ATT&CK v16.0 Enterprise
adpare committed Oct 30, 2024
1 parent 680236d commit 1a6f154
Showing 21,328 changed files with 82,168 additions and 32,706 deletions.
@@ -1,6 +1,6 @@
{
"type": "bundle",
"id": "bundle--8c085b46-0db9-4eba-80e1-c05f59284d16",
"id": "bundle--d46f9ec8-949d-4465-a930-93643b80fd9f",
"spec_version": "2.0",
"objects": [
{
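Review bot: the bundle `id` is regenerated on every export (this hunk, and the identical one-line hunks in the other bundle files in this commit), so anything consuming these files must key on the `id` of each object inside `objects`, never on the bundle id. If the exporter can derive the bundle UUID deterministically from its contents (for example a UUIDv5 over the sorted object ids), these no-op hunks disappear and the diff shrinks to the real content changes.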
@@ -1,12 +1,12 @@
{
"type": "bundle",
"id": "bundle--0b84c16a-ff56-4e89-ac6c-ddde0f733702",
"id": "bundle--8fe6361d-e509-41e2-bd49-c49daee88e6f",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-11-15T14:33:53.354Z",
"modified": "2024-10-13T16:13:47.770Z",
"name": "Scheduled Task",
"description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though <code>at.exe</code> can not access tasks created with <code>schtasks</code> or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. 
Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) ",
"description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. 
Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
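Review bot: the new description silently drops the whole paragraph on the deprecated `at` utility, including the cross-reference to [At](https://attack.mitre.org/techniques/T1053/002) and the note that `at.exe` cannot see tasks created with `schtasks` or the Control Panel; if that is intentional (the sub-technique still carries that content), say so in the commit message, otherwise restore it. In the added sentence, `Powershell Cmdlet` should read `PowerShell cmdlet`, and "create a scheduled task via an XML path" is ambiguous (a path to an XML file, or an XML task path?); spell out that the task is registered from a task-definition XML through the `PS_ScheduledTask` CIM class and name the WMI namespace the class lives in, so defenders can scope telemetry to task registration over WMI/CIM rather than via `schtasks.exe`. Minor: the Control Panel folder is "Administrative Tools", not "Administrator Tools", and `(Citation: Stack Overflow)` now props up that one GUI-location sentence; a Microsoft reference would be a stronger anchor for a technique description.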
@@ -37,7 +37,7 @@
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.5",
"x_mitre_version": "1.6",
"x_mitre_data_sources": [
"Windows Registry: Windows Registry Key Creation",
"File: File Modification",
@@ -74,8 +74,8 @@
},
{
"source_name": "Twitter Leoloobeek Scheduled Task",
"description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.",
"url": "https://twitter.com/leoloobeek/status/939248813465853953"
"description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved September 12, 2024.",
"url": "https://x.com/leoloobeek/status/939248813465853953"
},
{
"source_name": "Tarrask scheduled task",
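Review bot: replacing "Retrieved December 12, 2017" with "Retrieved September 12, 2024" throws away the evidence that the tweet was captured at the time it was first cited; the host change (twitter.com to x.com) keeps the same status ID, so consider keeping the original retrieval date and recording the URL update separately, and archive the post, since tweets are routinely deleted and this is the only source for the claim it backs.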
@@ -92,6 +92,11 @@
"description": "Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.",
"url": "https://technet.microsoft.com/library/dd315590.aspx"
},
{
"source_name": "Red Canary - Atomic Red Team",
"description": "Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled Task/Job: Scheduled Task. Retrieved June 19, 2024.",
"url": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"
},
{
"source_name": "TechNet Autoruns",
"description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
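Review bot: the new Red Canary URL points at `blob/master/atomics/T1053.005/T1053.005.md`, which moves whenever the atomics are reorganized; pin it to a commit hash (`blob/<sha>/...`) so the citation keeps resolving to the version that was reviewed, and consider naming the specific atomic test number that backs the `Invoke-CimMethod` claim in the description, since the page lists many tests.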
@@ -106,6 +111,11 @@
"source_name": "SigmaHQ",
"description": "Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022.",
"url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml"
},
{
"source_name": "Stack Overflow",
"description": "Stack Overflow. (n.d.). How to find the location of the Scheduled Tasks folder. Retrieved June 19, 2024.",
"url": "https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder"
}
],
"object_marking_refs": [
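Review bot: a Stack Overflow question ("How to find the location of the Scheduled Tasks folder") is a weak primary source for an ATT&CK technique description, and it does not obviously support the sentence it is attached to (opening Task Scheduler from Administrative Tools in the Control Panel); Microsoft's own Task Scheduler documentation covers both the GUI entry point and the on-disk task folder and would be the better citation here.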
@@ -1,6 +1,6 @@
{
"type": "bundle",
"id": "bundle--742c4aaf-6de9-4527-9ad5-1085f3619f4e",
"id": "bundle--aaa50ad0-8dd2-43dc-b947-4d5f7e30f67e",
"spec_version": "2.0",
"objects": [
{
@@ -1,6 +1,6 @@
{
"type": "bundle",
"id": "bundle--2b56ffdf-4343-4162-97f4-23c172b626e6",
"id": "bundle--c0dda483-6f69-4da4-bb1a-53a770074235",
"spec_version": "2.0",
"objects": [
{
@@ -1,6 +1,6 @@
{
"type": "bundle",
"id": "bundle--9f025e8f-f4f0-4a0a-8a12-16f82197b331",
"id": "bundle--aed3a0c8-a29e-4bbb-818e-bfa05c65ee0a",
"spec_version": "2.0",
"objects": [
{
@@ -1,10 +1,10 @@
{
"type": "bundle",
"id": "bundle--fbfc73e6-648e-49f9-aa72-abd721ee24c3",
"id": "bundle--9a772109-14eb-4b39-af03-a92f8e26c87a",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-03-30T21:01:46.879Z",
"modified": "2024-09-12T15:20:07.264Z",
"name": "VNC",
"description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (\u201cremote framebuffer\u201d) protocol to enable users to remotely control another computer\u2019s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\n\nVNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\n\nAdversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)",
"kill_chain_phases": [
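Review bot: `modified` advances by about eighteen months while the `description` line in this hunk is byte-for-byte unchanged; the remaining hunks in this file only reorder citations, switch one citation URL from http to https, and add schema flags. Confirm this is meant to count as a content revision, because downstream changelogs will list the technique as modified on the strength of this timestamp alone.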
@@ -13,12 +13,12 @@
"phase_name": "lateral-movement"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "Use of VNC may be legitimate depending on the environment and how it\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.\n\nOn macOS systems <code>log show --predicate 'process = \"screensharingd\" and eventMessage contains \"Authentication:\"'</code> can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMonitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)",
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Linux",
"macOS",
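Review bot: `x_mitre_deprecated: false` is introduced here while `x_mitre_modified_by_ref` leaves this position and reappears at the end of the object in the last hunk, so the hunk is a key reorder plus one new explicit flag. If the 3.2.0 spec now requires `revoked` and `x_mitre_deprecated` to be present explicitly, state that in the commit message so consumers know to update their validators rather than treating the new keys as noise.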
@@ -37,77 +37,79 @@
"id": "attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b",
"created": "2020-02-11T18:28:44.950Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1021/005",
"external_id": "T1021.005"
},
{
"source_name": "The Remote Framebuffer Protocol",
"description": "T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021.",
"url": "https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2"
"source_name": "Attacking VNC Servers PentestLab",
"description": "Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021.",
"url": "https://pentestlab.blog/2012/10/30/attacking-vnc-servers/"
},
{
"source_name": "MacOS VNC software for Remote Desktop",
"description": "Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.",
"url": "https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac"
},
{
"source_name": "VNC Authentication",
"description": "Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021.",
"url": "https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication"
},
{
"source_name": "Hijacking VNC",
"description": "Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021.",
"url": "https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc"
"source_name": "Havana authentication bug",
"description": "Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.",
"url": "https://lists.openstack.org/pipermail/openstack/2013-December/004138.html"
},
{
"source_name": "macOS root VNC login without authentication",
"description": "Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021.",
"url": "https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication"
},
{
"source_name": "VNC Vulnerabilities",
"description": "Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021.",
"url": "https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/"
},
{
"source_name": "Offensive Security VNC Authentication Check",
"description": "Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021.",
"url": "https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/"
},
{
"source_name": "Attacking VNC Servers PentestLab",
"description": "Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021.",
"url": "https://pentestlab.blog/2012/10/30/attacking-vnc-servers/"
"source_name": "Gnome Remote Desktop grd-settings",
"description": "Pascal Nowack. (n.d.). Retrieved September 21, 2021.",
"url": "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207"
},
{
"source_name": "Havana authentication bug",
"description": "Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.",
"url": "http://lists.openstack.org/pipermail/openstack/2013-December/004138.html"
"source_name": "Gnome Remote Desktop gschema",
"description": "Pascal Nowack. (n.d.). Retrieved September 21, 2021.",
"url": "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in"
},
{
"source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing",
"description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.",
"url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
},
{
"source_name": "Gnome Remote Desktop grd-settings",
"description": "Pascal Nowack. (n.d.). Retrieved September 21, 2021.",
"url": "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207"
"source_name": "VNC Vulnerabilities",
"description": "Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021.",
"url": "https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/"
},
{
"source_name": "Gnome Remote Desktop gschema",
"description": "Pascal Nowack. (n.d.). Retrieved September 21, 2021.",
"url": "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in"
"source_name": "The Remote Framebuffer Protocol",
"description": "T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021.",
"url": "https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2"
},
{
"source_name": "VNC Authentication",
"description": "Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021.",
"url": "https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication"
},
{
"source_name": "Hijacking VNC",
"description": "Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021.",
"url": "https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0"
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}
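Review bot: of the 77 old and 79 new lines in this hunk, the only content changes are the added `revoked: false`, the Havana citation moving from `http://` to `https://` with a new retrieval date, `x_mitre_attack_spec_version` going from 3.1.0 to 3.2.0, and `x_mitre_modified_by_ref` relocating to the end of the object; everything else is the `external_references` array re-sorted by `source_name`. Have the exporter emit references in a stable order (insertion order or a fixed sort, applied consistently across releases) so that a genuinely changed citation cannot hide inside a reorder, and so reviewers can read the real edits directly.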