This repository has been archived by the owner on Sep 13, 2023. It is now read-only.
1112 lines (1112 loc) · 70.1 KB
enterprise-attack-9.0-only-mock-data-sources.json
{
"type": "bundle",
"id": "bundle-5f3fdb07-c27b-4b1a-a945-27484fe8eada",
"spec_version": "2.0",
"objects": [
{
"id": "x-mitre-data-source--6da9ab38-437f-4e2f-b24c-f0da3a8ce441",
"type": "x-mitre-data-source",
"created": "2021-07-19T18:59:32.328889Z",
"modified": "2021-07-19T18:59:32.328889Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Smoke Signal",
"external_references": [
{
"external_id": "DS6941",
"url": "https://attack.mitre.org/datasources/DS6941",
"source_name": "mitre-attack"
},
{
"source_name": "Mcdonald, Cortez and Lawrence",
"description": "Mcdonald, Cortez and Lawrence. (2021). Sint excepteur laborum irure ut ut eu. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Campbell, Caldwell and Ford",
"description": "Campbell, Caldwell and Ford. (2021). Minim velit anim pariatur exercitation. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Fisher Ltd",
"description": "Fisher Ltd. (2021). Magna quis anim et. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "The smoke signal is one of the oldest forms of long-distance communication. It is a form of visual communication used over a long distance. In general smoke signals are used to transmit news, signal danger, or to gather people to a common area..(Citation: Mcdonald, Cortez and Lawrence)(Citation: Campbell, Caldwell and Ford)(Citation: Fisher Ltd)",
"x_mitre_platforms": [
"macOS",
"Network",
"IaaS",
"SaaS",
"Office 365"
],
"x_mitre_collection_layers": [
"fugiat",
"amet",
"esse"
],
"x_mitre_contributors": [
"Herbert Examplecontributor"
],
"x_mitre_version": "1.0"
},
{
"id": "x-mitre-data-source--1e0d83f8-86bb-42c2-a39c-c717c763524c",
"type": "x-mitre-data-source",
"created": "2021-07-19T18:59:32.331932Z",
"modified": "2021-07-19T18:59:32.331932Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Source Nulla",
"external_references": [
{
"external_id": "DS5309",
"url": "https://attack.mitre.org/datasources/DS5309",
"source_name": "mitre-attack"
},
{
"source_name": "Wagner-Reese",
"description": "Wagner-Reese. (2021). Ipsum amet consequat quis commodo veniam consequat dolor. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Hays, Singh and Green",
"description": "Hays, Singh and Green. (2021). Eiusmod ipsum exercitation do enim commodo sunt qui. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Douglas Ltd",
"description": "Douglas Ltd. (2021). Proident mollit commodo deserunt. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Exercitation quis occaecat cupidatat in enim. Minim enim ea mollit cupidatat.(Citation: Wagner-Reese)(Citation: Hays, Singh and Green)(Citation: Douglas Ltd)",
"x_mitre_platforms": [
"macOS",
"Office 365",
"Google Workspace",
"Linux",
"Network"
],
"x_mitre_collection_layers": [
"duis",
"laboris"
],
"x_mitre_contributors": [
"Herbert Examplecontributor"
],
"x_mitre_version": "1.0"
},
{
"id": "x-mitre-data-source--e9565b6a-e97c-497b-be40-95234cdb3024",
"type": "x-mitre-data-source",
"created": "2021-07-19T18:59:32.334845Z",
"modified": "2021-07-19T18:59:32.334845Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Source Ad",
"external_references": [
{
"external_id": "DS8206",
"url": "https://attack.mitre.org/datasources/DS8206",
"source_name": "mitre-attack"
},
{
"source_name": "Peterson, Butler and Walters",
"description": "Peterson, Butler and Walters. (2021). Nisi commodo incididunt esse aliquip. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Eu consequat consequat deserunt laboris do, esse lorem ea eiusmod dolore irure. Ex lorem proident quis.(Citation: Peterson, Butler and Walters)",
"x_mitre_platforms": [
"SaaS",
"macOS",
"Linux",
"Windows"
],
"x_mitre_collection_layers": [
"elit",
"ea"
],
"x_mitre_contributors": [
"Herbert Examplecontributor"
],
"x_mitre_version": "1.0"
},
{
"id": "x-mitre-data-source--d3a30ccf-4e0d-4dbf-acd4-900f76775376",
"type": "x-mitre-data-source",
"created": "2021-07-19T18:59:32.336603Z",
"modified": "2021-07-19T18:59:32.336603Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Source Pariatur",
"external_references": [
{
"external_id": "DS2545",
"url": "https://attack.mitre.org/datasources/DS2545",
"source_name": "mitre-attack"
},
{
"source_name": "Guzman-Rodriguez",
"description": "Guzman-Rodriguez. (2021). Aute laboris aliqua occaecat. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Aute ullamco esse veniam aliquip nulla irure, excepteur proident aliquip in tempor velit. Sit lorem pariatur duis aliqua nisi non, incididunt mollit ex incididunt in enim cupidatat excepteur.(Citation: Guzman-Rodriguez)",
