{
"authors": [
"MITRE"
],
"category": "attack-pattern",
"description": "ATT&CK tactic",
"name": "Attack Pattern",
"source": "https://github.com/mitre/cti",
"type": "mitre-attack-pattern",
"uuid": "dcb864dc-775f-11e7-9fbb-1f41b4996683",
"values": [
{
"description": "Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[[Citation: University of Birmingham C2]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X\n\nData Sources: User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis",
"meta": {
"mitre_data_sources": [
"User interface",
"Process monitoring",
"Process use of network",
"Packet capture",
"Netflow/Enclave netflow",
"Network protocol analysis"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Linux",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1048",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
],
"uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776"
},
"value": "Exfiltration Over Alternative Protocol"
},
{
"description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.[[Citation: University of Birmingham C2]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X\n\nData Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring",
"meta": {
"mitre_data_sources": [
"Packet capture",
"Netflow/Enclave netflow",
"Process use of network",
"Malware reverse engineering",
"Process monitoring"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Linux",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1071",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
],
"uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"value": "Standard Application Layer Protocol"
},
{
"description": "Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code>[[Citation: AppleDocs Launch Agent Daemons]][[Citation: OSX Keydnap malware]][[Citation: Antiquated Mac Malware]]. These launch agents have property list files which point to the executables that will be launched[[Citation: OSX.Dok Malware]].\n \nAdversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories [[Citation: Sofacy Komplex Trojan]] [[Citation: Methods of Mac Malware Persistence]]. The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in[[Citation: OSX Malware Detection]][[Citation: OceanLotus for OS X]]. They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).\n\nDetection: Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\n\nPlatforms: MacOS, OS X\n\nData Sources: File monitoring, Process Monitoring",
"meta": {
"mitre_data_sources": [
"File monitoring",
"Process Monitoring"
],
"mitre_platforms": [
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1159",
"https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/",
"https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
"https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
"https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/",
"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf",
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
"https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update",
"https://www.synack.com/wp-content/uploads/2016/03/RSA%20OSX%20Malware.pdf"
],
"uuid": "12f399b0-d9de-4f60-a262-22c21baae140"
},
"value": "Launch Agent"
},
{
"description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.\n\nDetection: Monitor file access on removable media. Detect processes that execute when removable media is mounted.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X\n\nData Sources: File monitoring, Data loss prevention",
"meta": {
"mitre_data_sources": [
"File monitoring",
"Data loss prevention"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Linux",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1092"
],
"uuid": "64196062-5210-42c3-9a02-563a0d1797ef"
},
"value": "Communication Through Removable Media"
},
{
"description": "Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command <code>runas</code>. [[Citation: Microsoft runas]]\n \nAdversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level.[[Citation: Pentestlab Token Manipulation]]\n\nAdversaries can also create spoofed access tokens if they know the credentials of a user. Any standard user can use the <code>runas</code> command, and the Windows API functions, to do this; it does not require access to an administrator account.\n\nLastly, an adversary can use a spoofed token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.\n\nMetasploit’s Meterpreter payload allows arbitrary token stealing and uses token stealing to escalate privileges. [[Citation: Metasploit access token]] The Cobalt Strike beacon payload allows arbitrary token stealing and can also create tokens. 
[[Citation: Cobalt Strike Access Token]]\n\nDetection: If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the <code>runas</code> command. Detailed command-line logging is not enabled by default in Windows.[[Citation: Microsoft Command-line Logging]]\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. \n\nThere are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., <code>LogonUser</code>[[Citation: Microsoft LogonUser]], <code>DuplicateTokenEx</code>[[Citation: Microsoft DuplicateTokenEx]], and <code>ImpersonateLoggedOnUser</code>[[Citation: Microsoft ImpersonateLoggedOnUser]]). Please see the referenced Windows API pages for more information.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nEffective Permissions: SYSTEM\n\nContributors: Tom Ueltschi @c_APT_ure",
"meta": {
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1134",
"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing",
"https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/",
"https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx",
"https://www.offensive-security.com/metasploit-unleashed/fun-incognito/",
"https://technet.microsoft.com/en-us/library/bb490994.aspx",
"https://pentestlab.blog/2017/04/03/token-manipulation/",
"https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx",
"https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx"
],
"uuid": "a611377b-ff2b-450c-b065-19026fa63488"
},
"value": "Access Token Manipulation"
},
{
"description": "Adversaries may communicate using a custom command and control protocol instead of using existing Standard Application Layer Protocol to encapsulate commands. Implementations could mimic well-known protocols.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[[Citation: University of Birmingham C2]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X\n\nData Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring",
"meta": {
"mitre_data_sources": [
"Packet capture",
"Netflow/Enclave netflow",
"Process use of network",
"Process monitoring"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Linux",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1094",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
],
"uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"value": "Custom Command and Control Protocol"
},
{
"description": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.\n\n===Services===\n\nManipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.\n\n===Executable Installers===\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. 
