From 7deb9f8e6c1dc5912f9f7c59156b5b6ff3b070ea Mon Sep 17 00:00:00 2001
From: ashlshen <140095563+ashlshen@users.noreply.github.com>
Date: Thu, 5 Oct 2023 13:04:33 +0200
Subject: [PATCH] Create qakbot-affiliated-actors-distribute-ransom.json
---
 2023/10/qakbot-affiliated-actors-distribute-ransom.json | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 2023/10/qakbot-affiliated-actors-distribute-ransom.json
diff --git a/2023/10/qakbot-affiliated-actors-distribute-ransom.json b/2023/10/qakbot-affiliated-actors-distribute-ransom.json
new file mode 100644
index 0000000..e6abffe
--- /dev/null
+++ b/2023/10/qakbot-affiliated-actors-distribute-ransom.json
@@ -0,0 +1 @@ +{"type": "bundle", "spec_version": "2.0", "id": "bundle--68b4eeb6-919a-4aab-aa3c-4c62056d03c0", "objects": [{"type": "identity", "id": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Talos", "identity_class": "organization"}, {"type": "report", "id": "report--b5513bbb-049c-4bc8-a266-e8569d7771ee", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Qakbot-affiliated actors distribute Ransom Night malware despite infrastructure takedown", "published": "2023-10-05T08:27:41Z", "object_refs": ["x-misp-attribute--b9830c20-a9fd-486e-8192-a18d5501b1e6", "x-misp-attribute--5f2090e0-1b8e-49b5-98c8-6ff9339e1aa7", "x-misp-attribute--f8b40d89-ef95-4451-b418-9fdfcceef508", "observed-data--2aae8d38-2c1b-4867-aedb-cd61ef65730b", "indicator--45d475a4-82a2-4377-9dca-63d645e11294", "indicator--0bc56e7d-b9b8-43be-bdab-c060b61e844f", "indicator--6a9942a2-c591-42d0-97f0-1bb2db99e6dc", "indicator--543cb9d9-57d4-4bb9-9377-b0ed60cada19", "indicator--f6a0c3b9-6989-4214-addd-2d11e5e05cf1", "indicator--6151ffba-fed3-45aa-9aec-3295ead6a54f", "indicator--1fd3d5e5-9e03-4d04-8511-cf9ea5f0f757", "indicator--68471ba4-b442-4a73-a7f4-d14fa13d5feb", "indicator--2909e294-43ee-490e-8a83-8a1d42726f01", "indicator--c66d6977-c8bb-4a21-94b9-5a846abb6337", "indicator--31c0c8c8-da87-4067-8523-ba00a0d9dd40", "indicator--285b7fff-b3db-4ab2-a667-ee2902636f65", "indicator--d1050283-7809-4578-a711-5cbc273f6b3c", "indicator--4b575fdb-f5f1-4f1e-a07a-8924e9977ec6", "indicator--285dcc50-e890-4e39-a381-32929d620969", "indicator--0db5a4c3-ee86-4c3b-bee2-4a03385f3f21", "indicator--ea30ee9e-2765-4df7-ad86-64db03e71191", "indicator--7e5dfaa7-cb92-49b3-959d-48696eecd8ac", "indicator--6eec67da-6c36-4eb9-a82a-901679f9034b", "indicator--85492e4f-7a2e-4ce1-9645-fdc3c0d860b5", 
"indicator--f1e5529f-15a3-4142-bcdf-751309bd2b0f", "indicator--46b29c79-e393-4141-bbbf-575757a04f2f", "indicator--b04ccf2a-8f0f-4c44-acf4-b5edca8a9cba", "indicator--fcc02b2a-4f8d-4024-9361-4e91e66bfb9c", "indicator--dc761584-5dd6-48d4-8ea7-a0374e8af66c", "tool--7cd0bc75-055b-4098-a00e-83dc8beaff14", "attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef", "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979", "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298", "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc", "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470", "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004", "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391", "attack-pattern--46944654-fcc1-4f63-9dad-628102376586", "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52", "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e", "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", "attack-pattern--d519cfd5-f3a8-43a9-a846-ed0bb40672b1"], "labels": ["Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "Knight", "Qakbot", "ta577", " Remcos Remote Access Trojan", "Talos_Intel_Blog"], "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"]}, {"type": "x-misp-attribute", "id": "x-misp-attribute--b9830c20-a9fd-486e-8192-a18d5501b1e6", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:20:43.000Z", "modified": 
"2023-10-04T21:20:43.000Z", "labels": ["misp:type=\"threat-actor\"", "misp:category=\"Attribution\""], "x_misp_category": "Attribution", "x_misp_comment": "Threat actor for Qakbot", "x_misp_type": "threat-actor", "x_misp_value": "TA577 Qakbot gang"}, {"type": "x-misp-attribute", "id": "x-misp-attribute--5f2090e0-1b8e-49b5-98c8-6ff9339e1aa7", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:21:27.000Z", "modified": "2023-10-04T21:21:27.000Z", "labels": ["misp:type=\"text\"", "misp:category=\"Payload type\""], "x_misp_category": "Payload type", "x_misp_comment": "Remcos RAT distributed by Qakbot gang", "x_misp_type": "text", "x_misp_value": "Remcos"}, {"type": "x-misp-attribute", "id": "x-misp-attribute--f8b40d89-ef95-4451-b418-9fdfcceef508", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:22:03.000Z", "modified": "2023-10-04T21:22:03.000Z", "labels": ["misp:type=\"text\"", "misp:category=\"Payload