"x_mitre_platforms": [
"Containers",
"Windows",
"SaaS",
"IaaS"
],
"x_mitre_collection_layers": [
"exercitation"
],
"x_mitre_contributors": [
"Herbert Examplecontributor"
],
"x_mitre_version": "1.0"
},
{
"id": "x-mitre-data-source--e2085389-bc6f-4ca8-8eba-1815279b5107",
"type": "x-mitre-data-source",
"created": "2021-07-19T18:59:32.337964Z",
"modified": "2021-07-19T18:59:32.337964Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Source Ea",
"external_references": [
{
"external_id": "DS5768",
"url": "https://attack.mitre.org/datasources/DS5768",
"source_name": "mitre-attack"
},
{
"source_name": "Diaz Ltd",
"description": "Diaz Ltd. (2021). Et aute ut do exercitation minim eu consectetur, culpa esse nulla eu esse dolore sunt reprehenderit. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Excepteur anim culpa irure consequat dolor non aute. Consectetur culpa aute id excepteur cillum, dolor sint sunt ea voluptate.(Citation: Diaz Ltd)",
"x_mitre_platforms": [
"SaaS",
"Azure AD",
"Containers",
"Linux",
"IaaS"
],
"x_mitre_collection_layers": [
"ex",
"eu",
"ad"
],
"x_mitre_contributors": [
"Herbert Examplecontributor"
],
"x_mitre_version": "1.0"
},
{
"id": "x-mitre-data-component--b7360ee0-c3a2-4338-a3b6-31944f76d71b",
"type": "x-mitre-data-component",
"created": "2021-07-19T18:59:32.338891Z",
"modified": "2021-07-19T18:59:32.338891Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Smoke Volume",
"x_mitre_data_source_ref": "x-mitre-data-source--6da9ab38-437f-4e2f-b24c-f0da3a8ce441",
"external_references": [
{
"source_name": "Anderson-Cohen",
"description": "Anderson-Cohen. (2021). Officia esse ullamco id dolor eu nisi eiusmod. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Ferguson PLC",
"description": "Ferguson PLC. (2021). Nostrud esse ad et id. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Amount of space the smoke signal occupies, used as an indicator of the amount of \"hot air\" within a specified space.(Citation: Anderson-Cohen)(Citation: Ferguson PLC)"
},
{
"id": "x-mitre-data-component--17453a78-737d-42d4-ac57-fede30d5b287",
"type": "x-mitre-data-component",
"created": "2021-07-19T18:59:32.340325Z",
"modified": "2021-07-19T18:59:32.340325Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Component Aliqua",
"x_mitre_data_source_ref": "x-mitre-data-source--1e0d83f8-86bb-42c2-a39c-c717c763524c",
"external_references": [
{
"source_name": "Sweeney, Reynolds and Jones",
"description": "Sweeney, Reynolds and Jones. (2021). Aliqua id sit ad elit. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Phillips, Bond and Cole",
"description": "Phillips, Bond and Cole. (2021). Adipiscing laborum et veniam qui non duis. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Sanchez Inc",
"description": "Sanchez Inc. (2021). Ut mollit dolor aute ad et ullamco laboris, esse dolor consectetur occaecat dolore et labore. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Sunt deserunt esse cupidatat. Quis sunt do officia dolore fugiat ea.(Citation: Sweeney, Reynolds and Jones)(Citation: Phillips, Bond and Cole)(Citation: Sanchez Inc)"
},
{
"id": "x-mitre-data-component--75f4e10c-ee4e-400c-86d2-c63a00269512",
"type": "x-mitre-data-component",
"created": "2021-07-19T18:59:32.342537Z",
"modified": "2021-07-19T18:59:32.342537Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Component Est",
"x_mitre_data_source_ref": "x-mitre-data-source--1e0d83f8-86bb-42c2-a39c-c717c763524c",
"external_references": [
{
"source_name": "Nolan, Weaver and Marshall",
"description": "Nolan, Weaver and Marshall. (2021). Mollit mollit lorem excepteur aute cillum aliquip, irure commodo consequat ex fugiat qui culpa exercitation. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Nostrud adipiscing occaecat duis enim. Sint culpa incididunt adipiscing deserunt adipiscing.(Citation: Nolan, Weaver and Marshall)"
},
{
"id": "x-mitre-data-component--f7283eae-9cb6-420b-aa47-1c38e67cf105",
"type": "x-mitre-data-component",
"created": "2021-07-19T18:59:32.343642Z",
"modified": "2021-07-19T18:59:32.343642Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Component Qui",
"x_mitre_data_source_ref": "x-mitre-data-source--e9565b6a-e97c-497b-be40-95234cdb3024",
"external_references": [
{
"source_name": "Avery-Barnes",
"description": "Avery-Barnes. (2021). Et in laborum lorem laboris. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Day-Simpson",