When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors.[[Citation: Mozilla Firefox Installer DLL Hijack]][[Citation: Seclists Kanthak 7zip Installer]]\n\nDetection: Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to [[Discovery]] or other adversary techniques.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: File monitoring, Services, Process command-line parameters\n\nEffective Permissions: SYSTEM, User, Administrator\n\nContributors: Stefan Kanthak",
"meta": {
"mitre_data_sources": [
"File monitoring",
"Services",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1044",
"https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/",
"http://seclists.org/fulldisclosure/2015/Dec/34"
],
"uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a"
},
"value": "File System Permissions Weakness"
},
{
"description": "Process hollowing occurs when a process is created in a suspended state and the process's memory is replaced with the code of a second program so that the second program runs instead of the original program. Windows and process monitoring tools believe the original process is running, whereas the actual program running is different. Process hollowing may be used similarly to DLL Injection to evade defenses and detection analysis of malicious process execution by launching adversary-controlled code under the context of a legitimate process.\n\nDetection: Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls (e.g., a process created in a suspended state whose memory is replaced before its main thread is resumed), since benign use of API functions may be common and difficult to distinguish from malicious behavior.\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Process monitoring, API monitoring",
"meta": {
"mitre_data_sources": [
"Process monitoring",
"API monitoring"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1093",
"http://www.autosectools.com/process-hollowing.pdf"
],
"uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21"
},
"value": "Process Hollowing"
},
{
"description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit[[Citation: Metasploit]], Veil[[Citation: Veil]], and PowerSploit[[Citation: Powersploit]] are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell.[[Citation: Alperovitch 2014]]\n\nDetection: Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. 
Actions may be related to network and system information [[Discovery]], [[Collection]], or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10, Linux, MacOS, OS X\n\nData Sources: Process monitoring, File monitoring, Process command-line parameters",
"meta": {
"mitre_data_sources": [
"Process monitoring",
"File monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10",
"Linux",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1064",
"http://www.metasploit.com",
"http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/",
"https://www.veil-framework.com/framework/",
"https://github.com/mattifestation/PowerSploit"
],
"uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"value": "Scripting"
},
{
"description": "Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to exfiltration. Adversaries may search connected removable media for files of interest; interactive command shells may be in use, and common functionality within cmd may be used to gather information. Some adversaries may also use Automated Collection on removable media.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10, Linux, MacOS, OS X\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters",
"meta": {
"mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10",
"Linux",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1025"
],
"uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"value": "Data from Removable Media"
},
{
"description": "Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with since it was signed; it does not guarantee that the signed code is benign.[[Citation: Wikipedia Code Signing]] However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries[[Citation: Janicab]]. The certificates used during an operation may be created, forged, or stolen by the adversary.[[Citation: Securelist Digital Certificates]][[Citation: Symantec Digital Certificates]]\n\nCode signing to verify software on first run can be used on modern Windows and MacOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform.[[Citation: Wikipedia Code Signing]]\n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system.\n\nDetection: Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers (e.g., revoked or expired certificates, or publishers not otherwise seen in the environment).\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10, MacOS, OS X\n\nData Sources: Binary file metadata",
"meta": {
"mitre_data_sources": [
"Binary file metadata"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1116",
"http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates",
"https://securelist.com/blog/security-policies/68593/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/",
"http://www.thesafemac.com/new-signed-malware-called-janicab/",
"https://en.wikipedia.org/wiki/Code%20signing"
],
"uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"value": "Code Signing"
},
{