type\""], "x_misp_category": "Payload type", "x_misp_comment": "Ransom Knight distributed by Qakbot gang", "x_misp_type": "text", "x_misp_value": "Ransom Knight"}, {"type": "observed-data", "id": "observed-data--2aae8d38-2c1b-4867-aedb-cd61ef65730b", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:23:12.000Z", "modified": "2023-10-04T21:23:12.000Z", "first_observed": "2023-10-04T21:23:12Z", "last_observed": "2023-10-04T21:23:12Z", "number_observed": 1, "objects": {"0": {"type": "url", "value": "https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom"}}, "labels": ["misp:type=\"url\"", "misp:category=\"External analysis\""]}, {"type": "indicator", "id": "indicator--45d475a4-82a2-4377-9dca-63d645e11294", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 
'006e0b5f47462c4d755b3f84e22b90f09fb6b369032a3ca72f39180e5395ed17']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--0bc56e7d-b9b8-43be-bdab-c060b61e844f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '19bae62fc0a3a64c80b666237c2f04706e3b89c5a6ea6be055df22122e5f8a63']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--6a9942a2-c591-42d0-97f0-1bb2db99e6dc", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '25cc64a072861840df9dfa7b2449165e4c37d57c542da8ec4ea4fffa10f1be39']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--543cb9d9-57d4-4bb9-9377-b0ed60cada19", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '44065decc86f79ebbd56b27f1db8c7bd5843147f3fa8e577604c0ed45317b016']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": 
"indicator", "id": "indicator--f6a0c3b9-6989-4214-addd-2d11e5e05cf1", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '6e0062ccdfa7a117a8b76d4056ac144fdf91f3a2811b32d5a3b7f31ac326181b']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--6151ffba-fed3-45aa-9aec-3295ead6a54f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '75c562f9101eab86d03386fcf0ddfe3cdebec0008c2c5b5a94047c06ddeb2566']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--1fd3d5e5-9e03-4d04-8511-cf9ea5f0f757", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '78784c02843a518bdc546534759dcdb3ea523c54751858a51f39e0f9d1492868']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--68471ba4-b442-4a73-a7f4-d14fa13d5feb", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 
'7ab8bcf9b4dc63ad3d9e1fe8eb2e8292a1545871fb2e3b5dd83c96a2b7e33b41']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--2909e294-43ee-490e-8a83-8a1d42726f01", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '877f8a66be5c99d5a4636d74c566d61ebc1951049be5fa8968c132922ca4ba18']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--c66d6977-c8bb-4a21-94b9-5a846abb6337", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 'af5f5aa32a3e2bc802b9863c20de2eac0ca14e1002c02396e63e2aa38eb351c6']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--31c0c8c8-da87-4067-8523-ba00a0d9dd40", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 'bfd2c062c12a261c4460cdc59cc9f7e80b72b455e852d08c106f12a3d657a575']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": 
"indicator", "id": "indicator--285b7fff-b3db-4ab2-a667-ee2902636f65", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 'd0013d23218a1aafdea792a0599b746af6966f765181c8c1dbfe7257be0cb022']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--d1050283-7809-4578-a711-5cbc273f6b3c", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 'd522a32eebc7f0108dbff116b7fa9dd457bf9f062465060115ec423c567c5115']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--4b575fdb-f5f1-4f1e-a07a-8924e9977ec6", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 'e38a1648fc6494f881e3b793688ef4d69e925137c4c7494f4dd6c6604142a2bc']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--285dcc50-e890-4e39-a381-32929d620969", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 
'ec4ac7ade34402ad3757e97d03de7aa3dfee0ed53f28f32c99d8dbbb96958dcb']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--0db5a4c3-ee86-4c3b-bee2-4a03385f3f21", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 'f2e2427107648e8d7be5f4e42341c702ceddb442191434128cbbf15c0325d8e9']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--ea30ee9e-2765-4df7-ad86-64db03e71191", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '7b4d227fddcc4e93ea0cdf017026ff2dad6efd6bc7de71b689dc0595a2a4fb4d']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--7e5dfaa7-cb92-49b3-959d-48696eecd8ac", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 'a2c654357d790d7c4cec619de951649db31ecdb63935f38b11bb37f983ff58de']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": 