"description": "Day-Simpson. (2021). Pariatur enim incididunt dolor dolor cillum esse cillum, exercitation consequat labore do consectetur. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Quis cupidatat tempor non labore nisi cillum, duis incididunt nulla proident exercitation veniam ut fugiat. Anim fugiat dolore deserunt ipsum enim et voluptate.(Citation: Avery-Barnes)(Citation: Day-Simpson)"
},
{
"id": "x-mitre-data-component--a0aed7ed-2119-4a7b-9a15-9c6fd5520416",
"type": "x-mitre-data-component",
"created": "2021-07-19T18:59:32.345217Z",
"modified": "2021-07-19T18:59:32.345217Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Component Incididunt",
"x_mitre_data_source_ref": "x-mitre-data-source--d3a30ccf-4e0d-4dbf-acd4-900f76775376",
"external_references": [
{
"source_name": "Diaz, Edwards and Thompson",
"description": "Diaz, Edwards and Thompson. (2021). Voluptate do ut sint veniam anim labore officia, nisi eiusmod do amet irure fugiat ad aliquip, amet sunt voluptate occaecat minim. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Mullins, Cox and Martinez",
"description": "Mullins, Cox and Martinez. (2021). Laborum minim enim aliqua consectetur, magna ullamco pariatur anim minim ut id adipiscing. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Hurst-Turner",
"description": "Hurst-Turner. (2021). Qui ea lorem incididunt quis fugiat consectetur consectetur, ad sint esse id elit culpa nulla. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Labore id in ex do, aliqua nostrud laborum ea ipsum adipiscing commodo. Laborum sunt aute incididunt in exercitation culpa.(Citation: Diaz, Edwards and Thompson)(Citation: Mullins, Cox and Martinez)(Citation: Hurst-Turner)"
},
{
"id": "x-mitre-data-component--176e3fd0-477f-4073-a654-7a62c101a9b3",
"type": "x-mitre-data-component",
"created": "2021-07-19T18:59:32.347399Z",
"modified": "2021-07-19T18:59:32.347399Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Component Aliquip",
"x_mitre_data_source_ref": "x-mitre-data-source--d3a30ccf-4e0d-4dbf-acd4-900f76775376",
"external_references": [
{
"source_name": "Taylor PLC",
"description": "Taylor PLC. (2021). Amet enim exercitation excepteur ut commodo elit deserunt. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Hayes, Hodge and Thompson",
"description": "Hayes, Hodge and Thompson. (2021). Laborum sunt est non. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Ipsum id excepteur quis est eu elit est. Mollit velit anim proident, labore laborum labore aliquip deserunt, incididunt adipiscing nisi magna.(Citation: Taylor PLC)(Citation: Hayes, Hodge and Thompson)"
},
{
"id": "x-mitre-data-component--f79594c6-204d-4fd5-b8fa-9467c6ae92ca",
"type": "x-mitre-data-component",
"created": "2021-07-19T18:59:32.349385Z",
"modified": "2021-07-19T18:59:32.349385Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Data Component Amet",
"x_mitre_data_source_ref": "x-mitre-data-source--e2085389-bc6f-4ca8-8eba-1815279b5107",
"external_references": [
{
"source_name": "Robbins-Forbes",
"description": "Robbins-Forbes. (2021). Lorem anim eiusmod aliquip veniam. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Enim excepteur sint voluptate exercitation irure. Officia id proident sunt pariatur voluptate voluptate veniam.(Citation: Robbins-Forbes)"
},
{
"id": "relationship--9384c649-75f5-4ef0-b303-81426893a72d",
"type": "relationship",
"created": "2021-07-19T18:59:32.350531Z",
"modified": "2021-07-19T18:59:32.350531Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--b7360ee0-c3a2-4338-a3b6-31944f76d71b",
"relationship_type": "detects",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"external_references": [
{
"source_name": "Williams and Sons",
"description": "Williams and Sons. (2021). Veniam anim excepteur laboris do deserunt do. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "West-Ellison",
"description": "West-Ellison. (2021). Ad laborum aute reprehenderit est, amet esse aute consectetur amet laboris exercitation. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Smoke volume can be used to enumerate the location and placement of naughty Run keys.(Citation: Williams and Sons)(Citation: West-Ellison)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--fca69aa0-c1ef-410c-a322-2341140ee9af",
"type": "relationship",
"created": "2021-07-19T18:59:37.948876Z",
"modified": "2021-07-19T18:59:37.948876Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--b7360ee0-c3a2-4338-a3b6-31944f76d71b",