"description": "The configurations for how applications run on macOS and OS X are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window [[Citation: Antiquated Mac Malware]].\n\nDetection: Plist files have a well-defined format (XML text, or Apple's binary plist encoding, which must be decoded before text inspection), so they're relatively easy to parse. File monitoring can check for the <code>apple.awt.UIElement</code> or any other suspicious plist tag in plist files and flag them.\n\nPlatforms: MacOS, OS X\n\nData Sources: File monitoring",
"meta": {
"mitre_data_sources": [
"File monitoring"
],
"mitre_platforms": [
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1143",
"https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
],
"uuid": "52619537-a5c4-4b7b-aac0-6f214d0dfeba"
},
"value": "Hidden Window"
},
{
"description": "Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware.[[Citation: Wikipedia Rootkit]]\n\nAdversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.\n\nDetection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[Citation: Wikipedia Rootkit]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: BIOS, MBR, System calls",
"meta": {
"mitre_data_sources": [
"BIOS",
"MBR",
"System calls"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1014",
"https://en.wikipedia.org/wiki/Rootkit"
],
"uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b"
},
"value": "Rootkit"
},
{
"description": "Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items[[Citation: Startup Items]]. This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory. \n\nAn adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism[[Citation: Methods of Mac Malware Persistence]]. Additionally, since StartupItems run during the bootup phase of macOS, they will run as root. If an adversary is able to modify an existing Startup Item, then they can also escalate privileges, because the modified item will execute as root at the next boot.\n\nDetection: The <code>/Library/StartupItems</code> folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist. Monitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.\n\nPlatforms: MacOS, OS X\n\nData Sources: File monitoring, Process Monitoring\n\nEffective Permissions: root",
"meta": {
"mitre_data_sources": [
"File monitoring",
"Process Monitoring"
],
"mitre_platforms": [
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1165",
"https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html",
"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
],
"uuid": "c3dc8707-c1cd-4ce0-add5-5302670770b3"
},
"value": "Startup Items"
},
{
"description": "Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).\n\nAdversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.\n\nDetection: Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X\n\nData Sources: Process monitoring, Process command-line parameters",
"meta": {
"mitre_data_sources": [
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Linux",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1059",
"https://en.wikipedia.org/wiki/Command-line%20interface"
],
"uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"value": "Command-Line Interface"
},
{
"description": "Data exfiltration is performed over the [[Command and Control]] channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.\n\nDetection: Detection for command and control applies. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[[Citation: University of Birmingham C2]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X\n\nData Sources: User interface, Process monitoring",
"meta": {
"mitre_data_sources": [
"User interface",
"Process monitoring"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Linux",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1041",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
],
"uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"value": "Exfiltration Over Command and Control Channel"
},
{
"description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\n\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\n\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.\n\nDetection: Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from [[Discovery]] of the system and network information or [[Lateral Movement]] to the originating process may also yield useful data.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X\n\nData Sources: Netflow/Enclave netflow, Network device logs, Network protocol analysis, Packet capture, Process use of network",
"meta": {
"mitre_data_sources": [
"Netflow/Enclave netflow",
"Network device logs",
"Network protocol analysis",
"Packet capture",
"Process use of network"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Linux",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1104"
],
"uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91"
},
"value": "Multi-Stage Channels"
},
{
"description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in <code>~/Library/Keychains/</code>,<code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>.[[Citation: Wikipedia keychain]] The <code>security</code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\n\nTo manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault.[[Citation: External to DA, the OS X Way]] By default, the passphrase for the keychain is the user’s logon credentials.\n\nDetection: Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.\n\nPlatforms: MacOS, OS X\n\nData Sources: System calls, Process Monitoring",
"meta": {
"mitre_data_sources": [
"System calls",
"Process Monitoring"
],
"mitre_platforms": [
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1142",