"indicator", "id": "indicator--6eec67da-6c36-4eb9-a82a-901679f9034b", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 'c42ad519510936f14ab46fbad53606db8132ea52a11e3fc8d111fbccc7d9ab5a']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--85492e4f-7a2e-4ce1-9645-fdc3c0d860b5", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '34ea4cad8558fcab75631a44eae492a54e1cf9ae2f52e7d5fa712686acd06437']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--f1e5529f-15a3-4142-bcdf-751309bd2b0f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = '597541041b49043bd2abd482b3bf4dd233a0dbb47d5ef704ea9ee28705d2764b']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--46b29c79-e393-4141-bbbf-575757a04f2f", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 
'86e96d3d22ead8f41f6a29f7bfe4b35c0d4ae5bd8da046ff0d01d9c6ea678dc2']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--b04ccf2a-8f0f-4c44-acf4-b5edca8a9cba", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[file:hashes.SHA256 = 'ef74d2b8d1767667fb6817916f7d2d2c998358e07422a6af246151e0299f26aa']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Payload delivery"}], "labels": ["misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--fcc02b2a-4f8d-4024-9361-4e91e66bfb9c", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.23.96.203']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, {"type": "indicator", "id": "indicator--dc761584-5dd6-48d4-8ea7-a0374e8af66c", "created_by_ref": "identity--5df15c12-89fc-45a7-9620-0044ac110004", "created": "2023-10-04T21:26:06.000Z", "modified": "2023-10-04T21:26:06.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.34.188.7']", "valid_from": "2023-10-04T21:26:06Z", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""]}, 
{"type": "tool", "id": "tool--7cd0bc75-055b-4098-a00e-83dc8beaff14", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Remcos - S0332", "description": "Name of ATT&CK software | [Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-tool"}], "labels": ["misp:galaxy-name=\"Tool\"", "misp:galaxy-type=\"mitre-tool\"", "misp-galaxy:mitre-tool=\"Remcos - S0332\""], "external_references": [{"source_name": "mitre-attack", "external_id": "S0332"}]}, {"type": "attack-pattern", "id": "attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Communication Through Removable Media - T1092", "description": "ATT&CK Tactic | Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). 
Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Communication Through Removable Media - T1092\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1092"}]}, {"type": "attack-pattern", "id": "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Executable Installer File Permissions Weakness - T1574.005", "description": "ATT&CK Tactic | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. 
When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Executable Installer File Permissions Weakness - T1574.005\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1574.005"}]}, {"type": "attack-pattern", "id": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Disable or Modify Tools - T1562.001", "description": "ATT&CK Tactic | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. 
This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\""], "external_references": [{"source_name": "capec", "external_id": "CAPEC-578"}]}, {"type": "attack-pattern", "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Obfuscated Files or Information - T1027", "description": "ATT&CK Tactic | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. 
Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. 
(Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\""], "external_references": [{"source_name": "capec", "external_id": "CAPEC-267"}]}, {"type": "attack-pattern", "id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Process Discovery - T1424", "description": "ATT&CK Tactic | On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1424\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1424"}]}, {"type": "attack-pattern", "id": "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Extra Window Memory Injection - T1055.011", "description": "ATT&CK Tactic | Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. 
EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process\u2019s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process\u2019s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. 
(Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Extra Window Memory Injection - T1055.011\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1055.011"}]}, {"type": "attack-pattern", "id": "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Credentials In Files - T1552.001", "description": "ATT&CK Tactic | Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. 
(Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\""], "external_references": [{"source_name": "capec", "external_id": "CAPEC-639"}]}, {"type": "attack-pattern", "id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "File and Directory Discovery - T1420", "description": "ATT&CK Tactic | On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). 
The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1420\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1420"}]}, {"type": "attack-pattern", "id": "attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Email Account - T1087.003", "description": "ATT&CK Tactic | Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)\n\nIn on-premises Exchange and Exchange Online, theGet-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)\n\nIn Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. 
Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Email Account - T1087.003\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1087.003"}]}, {"type": "attack-pattern", "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Data from Local System - T1533", "description": "ATT&CK Tactic | Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system.\n\nLocal system data includes information stored by the operating system. Access to local system data often requires escalated privileges (e.g. root access). Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos.", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1533\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1533"}]}, {"type": "attack-pattern", "id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Automated Collection - T1119", "description": "ATT&CK Tactic | Once established within a system or network, an adversary may use automated techniques for collecting internal data. 
Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1119"}]}, {"type": "attack-pattern", "id": "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Local Email Collection - T1114.001", "description": "ATT&CK Tactic | Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user\u2019s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. 
Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\\\Documents\\Outlook Files` or `C:\\Users\\\\AppData\\Local\\Microsoft\\Outlook`.(Citation: Microsoft Outlook Files)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Local Email Collection - T1114.001\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1114.001"}]}, {"type": "attack-pattern", "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Debugger Evasion - T1622", "description": "ATT&CK Tactic | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. 
They may also search for debugger artifacts before dropping secondary or additional payloads.\n\nSpecific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \u201cswallow\u201d or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1622"}]}, {"type": "attack-pattern", "id": "attack-pattern--46944654-fcc1-4f63-9dad-628102376586", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "DLL Search Order Hijacking - T1038", "description": "ATT&CK Tactic | Windows systems use a common method to look for required DLLs to load into a program. 
(Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence. \n\nAdversaries may perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft 2269637) Adversaries may use this behavior to cause the program to load a malicious DLL. \n\nAdversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. (Citation: Microsoft DLL Redirection) (Citation: Microsoft Manifests) (Citation: Mandiant Search Order)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. 
In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.\n\nPrograms that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1038\""], "external_references": [{"source_name": "capec", "external_id": "CAPEC-471"}]}, {"type": "attack-pattern", "id": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Invalid Code Signature - T1036.001", "description": "ATT&CK Tactic | Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. 
Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Invalid Code Signature - T1036.001\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1036.001"}]}, {"type": "attack-pattern", "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "PowerShell - T1059.001", "description": "ATT&CK Tactic | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. 
Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]}, {"type": "attack-pattern", "id": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Indirect Command Execution - T1202", "description": "ATT&CK Tactic | Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). 
For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Indirect Command Execution - T1202\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1202"}]}, {"type": "attack-pattern", "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Process Injection - T1055", "description": "ATT&CK Tactic | Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. 
\n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\""], "external_references": [{"source_name": "capec", "external_id": "CAPEC-640"}]}, {"type": "attack-pattern", "id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Application Layer Protocol - T1071", "description": "ATT&CK Tactic | Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. 
", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1071"}]}, {"type": "attack-pattern", "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Ingress Tool Transfer - T1105", "description": "ATT&CK Tactic | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. 
On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\""], "external_references": [{"source_name": "mitre-attack", "external_id": "T1105"}]}, {"type": "attack-pattern", "id": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Modify Registry - T1112", "description": "ATT&CK Tactic | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. 
It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\""], "external_references": [{"source_name": "capec", "external_id": "CAPEC-203"}]}, {"type": "attack-pattern", "id": "attack-pattern--d519cfd5-f3a8-43a9-a846-ed0bb40672b1", "created": "2023-10-05T08:26:39.000Z", "modified": "2023-10-05T08:26:39.000Z", "name": "Install Root Certificate - T1130", "description": "ATT&CK Tactic | Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. 
(Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. (Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. (Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain. (Citation: objective-see ay mami 2018)", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "mitre-attack-pattern"}], "labels": ["misp:galaxy-name=\"Attack Pattern\"", "misp:galaxy-type=\"mitre-attack-pattern\"", "misp-galaxy:mitre-attack-pattern=\"Install Root Certificate - T1130\""], "external_references": [{"source_name": "capec", "external_id": "CAPEC-479"}]}, {"type": "marking-definition", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "definition": {"tlp": "white"}}]}