"relationship_type": "detects",
"target_ref": "attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e",
"external_references": [
{
"source_name": "Buck and Sons",
"description": "Buck and Sons. (2021). Fugiat laboris mollit ad consectetur culpa incididunt. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Smoke volume can be used to enumerate the existence of icky codez.(Citation: Buck and Sons)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--c0ed38e2-5df1-485a-ac62-0db54b6a75e4",
"type": "relationship",
"created": "2021-07-19T18:59:37.950176Z",
"modified": "2021-07-19T18:59:37.950176Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--b7360ee0-c3a2-4338-a3b6-31944f76d71b",
"relationship_type": "detects",
"target_ref": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
"external_references": [
{
"source_name": "Hill, Compton and Gay",
"description": "Hill, Compton and Gay. (2021). Non eu enim in dolor adipiscing cillum tempor, exercitation nulla sit amet esse est eu. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "High smoke volume levels may be produced when cloud control planes are exhausted with fumes.(Citation: Hill, Compton and Gay)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--530eb03b-9e5a-4c0e-ac44-ae7d2ff6d046",
"type": "relationship",
"created": "2021-07-19T18:59:37.951589Z",
"modified": "2021-07-19T18:59:37.951589Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--17453a78-737d-42d4-ac57-fede30d5b287",
"relationship_type": "detects",
"target_ref": "attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e",
"external_references": [
{
"source_name": "Wilson Inc",
"description": "Wilson Inc. (2021). Nulla et magna non deserunt fugiat officia. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Hoffman and Sons",
"description": "Hoffman and Sons. (2021). Exercitation eu aliquip quis occaecat, in laborum aliquip proident, aliquip minim excepteur irure officia sunt. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Perkins Inc",
"description": "Perkins Inc. (2021). Laboris nisi anim enim. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Sed et aute exercitation duis enim id, id incididunt incididunt ut lorem magna dolore irure, id duis aute consectetur dolor est. Qui velit amet velit sed.(Citation: Wilson Inc)(Citation: Hoffman and Sons)(Citation: Perkins Inc)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--fed285ed-d7c1-416a-bee7-953d2d9ba503",
"type": "relationship",
"created": "2021-07-19T18:59:37.954684Z",
"modified": "2021-07-19T18:59:37.954684Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--17453a78-737d-42d4-ac57-fede30d5b287",
"relationship_type": "detects",
"target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
"external_references": [
{
"source_name": "Brown, Hill and Logan",
"description": "Brown, Hill and Logan. (2021). Proident esse id in, consequat incididunt eu officia magna voluptate nulla. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Lewis-Wagner",
"description": "Lewis-Wagner. (2021). Est sit aliqua exercitation cillum sunt velit. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Duis voluptate non sed adipiscing aute ullamco pariatur. Commodo labore velit est sunt et nostrud, enim velit dolor amet laboris ex.(Citation: Brown, Hill and Logan)(Citation: Lewis-Wagner)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--94ca966e-c155-4e69-ac82-b9b8a5d1169c",
"type": "relationship",
"created": "2021-07-19T18:59:37.959321Z",
"modified": "2021-07-19T18:59:37.959321Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--17453a78-737d-42d4-ac57-fede30d5b287",
"relationship_type": "detects",
"target_ref": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
"external_references": [
{
"source_name": "Grant LLC",
"description": "Grant LLC. (2021). Incididunt aliqua laboris magna aute, pariatur velit exercitation minim sit proident voluptate. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Mollit ea exercitation exercitation ullamco. Sit in nisi anim.(Citation: Grant LLC)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--21d15713-437b-47e7-8b1a-61f24f539cb4",
"type": "relationship",
"created": "2021-07-19T18:59:37.961623Z",
"modified": "2021-07-19T18:59:37.961623Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--75f4e10c-ee4e-400c-86d2-c63a00269512",
"relationship_type": "detects",
"target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
"external_references": [
{
"source_name": "Morgan-Olson",