"http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way",
"https://en.wikipedia.org/wiki/Keychain%20(software)"
],
"uuid": "38cfae40-42c8-431e-8cb7-0f14b2ce0e86"
},
"value": "Keychain"
},
{
"description": "Adversaries can use methods of capturing user input, such as keylogging or interception of logon credential prompts, for obtaining credentials for Valid Accounts and for information Collection. Input capture is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.\n\nAdversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.\n\nDetection: Input capture can take several forms on the host, including Registry changes (for example registration of a custom credential provider), installation of a kernel driver, or hooking of the APIs that deliver keystrokes, so the Registry, driver installs, and API activity (the listed Data Sources) should be monitored together rather than individually; API calls alone are not conclusive evidence of keylogging but become useful when combined with new files written to disk or unusual processes. Detection of compromised Valid Accounts in use by adversaries may help to catch the result of user input interception if new techniques are used.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10, Linux, MacOS, OS X\n\nData Sources: Windows Registry, Kernel drivers, Process monitoring, API monitoring\n\nContributors: John Lambert, Microsoft Threat Intelligence Center",
"meta": {
"mitre_data_sources": [
"Windows Registry",
"Kernel drivers",
"Process monitoring",
"API monitoring"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10",
"Linux",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1056",
"http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/",
"https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/"
],
"uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"value": "Input Capture"
},
{
"description": "Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft.[[Citation: MSDN Regsvcs]][[Citation: MSDN Regasm]]\n\nAdversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute.[[Citation: SubTee GitHub All The Things Application Whitelisting Bypass]]\n\nDetection: Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Process monitoring, Process command-line parameters\n\nContributors: Casey Smith",
"meta": {
"mitre_data_sources": [
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1121",
"https://msdn.microsoft.com/en-us/library/04za0hca.aspx",
"https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx",
"https://github.com/subTee/AllTheThings"
],
"uuid": "215190a9-9f02-4e83-bb5f-e0589965a302"
},
"value": "Regsvcs/Regasm"
},
{
"description": "There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions.\n\n===MSBuild===\n\nMSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML formatted project files that define requirements for building various platforms and configurations.[[Citation: MSDN MSBuild]] \n\nAdversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file.[[Citation: MSDN MSBuild Inline Tasks]] MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.[[Citation: SubTee GitHub All The Things Application Whitelisting Bypass]]\n\n===DNX===\n\nThe .NET Execution Environment (DNX), dnx.exe, is a software development kit packaged with Visual Studio Enterprise. It was retired in favor of .NET Core CLI in 2016.[[Citation: Microsoft Migrating from DNX]] DNX is not present on standard builds of Windows and may only be present on developer workstations using older versions of .NET Core and ASP.NET Core 1.0. The dnx.exe executable is signed by Microsoft. \n\nAn adversary can use dnx.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for DNX.[[Citation: engima0x3 DNX Bypass]]\n\n===RCSI===\n\nThe rcsi.exe utility is a non-interactive command-line interface for C# that is similar to csi.exe. 
It was provided within an early version of the Roslyn .NET Compiler Platform but has since been deprecated for an integrated solution.[[Citation: Microsoft Roslyn CPT RCSI]] The rcsi.exe binary is signed by Microsoft.[[Citation: engima0x3 RCSI Bypass]]\n\nC# .csx script files can be written and executed with rcsi.exe at the command-line. An adversary can use rcsi.exe to proxy execution of arbitrary code to bypass application whitelisting policies that do not account for execution of rcsi.exe.[[Citation: engima0x3 RCSI Bypass]]\n\n===WinDbg/CDB===\n\nWinDbg is a Microsoft Windows kernel and user-mode debugging utility. The Microsoft Console Debugger (CDB) cdb.exe is also user-mode debugger. Both utilities are included in Windows software development kits and can be used as standalone tools.[[Citation: Microsoft Debugging Tools for Windows]] They are commonly used in software development and reverse engineering and may not be found on typical Windows systems. Both WinDbg.exe and cdb.exe binaries are signed by Microsoft.\n\nAn adversary can use WinDbg.exe and cdb.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for execution of those utilities.[[Citation: Exploit Monday WinDbg]]\n\nIt is likely possible to use other debuggers for similar purposes, such as the kernel-mode debugger kd.exe, which is also signed by Microsoft.\n\nDetection: The presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\n\nUse process monitoring to monitor the execution and arguments of MSBuild.exe, dnx.exe, rcsi.exe, WinDbg.exe, and cdb.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. 
