
Organizational Information Gathering

 

Organizational information gathering consists of the process of identifying critical organizational elements of intelligence an adversary will need about a target in order to best attack. Similar to competitive intelligence, organizational intelligence gathering focuses on understanding the operational tempo of an organization and gathering a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.

Techniques

 

Techniques: 11

ID  Name  Description

T1277  Acquire OSINT data sets and information
Data sets can be anything from Securities and Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world.

T1279  Conduct social engineering
Social engineering is the practice of manipulating people in order to get them to divulge information or take an action.

T1284  Determine 3rd party infrastructure services
A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise.

T1285  Determine centralization of IT management
Determining whether a "corporate" help desk exists, the degree of access and control it has, and whether there are "edge" units that may have different support processes and standards.

T1282  Determine physical locations
Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility.

T1286  Dumpster dive
Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest.

T1280  Identify business processes/tempo
Understanding an organization's business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic.

T1283  Identify business relationships
Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationships.

T1278  Identify job postings and needs/gaps
Job postings, on either company sites or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as an under-resourced IT shop). Job postings can also provide information on an organization's structure, which could be valuable in social engineering attempts.

T1276  Identify supply chains
Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships.

T1281  Obtain templates/branding materials
Templates and branding materials may be used by an adversary to add authenticity to social engineering messages.

Technical Information Gathering

Technical information gathering consists of the process of identifying critical technical elements of intelligence an adversary will need about a target in order to best attack. Technical intelligence gathering includes, but is not limited to, understanding the target's network architecture, IP space, network services, email format, and security procedures.

Techniques

 

Techniques: 20

ID  Name  Description

T1247  Acquire OSINT data sets and information
Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world.

T1254  Conduct active scanning
Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system.

T1253  Conduct passive scanning
Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system.

T1249  Conduct social engineering
Social engineering is the practice of manipulating people in order to get them to divulge information or take an action.

T1260  Determine 3rd party infrastructure services
Infrastructure services include the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than by the owning organization.

T1250  Determine domain and IP address space
Domain names are the human-readable names used to represent one or more IP addresses. IP addresses are the unique identifiers of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network.

T1259  Determine external network trust dependencies
Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs).

T1258  Determine firmware version
Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions.

T1255  Discover target logon/email address format
Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example, if a known email address is first.last@company.com, it is likely that others in the company will have an email in the same format.

T1262  Enumerate client configurations
Client configuration information, such as the operating system and web browser, along with additional information such as version or language, is often transmitted as part of web browsing communications. This can be accomplished in several ways, including use of a compromised web site to collect details on visiting computers.

T1261  Enumerate externally facing software applications technologies, languages, and dependencies
Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary.

T1248  Identify job postings and needs/gaps
Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in an attack, or provide insight into possible security weaknesses or limitations in detection or protection mechanisms.

T1263  Identify security defensive capabilities
Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses.

T1246  Identify supply chains
Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain.

T1264  Identify technology usage patterns
Technology usage patterns include identifying if users work offsite, connect remotely, or use other possibly less restricted/secured access techniques.

T1256  Identify web defensive services
An adversary can attempt to identify web defensive services such as CloudFlare, IPBan, and Snort. This may be done by passively detecting services, like CloudFlare routing, or actively, such as by purposefully tripping security defenses.

T1252  Map network topology
A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related.

T1257  Mine technical blogs/forums
Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as the operating system (OS), network devices, or applications in use.

T1251  Obtain domain/IP registration information
For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization.

T1397  Spearphishing for Information
Spearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it doesn't leverage malicious code. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers, or other electronic conversation means.

Groups

Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Organizations' group definitions may be only partially overlapping and may be in disagreement on specific activity.

Groups are mapped to publicly reported technique use and referenced in the ATT&CK threat model. Groups are also mapped to reported software used during intrusions.



Spearphishing Attachment

Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
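As an added defender-side example (not part of the ATT&CK page), the check below screens a mail attachment for the disguises described above and in the group examples that follow: double extensions, PE executables carrying a document name, .iqy web query files, macro-enabled Office documents, and zip archives that are password protected or contain .exe/.scr/.lnk payloads. The magic-byte table, flag names and sample files are constructed for this example; only zip containers are inspected, not RAR.

```python
import io
import zipfile

# Leading bytes of the file types named in the technique text (constructed lookup, not exhaustive).
MAGIC = {
    b"MZ": "pe-executable",                   # .exe / .scr
    b"%PDF": "pdf",
    b"{\\rtf": "rtf",
    b"PK\x03\x04": "zip-container",           # .zip, but also OOXML (.docx/.xlsm)
    b"\xd0\xcf\x11\xe0": "ole2",              # legacy .doc/.xls
    b"L\x00\x00\x00\x01\x14\x02\x00": "lnk",  # Windows shortcut
}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "xlsm", "rtf", "pdf", "hwp"}
EXECUTABLE_EXTS = {"exe", "scr", "lnk"}
OOXML_EXTS = {"docx", "xlsx", "xlsm", "pptx", "docm", "pptm"}
MACRO_EXTS = {"xlsm", "docm", "pptm"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_archive(data: bytes) -> list[str]:
    """Flag archives that are password protected or carry executables/LNK files."""
    flags = set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    flags.add("encrypted-archive")
                inner_ext = info.filename.lower().rsplit(".", 1)[-1]
                if inner_ext in EXECUTABLE_EXTS:
                    flags.add("archive-contains-" + inner_ext)
    except zipfile.BadZipFile:
        flags.add("malformed-archive")
    return sorted(flags)


def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return sorted risk flags for one attachment; an empty list means nothing matched."""
    flags = set()
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        flags.add("double-extension")  # e.g. invoice.pdf.exe
    if kind == "pe-executable" and ext in DOCUMENT_EXTS:
        flags.add("executable-disguised-as-document")  # PE bytes under a document name
    if ext in EXECUTABLE_EXTS or kind in ("pe-executable", "lnk"):
        flags.add("executable-attachment")
    if ext == "iqy":
        flags.add("excel-web-query")
    if ext in MACRO_EXTS:
        flags.add("macro-enabled-document")
    if kind == "zip-container" and ext not in OOXML_EXTS:
        flags.update(inspect_archive(data))
    return sorted(flags)


def build_sample_archive(inner_name: str, encrypted: bool) -> bytes:
    """Constructed test zip; the encryption bit is set by patching the central directory
    because the standard library cannot write encrypted entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"constructed sample, not a real program")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x01\x02") + 8] |= 0x1  # central directory: general purpose flag
    return bytes(data)
```

A mail gateway would run assess_attachment over every MIME part and quarantine or tag messages whose flag list is non-empty; the "encrypted-archive" flag is the one to pair with a body-text check for a password, the evasion the paragraph describes.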


Examples

Name Description

APT19

APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.[1]

APT28

APT28 sent spearphishing emails containing malicious Microsoft Office attachments.[2][3][4][5]

APT29

APT29 has used spearphishing with an attachment to deliver files with exploits to initial victims.[6]

APT32

APT32 sends emails to victims with a malicious executable disguised as a document or spreadsheet displaying a fake icon.[7]

APT37

APT37 delivers malware using spearphishing emails with malicious HWP attachments.[8][9]

BRONZE BUTLER

BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.[10]

Cobalt Group

Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.[11][12][13][14][15][16]

DarkHydrus

DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server.[17][18][19]

Dragonfly 2.0

Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims.[20][21]

Elderwood

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.[22][23]

FIN7

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[24][25]

FIN8

FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.[26][27][28]

Gorgon Group

Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.[29]

Lazarus Group

Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.[30]

Leviathan

Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[31]

Magic Hound

Magic Hound sent malicious attachments to victims over email, including an Excel spreadsheet containing macros to download Pupy.[32]

menuPass

menuPass has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents.[33][34][35]

MuddyWater

MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.[36][37]

OilRig

OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.[38][39]

Patchwork

Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.[40][41][42][43]

PLATINUM

PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.[44]

Rancor

Rancor has attached a malicious document to an email to gain initial access.[45]

TA459

TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.[46]