"description": "Morgan-Olson. (2021). Quis irure veniam magna. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Dolore eu laboris officia elit. Aliqua anim deserunt minim et do ut.(Citation: Morgan-Olson)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--02a7d262-9e24-4dc6-a7dc-d42117dd39dd",
"type": "relationship",
"created": "2021-07-19T18:59:37.963527Z",
"modified": "2021-07-19T18:59:37.963527Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--75f4e10c-ee4e-400c-86d2-c63a00269512",
"relationship_type": "detects",
"target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"external_references": [
{
"source_name": "Bright-Reyes",
"description": "Bright-Reyes. (2021). Elit sed eu dolore, eiusmod amet in laborum ipsum lorem enim incididunt. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Nostrud ut anim reprehenderit non et, velit eu laborum commodo ex qui, officia ut cillum elit commodo id reprehenderit veniam. Velit pariatur nostrud in occaecat, in ipsum cillum eu esse.(Citation: Bright-Reyes)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--aa02dcac-34ac-4068-8174-58b25279a067",
"type": "relationship",
"created": "2021-07-19T18:59:37.965876Z",
"modified": "2021-07-19T18:59:37.965876Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--75f4e10c-ee4e-400c-86d2-c63a00269512",
"relationship_type": "detects",
"target_ref": "attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e",
"external_references": [
{
"source_name": "Silva-Allen",
"description": "Silva-Allen. (2021). Reprehenderit adipiscing ullamco do elit pariatur velit sint, quis culpa consectetur mollit sed consectetur cupidatat velit. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Eu exercitation sit non commodo non. Occaecat commodo consectetur irure eiusmod ipsum do do.(Citation: Silva-Allen)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--858bbf1c-7ebf-4975-9c97-8625cc4164ba",
"type": "relationship",
"created": "2021-07-19T18:59:37.967328Z",
"modified": "2021-07-19T18:59:37.967328Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--f7283eae-9cb6-420b-aa47-1c38e67cf105",
"relationship_type": "detects",
"target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
"external_references": [
{
"source_name": "Munoz, Myers and Brown",
"description": "Munoz, Myers and Brown. (2021). Irure sint consectetur tempor enim sit, excepteur elit excepteur sed qui anim. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Ayala-Hobbs",
"description": "Ayala-Hobbs. (2021). Occaecat ullamco eu elit officia proident, do tempor velit lorem ad. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Nguyen-Burton",
"description": "Nguyen-Burton. (2021). Laborum aliqua ea qui deserunt in nostrud. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Aliquip occaecat esse ut et aliquip fugiat laborum. Ad tempor ut incididunt.(Citation: Munoz, Myers and Brown)(Citation: Ayala-Hobbs)(Citation: Nguyen-Burton)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--c6649e53-9857-43ba-8cab-a0bb93baeb5f",
"type": "relationship",
"created": "2021-07-19T18:59:37.970417Z",
"modified": "2021-07-19T18:59:37.970417Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--f7283eae-9cb6-420b-aa47-1c38e67cf105",
"relationship_type": "detects",
"target_ref": "attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e",
"external_references": [
{
"source_name": "Briggs, Bell and Chavez",
"description": "Briggs, Bell and Chavez. (2021). Voluptate non dolor incididunt minim est irure aliqua. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Et ex nisi exercitation qui, aliqua dolor adipiscing labore fugiat fugiat amet est. Aute reprehenderit eiusmod ad commodo ad fugiat commodo, culpa qui ipsum excepteur duis adipiscing esse, culpa ex nisi occaecat est tempor id elit.(Citation: Briggs, Bell and Chavez)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--50749912-8245-43ab-9bb5-a7f270f00f1b",
"type": "relationship",
"created": "2021-07-19T18:59:37.973298Z",
"modified": "2021-07-19T18:59:37.973298Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--f7283eae-9cb6-420b-aa47-1c38e67cf105",
"relationship_type": "detects",
"target_ref": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
"external_references": [
{
"source_name": "Palmer, Perkins and Hardy",
"description": "Palmer, Perkins and Hardy. (2021). Labore elit aute sit sunt ipsum. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Laboris deserunt do laborum. Fugiat aliqua cillum ut labore elit, ut sit officia aliqua et mollit tempor sit.(Citation: Palmer, Perkins and Hardy)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--b648d14d-cf75-4a9f-837b-55188ddabc91",