It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.\n\nPlatforms: Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Process monitoring\n\nContributors: Casey Smith",
"meta": {
"mitre_data_sources": [
"Process monitoring"
],
"mitre_platforms": [
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1127",
"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
"https://msdn.microsoft.com/library/dd722601.aspx",
"https://blogs.msdn.microsoft.com/visualstudio/2011/10/19/introducing-the-microsoft-roslyn-ctp/",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/index",
"https://github.com/subTee/AllTheThings",
"https://msdn.microsoft.com/library/dd393574.aspx",
"http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
"https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
"https://docs.microsoft.com/en-us/dotnet/core/migration/from-dnx"
],
"uuid": "ff25900d-76d5-449b-a351-8824e62fc81b"
},
"value": "Trusted Developer Utilities"
},
{
"description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10, Linux, MacOS, OS X\n\nData Sources: Process monitoring, Process command-line parameters",
"meta": {
"mitre_data_sources": [
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10",
"Linux",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1016"
],
"uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"value": "System Network Configuration Discovery"
},
{
"description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. The account used to create the task must be in the Administrators group on the local system. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Because a task can run as SYSTEM or as a specified account, an adversary may use task scheduling for persistence, for remote execution as part of lateral movement, or to run a process with higher privileges than the creating session.\n\nDetection: Monitor process execution and command-line arguments of at and schtasks, and monitor the file system for new or modified task definitions, looking for tasks that do not correlate with known software installations, patch cycles, or administrative activity; tools such as Sysinternals Autoruns can also list the currently registered scheduled tasks. Remote access tools with built-in features may interact directly with the Windows API to create tasks, and tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nEffective Permissions: SYSTEM, Administrator",
"meta": {
"mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1053",
"https://technet.microsoft.com/en-us/sysinternals/bb963902",
"https://technet.microsoft.com/en-us/library/cc785125.aspx"
],
"uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"value": "Scheduled Task"
},
{
"description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow compatibility of programs as Windows updates and changes its code. For example, the application shimming feature allows programs that were created for Windows XP to work with Windows 10. Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses API hooking to redirect the code as necessary in order to communicate with the OS. A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* <code>%WINDIR%\\AppPatch\\sysmain.sdb</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb</code>\n\nCustom databases are stored in:\n\n* <code>%WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom</code>\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDll), and intercept memory addresses (GetProcAddress). Utilizing these shims, an adversary can perform several malicious acts, such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.\n\nDetection: There are several public tools available that will detect shims that are currently installed or active[[Citation: Black Hat 2015 App Shim]]:\n\n* Shim-Process-Scanner - checks memory of every running process for any Shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse. Also monitor the registry keys and custom database directories listed above for new entries, since these are what the shim infrastructure consults at program launch; a shim may be registered by writing them directly rather than through sdbinst.exe, in which case watching only for the installer process will not fire.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Loaded DLLs, System calls, Windows Registry, Process Monitoring, Process command-line parameters",
"meta": {
"mitre_data_sources": [
"Loaded DLLs",
"System calls",
"Windows Registry",
"Process Monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1138",
"https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf"
],
"uuid": "1e16e6fe-c0d9-4d9a-b112-9ac5ce3bdfdc"
},
"value": "Application Shimming"
},
{
"description": "Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB)[[Citation: Wikipedia SMB]] and Remote Procedure Call Service (RPCS)[[Citation: TechNet RPC]] for remote access. RPCS operates over port 135.[[Citation: MSDN WMI]]\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for [[Discovery]] and remote [[Execution]] of files as part of [[Lateral Movement]].[[Citation: FireEye WMI 2015]]\n\nDetection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior.[[Citation: FireEye WMI 2015]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters",
"meta": {
"mitre_data_sources": [
"Authentication logs",
"Netflow/Enclave netflow",
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1047",
"https://msdn.microsoft.com/en-us/library/aa394582.aspx",
"https://en.wikipedia.org/wiki/Server%20Message%20Block",
"https://technet.microsoft.com/en-us/library/cc787851.aspx",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
],
"uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"value": "Windows Management Instrumentation"
},
{
"description": "Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.[[Citation: Journey into IR ZeroAccess NTFS EA]]\n\nThe NTFS format has a feature called Extended Attributes (EA), which allows data to be stored as an attribute of a file or folder.[[Citation: Microsoft File Streams]]\n\nDetection: Forensic techniques exist to identify information stored in EA.[[Citation: Journey into IR ZeroAccess NTFS EA]] It may be possible to monitor NTFS for writes or reads to NTFS EA or to regularly scan for the presence of modified information.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: File monitoring, Kernel drivers",
"meta": {
"mitre_data_sources": [
"File monitoring",
"Kernel drivers"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1096",
"http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html",
"http://msdn.microsoft.com/en-us/library/aa364404"
