709b072b.json b/relationship/relationship--5efcecab-ca74-4c8f-a884-68f8709b072b.json new file mode 100644 index 00000000..4bd955af --- /dev/null 
+++ b/relationship/relationship--5efcecab-ca74-4c8f-a884-68f8709b072b.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--07ec64df-ce31-4a36-a35d-118f801719d6", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--5efcecab-ca74-4c8f-a884-68f8709b072b", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.261Z", + "modified": "2020-02-05T20:28:16.261Z", + "relationship_type": "uses", + "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea", + "target_ref": "attack-pattern--0bfe651c-26b6-49c0-9b50-51ddc7090c98", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--5f9c9726-82c0-4876-937d-52e66ef739db.json b/relationship/relationship--5f9c9726-82c0-4876-937d-52e66ef739db.json new file mode 100644 index 00000000..c505c955 --- /dev/null +++ b/relationship/relationship--5f9c9726-82c0-4876-937d-52e66ef739db.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--e44be6d9-3c9e-4861-9a97-286ce0444c3b", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--5f9c9726-82c0-4876-937d-52e66ef739db", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.252Z", + "modified": "2020-02-05T20:28:16.252Z", + "relationship_type": "uses", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--6108db13-e957-41b2-a22c-c1abf26df815.json b/relationship/relationship--6108db13-e957-41b2-a22c-c1abf26df815.json new file mode 100644 index 00000000..28f3720d --- /dev/null 
+++ b/relationship/relationship--6108db13-e957-41b2-a22c-c1abf26df815.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--03b2b62b-6d79-447b-b42b-e2252a2aa37f", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6108db13-e957-41b2-a22c-c1abf26df815", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.265Z", + "modified": "2020-02-05T20:28:16.265Z", + "relationship_type": "uses", + "description": "Hupigon drops the file \"Systen.dll\" and adds the registry entry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\BITS DllName = \"%System%\\Systen.dll\".", + "source_ref": "malware--1114f1d1-94fb-4499-b1b3-980de47dbd11", + "target_ref": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--643e9a29-3802-4725-8fd8-ebd05f804502.json b/relationship/relationship--643e9a29-3802-4725-8fd8-ebd05f804502.json new file mode 100644 index 00000000..04654afb --- /dev/null +++ b/relationship/relationship--643e9a29-3802-4725-8fd8-ebd05f804502.json 
@@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--5f26c232-27df-45ec-9633-905544c425d8", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--643e9a29-3802-4725-8fd8-ebd05f804502", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.264Z", + "modified": "2020-02-05T20:28:16.264Z", + "relationship_type": "uses", + "description": "Encrypts files for ransom without any connection to the Internet.", + "source_ref": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06", + "target_ref": "attack-pattern--4ea52273-1834-4df1-8bc7-6ee8738748a2", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--64c5969c-f0b7-4d5e-97e5-a0ba0d9eb235.json b/relationship/relationship--64c5969c-f0b7-4d5e-97e5-a0ba0d9eb235.json new file mode 100644 index 00000000..113643e8 --- /dev/null +++ b/relationship/relationship--64c5969c-f0b7-4d5e-97e5-a0ba0d9eb235.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--8c0ddd8b-db8c-4787-8dd1-4924fb28c5c3", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--64c5969c-f0b7-4d5e-97e5-a0ba0d9eb235", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.251Z", + "modified": "2020-02-05T20:28:16.251Z", + "relationship_type": "uses", + "description": "Downloads and executes Claymore's Zcash miner from a remote server.", + "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10", + "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file 
diff --git a/relationship/relationship--679a082a-d6b4-4478-a4d5-1a8dc972b211.json b/relationship/relationship--679a082a-d6b4-4478-a4d5-1a8dc972b211.json new file mode 100644 index 00000000..c3775431 --- /dev/null +++ b/relationship/relationship--679a082a-d6b4-4478-a4d5-1a8dc972b211.json @@ -0,0 +1,21 @@ +{ + "type": "bundle", + "id": "bundle--dd9cbda4-a9ee-4d55-918a-7846a571167e", + "objects": [ + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--679a082a-d6b4-4478-a4d5-1a8dc972b211", + "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf", + "created": "2020-02-05T20:28:16.264Z", + "modified": "2020-02-05T20:28:16.264Z", + "relationship_type": "uses", + "description": "Gathers information from the victim's machine to create an encryption key.", + "source_ref": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06", + "target_ref": "attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932", + "object_marking_refs": [ + "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3" + ] + } + ] +} \ No newline at end of file diff --git a/relationship/relationship--6a361003-f6c0-430e-8db6-5f8f2ac422ee.json b/relationship/relationship--6a361003-f6c0-430e-8db6-5f8f2ac422ee.json new file mode 100644 index 00000000..0375da22 --- /dev/null +++ b/relationship/relationship--6a361003-f6c0-430e-8db6-5f8f2ac422ee.json 
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--56a3358c-6458-4604-8023-894c5829a2d6",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--6a361003-f6c0-430e-8db6-5f8f2ac422ee",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.257Z",
+ "modified": "2020-02-05T20:28:16.257Z",
+ "relationship_type": "uses",
+ "description": "Geneio installs the browser extension *~/Library/Safari/Extensions/Omnibar.safariextz*. It also creates the app files listed in the description above.",
+ "source_ref": "malware--9168de31-46b0-4c9f-9e20-77e77e78a0ab",
+ "target_ref": "attack-pattern--b255fae3-82ad-4a9d-a76a-3301e0c3caed",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--6b15a47c-add7-407e-866c-455b82eb5206.json b/relationship/relationship--6b15a47c-add7-407e-866c-455b82eb5206.json
new file mode 100644
index 00000000..9ab42052
--- /dev/null
+++ b/relationship/relationship--6b15a47c-add7-407e-866c-455b82eb5206.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--91f63dad-7240-4b84-b101-fc32209c57ff",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--6b15a47c-add7-407e-866c-455b82eb5206",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.256Z",
+ "modified": "2020-02-05T20:28:16.256Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
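Review bot: The `description` of relationship--6a361003 ends with "listed in the description above", but this relationship is the only object in its bundle file, so there is no text above for a consumer of the file to refer to. The sentence was presumably carried over from the source malware object's description; the relationship should either name what it refers to or drop the dangling reference, e.g. `"description": "Geneio installs the browser extension *~/Library/Safari/Extensions/Omnibar.safariextz* and creates the app files listed in the description of malware--9168de31-46b0-4c9f-9e20-77e77e78a0ab."`. Worth checking the other relationships in this release for the same copy-over pattern.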
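Review bot: relationship--6b15a47c records a `uses` link from malware--0cc95157 to attack-pattern--01051bb2 with no `description` and no `external_references`, so a consumer cannot tell what evidence supports the mapping or where it was observed. The same applies to relationship--6c01abcc, 6dfe86f6, 70293730, 76c22659, 8358a935, 8ce0a9c1, 8d7e7aeb, 8dece164, 8fce710f, 90c677fd, 9277a5c2, 928e6604, 9ea77314, a3218798, a7588119, ac6d1a10, ad5b898c and b082f098 in this chunk, whereas the other relationships here carry a one-sentence `description`. Adding a sentence per mapping describing the observed behavior, and an `external_references` entry pointing at the report it came from, would make these entries as reviewable as their neighbours.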
diff --git a/relationship/relationship--6c01abcc-9ec4-4294-b39b-c3aad259c796.json b/relationship/relationship--6c01abcc-9ec4-4294-b39b-c3aad259c796.json
new file mode 100644
index 00000000..20278a58
--- /dev/null
+++ b/relationship/relationship--6c01abcc-9ec4-4294-b39b-c3aad259c796.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--2f65cdc8-2b86-4c0f-9cdd-b96172b4a008",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--6c01abcc-9ec4-4294-b39b-c3aad259c796",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--91907ea3-beed-40bd-b4d6-1875893568a6",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--6cfc5694-2afb-4727-9af1-3bdf4688947e.json b/relationship/relationship--6cfc5694-2afb-4727-9af1-3bdf4688947e.json
new file mode 100644
index 00000000..29403830
--- /dev/null
+++ b/relationship/relationship--6cfc5694-2afb-4727-9af1-3bdf4688947e.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--6ad6d7f7-aec8-45c1-b2e2-fb9941ae6e55",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--6cfc5694-2afb-4727-9af1-3bdf4688947e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.261Z",
+ "modified": "2020-02-05T20:28:16.261Z",
+ "relationship_type": "uses",
+ "description": "Uses a domain name generator.",
+ "source_ref": "malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf",
+ "target_ref": "attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--6dfe86f6-1818-4108-aca9-e49c819192b4.json b/relationship/relationship--6dfe86f6-1818-4108-aca9-e49c819192b4.json
new file mode 100644
index 00000000..9f406d68
--- /dev/null
+++ b/relationship/relationship--6dfe86f6-1818-4108-aca9-e49c819192b4.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--a34f2e70-f4ed-4e38-bcda-86db60e17d31",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--6dfe86f6-1818-4108-aca9-e49c819192b4",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.260Z",
+ "modified": "2020-02-05T20:28:16.260Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--70293730-edee-424a-aaaf-19f18a2ebd02.json b/relationship/relationship--70293730-edee-424a-aaaf-19f18a2ebd02.json
new file mode 100644
index 00000000..9a526dc1
--- /dev/null
+++ b/relationship/relationship--70293730-edee-424a-aaaf-19f18a2ebd02.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--ee679ece-6ce6-4658-8e58-aec28cc55728",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--70293730-edee-424a-aaaf-19f18a2ebd02",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.260Z",
+ "modified": "2020-02-05T20:28:16.260Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--101d8709-b8d4-4604-a835-b122f1ecb227",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--76c22659-341c-4ef5-9dd9-dee2d9f9b96a.json b/relationship/relationship--76c22659-341c-4ef5-9dd9-dee2d9f9b96a.json
new file mode 100644
index 00000000..6a963520
--- /dev/null
+++ b/relationship/relationship--76c22659-341c-4ef5-9dd9-dee2d9f9b96a.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--8a94e3b2-bd57-4ae0-a732-50bd10f22d31",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--76c22659-341c-4ef5-9dd9-dee2d9f9b96a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.250Z",
+ "modified": "2020-02-05T20:28:16.250Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--a1f1b921-b815-4311-93c2-6c98a333fd5d",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--7c232b17-6421-4459-bbca-410f7660a760.json b/relationship/relationship--7c232b17-6421-4459-bbca-410f7660a760.json
new file mode 100644
index 00000000..26b452ff
--- /dev/null
+++ b/relationship/relationship--7c232b17-6421-4459-bbca-410f7660a760.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--0da67068-ea53-4984-bd0a-cf42ffa12437",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--7c232b17-6421-4459-bbca-410f7660a760",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Uses API Hashing Method.",
+ "source_ref": "malware--7d15a1bf-98dc-4da5-9867-15cba30ed3cc",
+ "target_ref": "attack-pattern--17717ca4-3713-496e-87d7-13a95a6b1790",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--80a8579e-8f8a-45f1-b745-6254f77b1a8b.json b/relationship/relationship--80a8579e-8f8a-45f1-b745-6254f77b1a8b.json
new file mode 100644
index 00000000..367b8350
--- /dev/null
+++ b/relationship/relationship--80a8579e-8f8a-45f1-b745-6254f77b1a8b.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--0569c92c-7e82-41d9-bfed-0c0ad2ffdbd9",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--80a8579e-8f8a-45f1-b745-6254f77b1a8b",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Conficker A has routine that causes the process to suicide if the keyboard language layout is set to Ukrainian.",
+ "source_ref": "malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed",
+ "target_ref": "attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--80dcb928-b50d-4ee7-8c26-369660f041de.json b/relationship/relationship--80dcb928-b50d-4ee7-8c26-369660f041de.json
new file mode 100644
index 00000000..2e9b3f96
--- /dev/null
+++ b/relationship/relationship--80dcb928-b50d-4ee7-8c26-369660f041de.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--0ffb6acd-8d86-4454-aa53-4dc7d3e2e444",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--80dcb928-b50d-4ee7-8c26-369660f041de",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "description": "From the command line, drops and unzips a password-protected Cabinet archive file.",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--8358a935-9460-42a9-bfbc-31653fb1a3e5.json b/relationship/relationship--8358a935-9460-42a9-bfbc-31653fb1a3e5.json
new file mode 100644
index 00000000..15fa39d3
--- /dev/null
+++ b/relationship/relationship--8358a935-9460-42a9-bfbc-31653fb1a3e5.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--aeff0b17-0014-4aab-9a2a-9630eaf9e1c1",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8358a935-9460-42a9-bfbc-31653fb1a3e5",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.255Z",
+ "modified": "2020-02-05T20:28:16.255Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--19965f2f-3091-4611-b5da-4f5351319b63",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--8ce0a9c1-7392-4877-b6ed-6023f0dcacec.json b/relationship/relationship--8ce0a9c1-7392-4877-b6ed-6023f0dcacec.json
new file mode 100644
index 00000000..fbf73e47
--- /dev/null
+++ b/relationship/relationship--8ce0a9c1-7392-4877-b6ed-6023f0dcacec.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--3855bc2c-94b3-4ac2-b93c-31311dc2fc52",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8ce0a9c1-7392-4877-b6ed-6023f0dcacec",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--731ecd6a-9782-4272-84f3-f4d5ff3732e0",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--8d7e7aeb-c462-4051-aff0-4f526ccfa699.json b/relationship/relationship--8d7e7aeb-c462-4051-aff0-4f526ccfa699.json
new file mode 100644
index 00000000..8ebe0d31
--- /dev/null
+++ b/relationship/relationship--8d7e7aeb-c462-4051-aff0-4f526ccfa699.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--3f3c04fc-d7e0-482e-a2c9-4e0c9c969531",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8d7e7aeb-c462-4051-aff0-4f526ccfa699",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--8dece164-935e-4939-9fbe-483f3baedc4a.json b/relationship/relationship--8dece164-935e-4939-9fbe-483f3baedc4a.json
new file mode 100644
index 00000000..e588fde1
--- /dev/null
+++ b/relationship/relationship--8dece164-935e-4939-9fbe-483f3baedc4a.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--cdce00c2-e73d-447a-8527-66f9ff920f31",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8dece164-935e-4939-9fbe-483f3baedc4a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.261Z",
+ "modified": "2020-02-05T20:28:16.261Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--8fce710f-5023-4a45-ac3a-c4ace1c7d0dd.json b/relationship/relationship--8fce710f-5023-4a45-ac3a-c4ace1c7d0dd.json
new file mode 100644
index 00000000..ccfb5e04
--- /dev/null
+++ b/relationship/relationship--8fce710f-5023-4a45-ac3a-c4ace1c7d0dd.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--bc0d456f-152f-4258-90b7-ca9b2c55106f",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--8fce710f-5023-4a45-ac3a-c4ace1c7d0dd",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--fbe0f011-0dbb-4a6e-a860-32120311f74b",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--90c677fd-2dab-4eda-9b84-d8028de953de.json b/relationship/relationship--90c677fd-2dab-4eda-9b84-d8028de953de.json
new file mode 100644
index 00000000..0c5dbd62
--- /dev/null
+++ b/relationship/relationship--90c677fd-2dab-4eda-9b84-d8028de953de.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--5bb72b2c-ee63-492e-bdd4-b6ce84f9a029",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--90c677fd-2dab-4eda-9b84-d8028de953de",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.260Z",
+ "modified": "2020-02-05T20:28:16.260Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--e9a06bb6-c6e9-4718-9434-f6b737eee9e8",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--913ac448-0c3d-4856-90a4-6273865eb381.json b/relationship/relationship--913ac448-0c3d-4856-90a4-6273865eb381.json
new file mode 100644
index 00000000..60be195a
--- /dev/null
+++ b/relationship/relationship--913ac448-0c3d-4856-90a4-6273865eb381.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--7d4cb90f-a57a-4cda-a29f-20376f3525a4",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--913ac448-0c3d-4856-90a4-6273865eb381",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.263Z",
+ "modified": "2020-02-05T20:28:16.263Z",
+ "relationship_type": "uses",
+ "description": "Intercepts data coming into and going out of device.",
+ "source_ref": "malware--19f41321-fc57-475f-b7d5-ef5285f4b489",
+ "target_ref": "attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--9277a5c2-8988-46dc-87d2-20359be28def.json b/relationship/relationship--9277a5c2-8988-46dc-87d2-20359be28def.json
new file mode 100644
index 00000000..df8b00a6
--- /dev/null
+++ b/relationship/relationship--9277a5c2-8988-46dc-87d2-20359be28def.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--f1e2281b-7a0a-42a1-980c-7a972ff6b911",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--9277a5c2-8988-46dc-87d2-20359be28def",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.254Z",
+ "modified": "2020-02-05T20:28:16.254Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--7f7f9c9f-db90-4294-91ad-d1c9da04e9d8",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--928e6604-a7d3-436c-a7fe-97f1ca278a5d.json b/relationship/relationship--928e6604-a7d3-436c-a7fe-97f1ca278a5d.json
new file mode 100644
index 00000000..0cd3724c
--- /dev/null
+++ b/relationship/relationship--928e6604-a7d3-436c-a7fe-97f1ca278a5d.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--ad5e89ff-1c6c-4972-91c9-254c5a2ca6b8",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--928e6604-a7d3-436c-a7fe-97f1ca278a5d",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.260Z",
+ "modified": "2020-02-05T20:28:16.260Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--893190c4-3228-4d10-854b-cd8469fb9172",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--941e3c16-3412-46d6-86e1-55372dbc3fcd.json b/relationship/relationship--941e3c16-3412-46d6-86e1-55372dbc3fcd.json
new file mode 100644
index 00000000..86506967
--- /dev/null
+++ b/relationship/relationship--941e3c16-3412-46d6-86e1-55372dbc3fcd.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--d2264a36-94ab-4676-b6c6-326f65e404c8",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--941e3c16-3412-46d6-86e1-55372dbc3fcd",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.261Z",
+ "modified": "2020-02-05T20:28:16.261Z",
+ "relationship_type": "uses",
+ "description": "Dumping Kraken's c.dll module from the heap of its own process is tricky because its PE-header is wiped out.",
+ "source_ref": "malware--bf2e37d0-29cf-43ef-82d1-f970a128e6bf",
+ "target_ref": "attack-pattern--ebf911df-6135-42a8-a9f5-76676f546d4a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--943fd319-6d73-41b0-a01f-b45474c5be87.json b/relationship/relationship--943fd319-6d73-41b0-a01f-b45474c5be87.json
new file mode 100644
index 00000000..30cad93b
--- /dev/null
+++ b/relationship/relationship--943fd319-6d73-41b0-a01f-b45474c5be87.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--d5c33101-f278-45ea-bf03-7deb66563880",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--943fd319-6d73-41b0-a01f-b45474c5be87",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.263Z",
+ "modified": "2020-02-05T20:28:16.263Z",
+ "relationship_type": "uses",
+ "description": "An MBR bootkit and a BIOS bootkit targeting Award BIOS.",
+ "source_ref": "malware--cb0b4776-cbd6-417c-b6c1-51f67f44d5b1",
+ "target_ref": "attack-pattern--e9f0d1de-13f3-499a-a0ee-32fe37912720",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--97175b7c-fb76-4aa4-bcbf-89c5ab1d44b9.json b/relationship/relationship--97175b7c-fb76-4aa4-bcbf-89c5ab1d44b9.json
new file mode 100644
index 00000000..aec8481f
--- /dev/null
+++ b/relationship/relationship--97175b7c-fb76-4aa4-bcbf-89c5ab1d44b9.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--71ab6131-24d7-4267-a543-9942adb0f5b4",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--97175b7c-fb76-4aa4-bcbf-89c5ab1d44b9",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "description": "Launches distributed denial of service attacks that can target more than one IP address per hostname.",
+ "source_ref": "malware--dc90c5ae-c90c-4733-a9c4-c3a2a6bea3e1",
+ "target_ref": "attack-pattern--7d617afd-819d-4588-9b22-38470d5b338c",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--9b7fde5e-600c-4214-9714-1247c4ea5260.json b/relationship/relationship--9b7fde5e-600c-4214-9714-1247c4ea5260.json
new file mode 100644
index 00000000..4ffa0957
--- /dev/null
+++ b/relationship/relationship--9b7fde5e-600c-4214-9714-1247c4ea5260.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--6a166bbd-7986-4470-b476-4d82d792b3bb",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--9b7fde5e-600c-4214-9714-1247c4ea5260",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "description": "Prevents the infected system from installing anti-virus software updates.",
+ "source_ref": "malware--901ac923-57ee-4d6a-b14a-ae64e3225b8c",
+ "target_ref": "attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--9ea77314-a832-4920-9716-35381b728892.json b/relationship/relationship--9ea77314-a832-4920-9716-35381b728892.json
new file mode 100644
index 00000000..f239f619
--- /dev/null
+++ b/relationship/relationship--9ea77314-a832-4920-9716-35381b728892.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--a5ecbe8f-843e-447c-a9d2-a2804c6f9861",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--9ea77314-a832-4920-9716-35381b728892",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.254Z",
+ "modified": "2020-02-05T20:28:16.254Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--9ff32dae-46f3-4061-82b9-e7197b4ae30d.json b/relationship/relationship--9ff32dae-46f3-4061-82b9-e7197b4ae30d.json
new file mode 100644
index 00000000..650c9201
--- /dev/null
+++ b/relationship/relationship--9ff32dae-46f3-4061-82b9-e7197b4ae30d.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--d8f185d0-705e-4469-a177-c3bc6c3d7744",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--9ff32dae-46f3-4061-82b9-e7197b4ae30d",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.259Z",
+ "modified": "2020-02-05T20:28:16.259Z",
+ "relationship_type": "uses",
+ "description": "Redhip samples are packed with different custom packers.",
+ "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27",
+ "target_ref": "attack-pattern--fb7a6e89-4943-47a3-980f-d22c9f394d40",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--a3218798-6c62-458a-8f6b-0fcd127ca4e8.json b/relationship/relationship--a3218798-6c62-458a-8f6b-0fcd127ca4e8.json
new file mode 100644
index 00000000..d5b4b5b1
--- /dev/null
+++ b/relationship/relationship--a3218798-6c62-458a-8f6b-0fcd127ca4e8.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--02a9754c-b8f2-4a6c-96da-b7e57333f31c",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--a3218798-6c62-458a-8f6b-0fcd127ca4e8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.257Z",
+ "modified": "2020-02-05T20:28:16.257Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--2f098b48-391a-4869-acba-b10ba07a4522",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--a7588119-f565-4489-9512-db956975c1f5.json b/relationship/relationship--a7588119-f565-4489-9512-db956975c1f5.json
new file mode 100644
index 00000000..75afbfb4
--- /dev/null
+++ b/relationship/relationship--a7588119-f565-4489-9512-db956975c1f5.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--51aae455-805e-414a-9378-0069dd61d5fb",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--a7588119-f565-4489-9512-db956975c1f5",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--4799cdef-cff0-476b-adaa-685b8277ef7c",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--a867e78a-e15d-40be-9cf1-6f746531eb44.json b/relationship/relationship--a867e78a-e15d-40be-9cf1-6f746531eb44.json
new file mode 100644
index 00000000..27fee583
--- /dev/null
+++ b/relationship/relationship--a867e78a-e15d-40be-9cf1-6f746531eb44.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--99e1109a-5984-42c1-b7f5-f8cb2c792a9c",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--a867e78a-e15d-40be-9cf1-6f746531eb44",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "description": "Executes differently depending on whether it's running on an x86 or x64 system.",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--d77057dc-8454-4a4c-9dd4-3da26ae009be",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--a9c1d8df-3732-4e6e-a7bf-6be0821fae73.json b/relationship/relationship--a9c1d8df-3732-4e6e-a7bf-6be0821fae73.json
new file mode 100644
index 00000000..0da242b2
--- /dev/null
+++ b/relationship/relationship--a9c1d8df-3732-4e6e-a7bf-6be0821fae73.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--b16d0c27-12eb-45c6-b0d5-60a2d5a571db",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--a9c1d8df-3732-4e6e-a7bf-6be0821fae73",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.258Z",
+ "modified": "2020-02-05T20:28:16.258Z",
+ "relationship_type": "uses",
+ "description": "Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFICE.",
+ "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27",
+ "target_ref": "attack-pattern--9188ea31-fa9e-4fad-949b-f705e0fabd20",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--abc3029d-06b2-4048-a14d-2ef0a1bf8ea3.json b/relationship/relationship--abc3029d-06b2-4048-a14d-2ef0a1bf8ea3.json
new file mode 100644
index 00000000..17c164ef
--- /dev/null
+++ b/relationship/relationship--abc3029d-06b2-4048-a14d-2ef0a1bf8ea3.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--9cd669d3-d3cf-4c5c-aff1-7ce26db019a4",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--abc3029d-06b2-4048-a14d-2ef0a1bf8ea3",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "description": "Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs.",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--ac6d1a10-221a-49aa-9f6a-84a528d565d1.json b/relationship/relationship--ac6d1a10-221a-49aa-9f6a-84a528d565d1.json
new file mode 100644
index 00000000..6131e6af
--- /dev/null
+++ b/relationship/relationship--ac6d1a10-221a-49aa-9f6a-84a528d565d1.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--135615f2-1afd-4b5c-81ac-cff24e8dc4b7",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--ac6d1a10-221a-49aa-9f6a-84a528d565d1",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.256Z",
+ "modified": "2020-02-05T20:28:16.256Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--1c4e8b61-bdb4-4ff5-bbf2-10dda4b276da",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--ad5b898c-6553-46a7-99dc-f51dcdef9b45.json b/relationship/relationship--ad5b898c-6553-46a7-99dc-f51dcdef9b45.json
new file mode 100644
index 00000000..738e425e
--- /dev/null
+++ b/relationship/relationship--ad5b898c-6553-46a7-99dc-f51dcdef9b45.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--bcd2844f-0fe5-4362-888b-044de878b384",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--ad5b898c-6553-46a7-99dc-f51dcdef9b45",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.250Z",
+ "modified": "2020-02-05T20:28:16.250Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--7917db1d-3be0-4a58-b706-00c62379a7b2",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--b082f098-c65c-433d-a9f1-6634c2a07f57.json b/relationship/relationship--b082f098-c65c-433d-a9f1-6634c2a07f57.json
new file mode 100644
index 00000000..20312e8e
--- /dev/null
+++ b/relationship/relationship--b082f098-c65c-433d-a9f1-6634c2a07f57.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--394ec986-7d66-43ad-90aa-03c24ae1826f",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b082f098-c65c-433d-a9f1-6634c2a07f57",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--6c58676d-57be-4bbc-a9b2-54a11098ca12",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--b2442af2-272c-42e5-94b6-ac52bbbd1a5c.json b/relationship/relationship--b2442af2-272c-42e5-94b6-ac52bbbd1a5c.json
new file mode 100644
index 00000000..59370916
--- /dev/null
+++ b/relationship/relationship--b2442af2-272c-42e5-94b6-ac52bbbd1a5c.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--03981273-d1b3-4860-901a-f0a1af108d18",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b2442af2-272c-42e5-94b6-ac52bbbd1a5c",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.259Z",
+ "modified": "2020-02-05T20:28:16.259Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--5f63251a-e426-493e-9dd6-3b562c0e7157",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--b28c0897-acb5-4205-8210-eb7c1d420789.json b/relationship/relationship--b28c0897-acb5-4205-8210-eb7c1d420789.json
new file mode 100644
index 00000000..ca58e9f3
--- /dev/null
+++ b/relationship/relationship--b28c0897-acb5-4205-8210-eb7c1d420789.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--9fcdffb3-745f-442a-ab52-b36fb67b1da4",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b28c0897-acb5-4205-8210-eb7c1d420789",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--8f470860-de90-44e9-b88f-4b188918bb7c",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--b43c677a-dd98-4545-8e4e-118ae78050ff.json b/relationship/relationship--b43c677a-dd98-4545-8e4e-118ae78050ff.json
new file mode 100644
index 00000000..24a939c6
--- /dev/null
+++ b/relationship/relationship--b43c677a-dd98-4545-8e4e-118ae78050ff.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--216fecc9-5a8d-42dc-a45f-46516c17f0e4",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b43c677a-dd98-4545-8e4e-118ae78050ff",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.257Z",
+ "modified": "2020-02-05T20:28:16.257Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--a7ea0b40-a316-43db-9dcf-1ae03eda94a6",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--b53918d6-524a-408a-b79f-ccd56bd6950e.json b/relationship/relationship--b53918d6-524a-408a-b79f-ccd56bd6950e.json
new file mode 100644
index 00000000..6b96d90d
--- /dev/null
+++ b/relationship/relationship--b53918d6-524a-408a-b79f-ccd56bd6950e.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--ade6e13c-a874-41d2-bce9-bf543d9e36f0",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b53918d6-524a-408a-b79f-ccd56bd6950e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.254Z",
+ "modified": "2020-02-05T20:28:16.254Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--b176779c-a4df-49a4-993e-e424a114b73a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--b7947355-7dfc-4ef4-9f62-efb0c755a48f.json b/relationship/relationship--b7947355-7dfc-4ef4-9f62-efb0c755a48f.json
new file mode 100644
index 00000000..3213c06b
--- /dev/null
+++ b/relationship/relationship--b7947355-7dfc-4ef4-9f62-efb0c755a48f.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--0e70b5bc-b89d-4b57-9124-d3af62bfc635",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b7947355-7dfc-4ef4-9f62-efb0c755a48f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.256Z",
+ "modified": "2020-02-05T20:28:16.256Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--c376d9bb-5e45-42f5-95ce-b57d6ce417b8",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--b7bcccb7-045a-4b97-9b07-f63afb868095.json b/relationship/relationship--b7bcccb7-045a-4b97-9b07-f63afb868095.json
new file mode 100644
index 00000000..11ad7488
--- /dev/null
+++ b/relationship/relationship--b7bcccb7-045a-4b97-9b07-f63afb868095.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--b304c0a8-5e4d-4a13-acf2-e11c167f70a1",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b7bcccb7-045a-4b97-9b07-f63afb868095",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Modification of the router's firmware image that can be used to maintain persistence within a victim's network.",
+ "source_ref": "malware--ab86ee1d-8789-4357-aff2-d6fec9434952",
+ "target_ref": "attack-pattern--cec46ca6-08c3-46d6-b37f-92c50fe689bb",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--b7c12079-a65e-4901-8849-59f138da35e6.json b/relationship/relationship--b7c12079-a65e-4901-8849-59f138da35e6.json
new file mode 100644
index 00000000..86e230b0
--- /dev/null
+++ b/relationship/relationship--b7c12079-a65e-4901-8849-59f138da35e6.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--6baccc7a-f129-4174-b5f6-188071e8b36e",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--b7c12079-a65e-4901-8849-59f138da35e6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Uses a domain name generator.",
+ "source_ref": "malware--e042c0eb-4540-4f41-87c4-a57510c7d4ed",
+ "target_ref": "attack-pattern--51fb196e-4be8-4b21-ba5b-fce4d7de6767",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--baaa5c93-f948-4e2c-81ca-6f33a86409c3.json b/relationship/relationship--baaa5c93-f948-4e2c-81ca-6f33a86409c3.json
new file mode 100644
index 00000000..672938ed
--- /dev/null
+++ b/relationship/relationship--baaa5c93-f948-4e2c-81ca-6f33a86409c3.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--78b54a32-4968-4c09-b977-0d60eb092df9",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--baaa5c93-f948-4e2c-81ca-6f33a86409c3",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "description": "Intercepts encrypted web traffic to inject adds.",
+ "source_ref": "malware--f79355e1-6d17-4d9a-83f7-6d3a985bddb4",
+ "target_ref": "attack-pattern--d410c87e-8b82-47d9-8f43-15ea0e908e52",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--bfec970e-c03a-4732-857b-e636c78d01e0.json b/relationship/relationship--bfec970e-c03a-4732-857b-e636c78d01e0.json
new file mode 100644
index 00000000..17768f67
--- /dev/null
+++ b/relationship/relationship--bfec970e-c03a-4732-857b-e636c78d01e0.json
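Review bot: The `description` in relationship--baaa5c93 reads `Intercepts encrypted web traffic to inject adds.`; the intended word is `ads` (advertisements), and since these descriptions are what analysts search and quote, the typo will propagate into reports. Suggested line: `"description": "Intercepts encrypted web traffic to inject ads.",`. The same proofreading pass should cover relationship--f758c224 later in this patch, whose description writes `The Terminator rat` where `RAT` is the usual form for the malware class.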
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--d8efe7b4-af6b-4080-9463-d9f76b776d3f",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--bfec970e-c03a-4732-857b-e636c78d01e0",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "description": "Injects miner code into a running process.",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--92557c19-d2a7-4b25-b77c-34954e99d3a8",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--cb13515b-a198-41ab-ac0b-8be56c0f099f.json b/relationship/relationship--cb13515b-a198-41ab-ac0b-8be56c0f099f.json
new file mode 100644
index 00000000..9d8306bc
--- /dev/null
+++ b/relationship/relationship--cb13515b-a198-41ab-ac0b-8be56c0f099f.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--bd3d5dfc-9c6d-49e3-b649-a53b45ba3882",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--cb13515b-a198-41ab-ac0b-8be56c0f099f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.264Z",
+ "modified": "2020-02-05T20:28:16.264Z",
+ "relationship_type": "uses",
+ "description": "Code virtualization is added to the Locky Bart binary using WPProtect.",
+ "source_ref": "malware--135968d7-8b5f-492e-9423-9c98bc4d9d06",
+ "target_ref": "attack-pattern--5a7483f3-b636-4f12-8925-21be3e0f3676",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--d4df8105-8510-4675-a9c8-bbcd6bbacd53.json b/relationship/relationship--d4df8105-8510-4675-a9c8-bbcd6bbacd53.json
new file mode 100644
index 00000000..5d0f1ef6
--- /dev/null
+++ b/relationship/relationship--d4df8105-8510-4675-a9c8-bbcd6bbacd53.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--61778b44-2d8f-4aee-9260-6d62cee4931f",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--d4df8105-8510-4675-a9c8-bbcd6bbacd53",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.252Z",
+ "modified": "2020-02-05T20:28:16.252Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--11d90b50-17e9-45f5-84aa-05899a63714e",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--daaf4264-4102-4737-a69a-d68e315479ac.json b/relationship/relationship--daaf4264-4102-4737-a69a-d68e315479ac.json
new file mode 100644
index 00000000..54d8d8b1
--- /dev/null
+++ b/relationship/relationship--daaf4264-4102-4737-a69a-d68e315479ac.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--7edd6733-a21f-4fa7-a590-e2a20759338e",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--daaf4264-4102-4737-a69a-d68e315479ac",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.250Z",
+ "modified": "2020-02-05T20:28:16.250Z",
+ "relationship_type": "uses",
+ "description": "Gamut probes the infected system's SMTP port 25 by sending a test SMTP transaction to mail.ru and hotmail.com. If port 25 is open, the bot requests the spam template and email list, which it uses to send spam.",
+ "source_ref": "malware--92c8c384-839c-40a2-b58d-3af2ee3f1938",
+ "target_ref": "attack-pattern--01051bb2-6339-4556-8363-3b94ba289ec1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--dbd0c7c0-889e-4742-9f47-793d7ece67dc.json b/relationship/relationship--dbd0c7c0-889e-4742-9f47-793d7ece67dc.json
new file mode 100644
index 00000000..c3f3c1b6
--- /dev/null
+++ b/relationship/relationship--dbd0c7c0-889e-4742-9f47-793d7ece67dc.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--ba606549-78b6-4e8a-ac8f-8d210117aec9",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--dbd0c7c0-889e-4742-9f47-793d7ece67dc",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--7a0a5840-aed7-48bf-abcb-89056c1ba932",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--de086192-07b7-4aa9-a479-c1098d63d9ed.json b/relationship/relationship--de086192-07b7-4aa9-a479-c1098d63d9ed.json
new file mode 100644
index 00000000..d63d9dec
--- /dev/null
+++ b/relationship/relationship--de086192-07b7-4aa9-a479-c1098d63d9ed.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--dd822aba-aa6d-4552-92e4-fa14bf7677d8",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--de086192-07b7-4aa9-a479-c1098d63d9ed",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.254Z",
+ "modified": "2020-02-05T20:28:16.254Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--05f6625b-7291-4a4b-8ec1-4044efa6cb2e",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--e1580aaa-d87b-4528-bcd6-148cf44bdb8f.json b/relationship/relationship--e1580aaa-d87b-4528-bcd6-148cf44bdb8f.json
new file mode 100644
index 00000000..4db0ed88
--- /dev/null
+++ b/relationship/relationship--e1580aaa-d87b-4528-bcd6-148cf44bdb8f.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--4739654a-e082-4c1a-a063-8c4c2dc2b8e5",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e1580aaa-d87b-4528-bcd6-148cf44bdb8f",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.261Z",
+ "modified": "2020-02-05T20:28:16.261Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--5412b3c6-dfe4-49fc-bd91-04db038de5ea",
+ "target_ref": "attack-pattern--5e8c37e7-530d-4da6-a520-83a39fc52d7a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--e1f2529b-4a72-460e-b1a7-3fb7852b99e7.json b/relationship/relationship--e1f2529b-4a72-460e-b1a7-3fb7852b99e7.json
new file mode 100644
index 00000000..65be5a56
--- /dev/null
+++ b/relationship/relationship--e1f2529b-4a72-460e-b1a7-3fb7852b99e7.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--b8664381-0f3e-49f8-aa59-6e75a6b212ac",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e1f2529b-4a72-460e-b1a7-3fb7852b99e7",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.251Z",
+ "modified": "2020-02-05T20:28:16.251Z",
+ "relationship_type": "uses",
+ "description": "Drops software that mines for cryptocurrency: Cryptonight or Claymore's Zcash miner, depending on system architecture.",
+ "source_ref": "malware--d1fb45bc-676d-4f46-9bc8-9890ce9d7c10",
+ "target_ref": "attack-pattern--422b0025-9286-4a11-812d-5494dab28d9a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--e21d1d26-eade-424b-a7ac-f720826591df.json b/relationship/relationship--e21d1d26-eade-424b-a7ac-f720826591df.json
new file mode 100644
index 00000000..6d868254
--- /dev/null
+++ b/relationship/relationship--e21d1d26-eade-424b-a7ac-f720826591df.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--4cc348a2-8bbe-4ca1-9f37-aa39169e813a",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e21d1d26-eade-424b-a7ac-f720826591df",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.258Z",
+ "modified": "2020-02-05T20:28:16.258Z",
+ "relationship_type": "uses",
+ "description": "Redhip detects all publicly available automated malware analysis workbenches (ThreatExpert, JoeBox, etc.).",
+ "source_ref": "malware--6cfae3aa-e8ee-4f11-aebd-b2ea95d60c27",
+ "target_ref": "attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--e28f5300-c580-49dd-99fb-cd32aaf69be8.json b/relationship/relationship--e28f5300-c580-49dd-99fb-cd32aaf69be8.json
new file mode 100644
index 00000000..5836a494
--- /dev/null
+++ b/relationship/relationship--e28f5300-c580-49dd-99fb-cd32aaf69be8.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--c8ebd4d7-c6a5-4c51-ae2d-d7b16de4f88c",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e28f5300-c580-49dd-99fb-cd32aaf69be8",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.263Z",
+ "modified": "2020-02-05T20:28:16.263Z",
+ "relationship_type": "uses",
+ "description": "Sets \"2019\" as Windows' startup folder by modifying a registry value.",
+ "source_ref": "malware--0823d7b2-2870-4bb8-9818-a31108708c93",
+ "target_ref": "attack-pattern--e7dcd590-8f60-4f7d-bb91-ec2863e56e2a",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--e2aff5f4-7996-4332-b538-2b936ac8f229.json b/relationship/relationship--e2aff5f4-7996-4332-b538-2b936ac8f229.json
new file mode 100644
index 00000000..4d99b50d
--- /dev/null
+++ b/relationship/relationship--e2aff5f4-7996-4332-b538-2b936ac8f229.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--5fdd532c-3429-4f9a-af64-fd71820d8a1f",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--e2aff5f4-7996-4332-b538-2b936ac8f229",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.253Z",
+ "modified": "2020-02-05T20:28:16.253Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--a49e3ab1-4f38-49b4-8bb2-5bf5778ae503",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--ec166b67-9034-406a-9df3-cc026fa58801.json b/relationship/relationship--ec166b67-9034-406a-9df3-cc026fa58801.json
new file mode 100644
index 00000000..81e2b41a
--- /dev/null
+++ b/relationship/relationship--ec166b67-9034-406a-9df3-cc026fa58801.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--17c1717b-8185-44c3-8446-c401b487d2f4",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--ec166b67-9034-406a-9df3-cc026fa58801",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.254Z",
+ "modified": "2020-02-05T20:28:16.254Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--a5cd65d0-eee1-463e-a003-04f3a71bb813",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--f5d16822-4a48-4d9c-944e-67ef45a59d48.json b/relationship/relationship--f5d16822-4a48-4d9c-944e-67ef45a59d48.json
new file mode 100644
index 00000000..7b746c0f
--- /dev/null
+++ b/relationship/relationship--f5d16822-4a48-4d9c-944e-67ef45a59d48.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--99cdd1f0-2ad8-40b0-b344-8b553ce4c83f",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--f5d16822-4a48-4d9c-944e-67ef45a59d48",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.262Z",
+ "modified": "2020-02-05T20:28:16.262Z",
+ "relationship_type": "uses",
+ "description": "Stores malware files in the Registry instead of the hard drive.",
+ "source_ref": "malware--8c3f24a7-b0ca-4934-9374-b73508cd1be1",
+ "target_ref": "attack-pattern--ca41dedd-dddb-45bb-bbf7-ef5a17b1b4f5",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--f74ca922-715f-431d-a2c8-f22d299306aa.json b/relationship/relationship--f74ca922-715f-431d-a2c8-f22d299306aa.json
new file mode 100644
index 00000000..d4496f17
--- /dev/null
+++ b/relationship/relationship--f74ca922-715f-431d-a2c8-f22d299306aa.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--9e35da26-b8b5-4551-b6e3-17014890e556",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--f74ca922-715f-431d-a2c8-f22d299306aa",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.255Z",
+ "modified": "2020-02-05T20:28:16.255Z",
+ "relationship_type": "uses",
+ "source_ref": "malware--0cc95157-e602-407e-9225-3d595cb1a6e8",
+ "target_ref": "attack-pattern--031beb01-79db-43f5-a901-1e32a4b79628",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--f758c224-450b-42b0-b54a-d0d4dcb41ac6.json b/relationship/relationship--f758c224-450b-42b0-b54a-d0d4dcb41ac6.json
new file mode 100644
index 00000000..a4cfb8bd
--- /dev/null
+++ b/relationship/relationship--f758c224-450b-42b0-b54a-d0d4dcb41ac6.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--5712fc34-0215-4601-a395-074380e2449b",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--f758c224-450b-42b0-b54a-d0d4dcb41ac6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.263Z",
+ "modified": "2020-02-05T20:28:16.263Z",
+ "relationship_type": "uses",
+ "description": "The Terminator rat evades a sandbox by not executing until after a reboot. Most sandboxes don't reboot during an analysis.",
+ "source_ref": "malware--0823d7b2-2870-4bb8-9818-a31108708c93",
+ "target_ref": "attack-pattern--43f3997b-88e5-4a2e-9b59-6af0892a89b2",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/relationship/relationship--fde7d5f5-6e64-469f-a3d0-5f06e337374a.json b/relationship/relationship--fde7d5f5-6e64-469f-a3d0-5f06e337374a.json
new file mode 100644
index 00000000..789e911b
--- /dev/null
+++ b/relationship/relationship--fde7d5f5-6e64-469f-a3d0-5f06e337374a.json
@@ -0,0 +1,21 @@
+{
+ "type": "bundle",
+ "id": "bundle--c02391fd-844d-4a8a-ac58-97d1017ac672",
+ "objects": [
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--fde7d5f5-6e64-469f-a3d0-5f06e337374a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:16.264Z",
+ "modified": "2020-02-05T20:28:16.264Z",
+ "relationship_type": "uses",
+ "description": "The malicious executable deletes itself after it has dropped other executable files.",
+ "source_ref": "malware--0823d7b2-2870-4bb8-9818-a31108708c93",
+ "target_ref": "attack-pattern--1665b6e5-769a-4abb-9de1-4719ac6ce727",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-matrix/x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6.json b/x-mitre-matrix/x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6.json
new file mode 100644
index 00000000..b40db14b
--- /dev/null
+++ b/x-mitre-matrix/x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--74f5cc77-6957-49e4-965c-65e4fbce9b59",
+ "objects": [
+ {
+ "type": "x-mitre-matrix",
+ "id": "x-mitre-matrix--d5eae189-586e-4f87-bf4f-51fa251f0ba6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-01-01T00:00:00.000Z",
+ "modified": "2020-01-01T00:00:00.000Z",
+ "name": "MBC",
+ "description": "The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject",
+ "external_id": "mbc"
+ }
+ ],
+ "tactic_refs": [
+ "x-mitre-tactic--97051199-043f-4e26-b548-beeccdd7be3e",
+ "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828",
+ "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343",
+ "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153",
+ "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e",
+ "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa",
+ "x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589",
+ "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b",
+ "x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906",
+ "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a",
+ "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2",
+ "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3",
+ "x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898",
+ "x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6"
+ ],
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "spec_version": "2.1"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828.json b/x-mitre-tactic/x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828.json
new file mode 100644
index 00000000..798d3113
--- /dev/null
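Review bot: `created` and `modified` on x-mitre-matrix--d5eae189 are the round value `2020-01-01T00:00:00.000Z`, while every other object in this patch carries a generator timestamp of the form `2020-02-05T20:28:…`; the value looks hard-coded rather than recorded, so consumers that order or reconcile objects by `modified` will treat the matrix as older than the tactics it lists in `tactic_refs`. If a fixed epoch for the matrix is intentional, the generator or README should state it; otherwise it should come from the same clock as the tactic objects. Separately, the `external_id` here is the lowercase `mbc`, whereas the tactic objects use `M9011`-style identifiers under the same `source_name` `mitre-mbc`; if one identifier scheme is intended for that source, the matrix entry should follow it.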
+++ b/x-mitre-tactic/x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828.json
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--0bfb84c5-8a14-4817-83a6-9e6e8d5d46a9",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--1f99e060-c0e8-449c-8629-216ef75d7828",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.056Z",
+ "modified": "2020-02-05T20:28:15.056Z",
+ "name": "Lateral Movement",
+ "description": "Behaviors that enable propagation through a compromised system or infected files. The malware may move actively (e.g., gain access to a machine directly) or passively (e.g., send malicious email).",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/lateral-movement/README.md",
+ "external_id": "M9011"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "lateral-movement"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153.json b/x-mitre-tactic/x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153.json
new file mode 100644
index 00000000..4b02cb04
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--88fd398c-75ab-4c34-9917-b836881b6f28",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--225d85b5-6806-4760-a9d7-b5e38ca66153",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.060Z",
+ "modified": "2020-02-05T20:28:15.060Z",
+ "name": "Anti-Static Analysis",
+ "description": "Behaviors and code characteristics that prevent static analysis or make it more difficult. Simple static analysis identifies features such as embedded strings, header information, hash values, and file metadata (e.g., creation date). More involved static analysis involves the disassembly of the binary code.\n\nTwo primary resources for anti-static analysis behaviors are [[1]](#1) and [[2]](#2).",
+ "external_references": [
+ {
+ "source_name": "external_source",
+ "description": "Unprotect Project, a database about malware self-defense and protection.",
+ "url": "http://unprotect.tdgt.org/index.php/Unprotect_Project"
+ },
+ {
+ "source_name": "external_source",
+ "description": "InDepthUnpacking, course content for teaching malware anti-analysis techniques and mitigations, with emphasis on packers.",
+ "url": "https://github.com/knowmalware/InDepthUnpacking"
+ },
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/README.md",
+ "external_id": "M9002"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "anti-static-analysis"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6.json b/x-mitre-tactic/x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6.json
new file mode 100644
index 00000000..fa78fe0b
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6.json
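Review bot: The two third-party entries in `external_references` both use the generic `"source_name": "external_source"`, and the description cites them as `[[1]](#1)` and `[[2]](#2)`, markdown footnote anchors that resolve to nothing inside a STIX object, so tooling that renders the description (ATT&CK-style consumers resolve citations by `source_name`) will show dead links and cannot tell the two references apart. Give each reference a distinct `source_name` (e.g. `"Unprotect Project"` and `"InDepthUnpacking"`) and cite them by name in the description. The Unprotect reference is also a plain `http://` URL; for a catalog that analysis pipelines and analysts will follow, prefer the `https://` form if the host serves it, since an unauthenticated link to a malware-technique database can be tampered with in transit.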
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--48ea6ca0-3492-46aa-b2aa-8d604e0ec89a",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--389367d2-9dea-4ffe-b794-cfeaba83bcf6",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.076Z",
+ "modified": "2020-02-05T20:28:15.076Z",
+ "name": "Impact",
+ "description": "Behaviors that enable malware to achieve its mission of manipulating, interrupting, or destroying systems and/or data.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/impact/README.md",
+ "external_id": "M9008"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "impact"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898.json b/x-mitre-tactic/x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898.json
new file mode 100644
index 00000000..965a0175
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898.json
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--479d1d7a-5643-4c19-b86d-3f71fb601aa0",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--4fd027ac-dddc-4744-aa72-d1b4598d9898",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.074Z",
+ "modified": "2020-02-05T20:28:15.074Z",
+ "name": "Credential Access",
+ "description": "Behaviors to obtain credential access, allowing it or its underlying threat actor to assume control of an account, with the associated system and network permissions.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/credential-access/README.md",
+ "external_id": "M9005"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "credential-access"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589.json b/x-mitre-tactic/x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589.json
new file mode 100644
index 00000000..6667ffaa
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589.json
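Review bot: The Credential Access description has a dangling pronoun, "allowing it or its underlying threat actor" — the sentence's subject is "Behaviors", so "it" has no antecedent and a reader cannot tell whether the malware or the behavior is meant. Suggest `"description": "Behaviors to obtain credential access, allowing the malware or its underlying threat actor to assume control of an account, with the associated system and network permissions."`. The Exfiltration object later in this patch has the same construction ("the system on which it executes") and would benefit from the same fix.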
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--b9cf9b9f-0ccc-4dde-a181-09e9d9942bb2",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--5ca03153-2bfb-4540-acad-4eb54f188589",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.064Z",
+ "modified": "2020-02-05T20:28:15.064Z",
+ "name": "Command and Control",
+ "description": "Behaviors malware may use to communicate with systems under its control within a target network. There are many ways malware can establish command and control with various levels of covertness, depending on system configuration and network topology. Behaviors may relate to C2 servers or a bot that is part of a botnet.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/command-and-control/README.md",
+ "external_id": "M9004"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "command-and-control"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343.json b/x-mitre-tactic/x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343.json
new file mode 100644
index 00000000..3c167acf
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343.json
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--0cf97986-94f6-4a35-b706-6bb5b33d6118",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--69c52ee6-8372-40be-8efc-200896493343",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.058Z",
+ "modified": "2020-02-05T20:28:15.058Z",
+ "name": "Collection",
+ "description": "Behaviors that identify and gather information, such as sensitive files, from a target network prior to exfiltration. This objective includes locations on a system or network where the malware may look for information to exfiltrate.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/collection/README.md",
+ "external_id": "M9003"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "collection"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a.json b/x-mitre-tactic/x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a.json
new file mode 100644
index 00000000..4e92275d
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a.json
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--7e8de8d0-9967-44a7-8a7a-52f2f5683421",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--911377e6-b712-4754-a865-3e2989512b9a",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.068Z",
+ "modified": "2020-02-05T20:28:15.068Z",
+ "name": "Exfiltration",
+ "description": "Behaviors that steal data from the system on which it executes. This includes stored data (e.g., files) as well as data input into applications (e.g., web browser).",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/exfiltration/README.md",
+ "external_id": "M9010"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "exfiltration"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--97051199-043f-4e26-b548-beeccdd7be3e.json b/x-mitre-tactic/x-mitre-tactic--97051199-043f-4e26-b548-beeccdd7be3e.json
new file mode 100644
index 00000000..a1f5ec77
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--97051199-043f-4e26-b548-beeccdd7be3e.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--c72978f1-5a01-486b-9e07-df1282503d27",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--97051199-043f-4e26-b548-beeccdd7be3e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.054Z",
+ "modified": "2020-02-05T20:28:15.054Z",
+ "name": "Theoretical Behaviors",
+ "description": "The following malware behaviors have been theorized. Proof-of-concept code has been created for some, but there are no in-the-wild examples of the behavior. Therefore, they are not appropriate for inclusion in the MBC.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/theoretical-behaviors/README.md"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "theoretical-behaviors"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2.json b/x-mitre-tactic/x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2.json
new file mode 100644
index 00000000..1e84e9a2
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2.json
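Review bot: This is the only tactic object in the release whose `mitre-mbc` reference has no `external_id` — every other tactic carries an `M90xx` identifier — so any consumer that keys tactics by that identifier (the usual way ATT&CK-derived data is indexed, though I cannot see the consumers here) will get an entry with no key or silently drop it. Either assign an identifier in the same series or state in the description that this object is intentionally unnumbered. The description itself also reads as the intro paragraph of a README ("The following malware behaviors have been theorized…") rather than a description of the tactic, and its last sentence says these behaviors "are not appropriate for inclusion in the MBC", which contradicts shipping the object; suggest something like `"Behaviors that have been theorized or demonstrated only as proof-of-concept code, with no in-the-wild examples; tracked separately from the catalog proper."`.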
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--625c03f8-d43d-46b4-8bbf-d9938237dc7f",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--9b3422b7-bc43-4b28-8d51-ba68782a9da2",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.071Z",
+ "modified": "2020-02-05T20:28:15.071Z",
+ "name": "Defense Evasion",
+ "description": "Behaviors that evade detection or avoid other defenses.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/defense-evasion/README.md",
+ "external_id": "M9006"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "defense-evasion"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa.json b/x-mitre-tactic/x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa.json
new file mode 100644
index 00000000..b8ca553b
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa.json
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--048e0cc3-b4aa-4932-a66e-cc731ef65462",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--9f09f947-5fc6-455f-b7eb-504c2ba972aa",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.062Z",
+ "modified": "2020-02-05T20:28:15.062Z",
+ "name": "Discovery",
+ "description": "Behaviors that aim to gain knowledge about the system and internal network.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/discovery/README.md",
+ "external_id": "M9007"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "discovery"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906.json b/x-mitre-tactic/x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906.json
new file mode 100644
index 00000000..d6c23a48
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906.json
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--6dfd1efa-319a-4f25-9c73-602f935fbc14",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--d2f87328-9fe0-4f81-800e-ea1058f49906",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.067Z",
+ "modified": "2020-02-05T20:28:15.067Z",
+ "name": "Persistence",
+ "description": "Malware aims to remain on a system regardless of system events.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/README.md",
+ "external_id": "M9012"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "persistence"
+ }
+ ]
+}
\ No newline at end of file
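Review bot: In the Persistence hunk (the second hunk on this line), the description `"Malware aims to remain on a system regardless of system events."` is the only tactic description in this release that is not phrased as "Behaviors that …", so it describes the malware's goal rather than the category of behaviors the tactic groups, and reads oddly next to the others when tools list tactics side by side. Suggest `"description": "Behaviors that enable malware to remain on a system regardless of system events."` to match the rest of the set.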
diff --git a/x-mitre-tactic/x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3.json b/x-mitre-tactic/x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3.json
new file mode 100644
index 00000000..ffc54b57
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3.json
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--cf810144-51a5-4a88-921c-cf9f4bd15c16",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--d896bd1c-d0e9-4281-9755-9b76a7c963d3",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.072Z",
+ "modified": "2020-02-05T20:28:15.072Z",
+ "name": "Privilege Escalation",
+ "description": "Behaviors that aim to obtain a higher level of permission.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/privilege-escalation/README.md",
+ "external_id": "M9013"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "privilege-escalation"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e.json b/x-mitre-tactic/x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e.json
new file mode 100644
index 00000000..60335e61
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--2bb93d73-8517-4cd9-bf4f-10932e2c13e3",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--eb6166b0-f3c9-4124-aeb9-662941baa19e",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.061Z",
+ "modified": "2020-02-05T20:28:15.061Z",
+ "name": "Anti-Behavioral Analysis",
+ "description": "Behaviors that prevent, obstruct, or evade behavioral analysis (sandbox, debugger, etc). Because the underlying methods differ, separate \"detection\" and \"evasion\" behaviors are defined for some anti-behavioral analysis areas (e.g., anti-debugger). \n\nTwo primary resources for anti-behavioral analysis behaviors are [[1]](#1) and [[2]](#2).",
+ "external_references": [
+ {
+ "source_name": "external_source",
+ "description": "Unprotect Project, a database about malware self-defense and protection.",
+ "url": "http://unprotect.tdgt.org/index.php/Unprotect_Project"
+ },
+ {
+ "source_name": "external_source",
+ "description": "InDepthUnpacking, course content for teaching malware anti-analysis techniques and mitigations, with emphasis on packers.",
+ "url": "https://github.com/knowmalware/InDepthUnpacking"
+ },
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/anti-behavioral-analysis/README.md",
+ "external_id": "M9001"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "anti-behavioral-analysis"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/x-mitre-tactic/x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json b/x-mitre-tactic/x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json
new file mode 100644
index 00000000..569e44e2
--- /dev/null
+++ b/x-mitre-tactic/x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b.json
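Review bot: The description string has a stray trailing space before the paragraph break, `(e.g., anti-debugger). \n\n`, which survives into any rendered output and into any hash or exact-match comparison of the object, and is most likely a leftover from the markdown source; drop it so the paragraph ends at the period. This object also repeats the pattern from the Anti-Static Analysis tactic: two references both named `"external_source"`, cited from the description as `[[1]](#1)`/`[[2]](#2)` anchors that resolve to nothing inside a STIX object, and an `http://` Unprotect URL; give the references distinct `source_name` values, cite them by name, and use `https://` if the host offers it.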
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--37f4037b-cb88-42dd-b9c3-35b40b7aebc2",
+ "objects": [
+ {
+ "type": "x-mitre-tactic",
+ "id": "x-mitre-tactic--f95436cf-2e09-4541-b88a-f3fb6ec3b63b",
+ "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
+ "created": "2020-02-05T20:28:15.065Z",
+ "modified": "2020-02-05T20:28:15.065Z",
+ "name": "Execution",
+ "description": "Behaviors that execute code on a system to achieve a variety of goals.",
+ "external_references": [
+ {
+ "source_name": "mitre-mbc",
+ "url": "https://github.com/MBCProject/mbc-markdown/blob/master/execution/README.md",
+ "external_id": "M9009"
+ }
+ ],
+ "spec_version": "2.1",
+ "object_marking_refs": [
+ "marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3"
+ ],
+ "x_mitre_shortname": "execution"
+ }
+ ]
+}
\ No newline at end of file