"type": "relationship",
"created": "2021-07-19T18:59:37.976534Z",
"modified": "2021-07-19T18:59:37.976534Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--a0aed7ed-2119-4a7b-9a15-9c6fd5520416",
"relationship_type": "detects",
"target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"external_references": [
{
"source_name": "Gross Group",
"description": "Gross Group. (2021). Irure est incididunt id adipiscing eu. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Occaecat velit eu proident labore exercitation est ex. Enim velit nulla excepteur.(Citation: Gross Group)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--76e8ef72-9e28-41df-84e1-2c1569372415",
"type": "relationship",
"created": "2021-07-19T18:59:37.979220Z",
"modified": "2021-07-19T18:59:37.979220Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--a0aed7ed-2119-4a7b-9a15-9c6fd5520416",
"relationship_type": "detects",
"target_ref": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
"external_references": [
{
"source_name": "Davis, Hurley and Smith",
"description": "Davis, Hurley and Smith. (2021). Ea sed dolor aute culpa incididunt. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Vincent Inc",
"description": "Vincent Inc. (2021). Sit aliqua id cupidatat. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Frye, Henderson and Rice",
"description": "Frye, Henderson and Rice. (2021). Proident esse anim laborum consequat est adipiscing amet. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Deserunt et ex labore mollit veniam. Labore do eiusmod ut voluptate.(Citation: Davis, Hurley and Smith)(Citation: Vincent Inc)(Citation: Frye, Henderson and Rice)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--bd34cf80-fc8a-4815-8a23-a86f531f4f71",
"type": "relationship",
"created": "2021-07-19T18:59:37.984117Z",
"modified": "2021-07-19T18:59:37.984117Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--a0aed7ed-2119-4a7b-9a15-9c6fd5520416",
"relationship_type": "detects",
"target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
"external_references": [
{
"source_name": "Johnson-Hawkins",
"description": "Johnson-Hawkins. (2021). Ad ad consectetur ea, cillum sit quis dolore reprehenderit in, fugiat enim ipsum esse deserunt. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Pugh-Grant",
"description": "Pugh-Grant. (2021). Ipsum in commodo enim in adipiscing esse veniam, anim quis dolore quis eu, quis sit fugiat cupidatat lorem nisi nostrud. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Sit nisi sit id officia. Cillum velit minim quis, sint voluptate incididunt exercitation consectetur, fugiat ad lorem commodo aute id laboris anim.(Citation: Johnson-Hawkins)(Citation: Pugh-Grant)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--85d9d05d-a6e8-4268-997a-44f7e468bc8f",
"type": "relationship",
"created": "2021-07-19T18:59:37.986151Z",
"modified": "2021-07-19T18:59:37.986151Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--176e3fd0-477f-4073-a654-7a62c101a9b3",
"relationship_type": "detects",
"target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"external_references": [
{
"source_name": "Davis, Haley and Bartlett",
"description": "Davis, Haley and Bartlett. (2021). Id et exercitation commodo tempor. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Occaecat laborum adipiscing aute est elit duis, lorem quis pariatur sunt incididunt ipsum nisi. Fugiat in nulla aliqua nisi ipsum.(Citation: Davis, Haley and Bartlett)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--f821bc1c-7209-4123-a46c-f72963ceab3c",
"type": "relationship",
"created": "2021-07-19T18:59:37.988117Z",
"modified": "2021-07-19T18:59:37.988117Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--176e3fd0-477f-4073-a654-7a62c101a9b3",
"relationship_type": "detects",
"target_ref": "attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e",
"external_references": [
{
"source_name": "Smith LLC",
"description": "Smith LLC. (2021). Magna qui eu enim. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Rodriguez, Koch and Smith",
"description": "Rodriguez, Koch and Smith. (2021). Veniam aute et duis. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Consequat occaecat dolore laborum duis esse voluptate, in ut incididunt officia incididunt sunt ex ullamco. Ipsum reprehenderit mollit exercitation, anim deserunt aliqua voluptate nostrud est officia ex.(Citation: Smith LLC)(Citation: Rodriguez, Koch and Smith)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--e3c3382d-bf7e-4e3d-92ef-3aaeca716cbb",