],
"uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d"
},
"value": "NTFS Extended Attributes"
},
{
"description": "Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code>[[Citation: AppleDocs Launch Agent Daemons]]. These LaunchDaemons have property list files which point to the executables that will be launched[[Citation: Methods of Mac Malware Persistence]].\n \nAdversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories[[Citation: OSX Malware Detection]]. The daemon name may be disguised by using a name from a related operating system or benign software [[Citation: WireLurker]]. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.\n \nThe plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.\n\nDetection: Monitor Launch Daemon creation through additional plist files and utilities such as Objective-See's Knock Knock application. Because the executable a daemon points to does not inherit the plist's root:wheel requirement, also verify that the programs referenced by existing LaunchDaemon plists are owned by root and not writable by unprivileged users; a writable target is exactly the misconfiguration described above and should be treated as a finding even before any modification is observed.\n\nPlatforms: MacOS, OS X\n\nData Sources: Process Monitoring, File monitoring\n\nEffective Permissions: root",
"meta": {
"mitre_data_sources": [
"Process Monitoring",
"File monitoring"
],
"mitre_platforms": [
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1160",
"https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
"https://www.paloaltonetworks.com/content/dam/pan/en%20US/assets/pdf/reports/Unit%2042/unit42-wirelurker.pdf",
"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf",
"https://www.synack.com/wp-content/uploads/2016/03/RSA%20OSX%20Malware.pdf"
],
"uuid": "eddadd9a-8322-490e-8666-58662beb3d18"
},
"value": "Launch Daemon"
},
{
"description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n===Windows===\n\nAn example command that would obtain details on processes is \"tasklist\" using the Tasklist utility.\n\n===Mac and Linux===\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X\n\nData Sources: Process monitoring, Process command-line parameters",
"meta": {
"mitre_data_sources": [
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Linux",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1057"
],
"uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"value": "Process Discovery"
},
{
"description": "The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.[[Citation: Wikipedia BIOS]][[Citation: Wikipedia UEFI]][[Citation: About UEFI]]\n\nSystem firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates that persist on a system and may be difficult to detect.\n\nDetection: System firmware manipulation may be detected.[[Citation: MITRE Trustworthy Firmware Measurement]] Dump and inspect BIOS images on vulnerable systems and compare against known good images.[[Citation: MITRE Copernicus]] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\n\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.[[Citation: McAfee CHIPSEC Blog]][[Citation: Github CHIPSEC]][[Citation: Intel HackingTeam UEFI Rootkit]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: API monitoring, BIOS, EFI\n\nContributors: Ryan Becwar",
"meta": {
"mitre_data_sources": [
"API monitoring",
"BIOS",
"EFI"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1019",
"https://en.wikipedia.org/wiki/Unified%20Extensible%20Firmware%20Interface",
"http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html",
"http://www.uefi.org/about",
"http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research",
"http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about",
"https://en.wikipedia.org/wiki/BIOS",
"https://github.com/chipsec/chipsec",
"https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/"
],
"uuid": "6856ddd6-2df3-4379-8b87-284603c189c3"
},
"value": "System Firmware"
},
{
"description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.\n\nDetection: Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the startup folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders.[[Citation: TechNet Autoruns]] Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for [[Command and Control]], learning details about the environment through [[Discovery]], and [[Lateral Movement]].\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Windows Registry, File monitoring",
"meta": {
"mitre_data_sources": [
"Windows Registry",
"File monitoring"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1060",
"https://technet.microsoft.com/en-us/sysinternals/bb963902",
"http://msdn.microsoft.com/en-us/library/aa376977"
],
"uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"value": "Registry Run Keys / Start Folder"
},
{
"description": "Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.\n\nDetection: Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Windows Registry, Process monitoring, Process command-line parameters",
"meta": {
"mitre_data_sources": [
"Windows Registry",
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Windows 10"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1035"
],
"uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"value": "Service Execution"
},
{
"description": "Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[[Citation: University of Birmingham C2]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X\n\nData Sources: Netflow/Enclave netflow, Process use of network, Process monitoring",
"meta": {
"mitre_data_sources": [
"Netflow/Enclave netflow",
"Process use of network",
"Process monitoring"
],
"mitre_platforms": [
"Windows Server 2003",
"Windows Server 2008",
"Windows Server 2012",
"Windows XP",
"Windows 7",
"Windows 8",
"Windows Server 2003 R2",
"Windows Server 2008 R2",
"Windows Server 2012 R2",
"Windows Vista",
"Windows 8.1",
"Linux",
"Windows 10",
"MacOS",
"OS X"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1065",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
],
"uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"value": "Uncommonly Used Port"
},
{
"description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or utilities present on the system.\n\nOne such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: File monitoring, Process Monitoring, Process command-line parameters\n\nContributors: Matthew Demaske, Adaptforward",
"meta": {
"mitre_data_sources": [
"File monitoring",
"Process Monitoring",
"Process command-line parameters"
],
"mitre_platforms": [