"type": "relationship",
"created": "2021-07-19T18:59:37.992358Z",
"modified": "2021-07-19T18:59:37.992358Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--f79594c6-204d-4fd5-b8fa-9467c6ae92ca",
"relationship_type": "detects",
"target_ref": "attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e",
"external_references": [
{
"source_name": "White-Lee",
"description": "White-Lee. (2021). Minim laborum officia laboris aliquip velit. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Sed magna sed fugiat cillum duis elit ipsum, occaecat tempor ea esse. Non excepteur ullamco irure cupidatat ea qui deserunt.(Citation: White-Lee)",
"x_mitre_version": "1.0"
},
{
"id": "relationship--431746d3-270e-4198-a443-9fc26df2f07f",
"type": "relationship",
"created": "2021-07-19T18:59:37.994710Z",
"modified": "2021-07-19T18:59:37.994710Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "x-mitre-data-component--f79594c6-204d-4fd5-b8fa-9467c6ae92ca",
"relationship_type": "detects",
"target_ref": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
"external_references": [
{
"source_name": "Hancock, Baxter and Mccormick",
"description": "Hancock, Baxter and Mccormick. (2021). Pariatur quis nisi esse lorem veniam do. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
},
{
"source_name": "Reynolds, Johnson and Ball",
"description": "Reynolds, Johnson and Ball. (2021). Adipiscing do velit adipiscing magna officia ex culpa, magna ullamco eiusmod est. Retrieved July 19, 2021",
"url": "https://attack.mitre.org"
}
],
"description": "Consectetur ipsum ullamco veniam dolor exercitation velit. Tempor exercitation mollit labore.(Citation: Hancock, Baxter and Mccormick)(Citation: Reynolds, Johnson and Ball)",
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1580",
"url": "https://attack.mitre.org/techniques/T1580"
},
{
"source_name": "Amazon Describe Instance",
"url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html",
"description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020."
},
{
"source_name": "Amazon Describe Instances API",
"url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html",
"description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020."
},
{
"source_name": "Google Compute Instances",
"url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list",
"description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020."
},
{
"description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.",
"url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest",
"source_name": "Microsoft AZ CLI"
},
{
"source_name": "Expel IO Evil in AWS",
"url": "https://expel.io/blog/finding-evil-in-aws/",
"description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."
},
{
"source_name": "Mandiant M-Trends 2020",
"url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Cloud Infrastructure Discovery",
"description": "An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.",
"id": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
"type": "attack-pattern",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"modified": "2021-07-19T18:59:38.238203Z",
"created": "2020-08-20T17:51:25.671Z",
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_version": "1.1",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_detection": "Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
"x_mitre_data_sources": [
"Smoke Signal: Smoke Volume",
"Data Source Nulla: Data Component Aliqua",
"Data Source Ad: Data Component Qui",
"Data Source Pariatur: Data Component Incididunt",
"Data Source Ea: Data Component Amet"
],
"x_mitre_platforms": [
"IaaS"
]
},
{
"id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
"description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
"name": "DLL Search Order Hijacking",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1574.001",
"url": "https://attack.mitre.org/techniques/T1574/001"
},
{
"external_id": "CAPEC-471",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/471.html"
},
{
"source_name": "Microsoft Dynamic Link Library Search Order",
"url": "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN",
"description": "Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014."
},
{
"source_name": "FireEye Hijacking July 2010",
"url": "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html",
"description": "Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020."
},
{
"source_name": "OWASP Binary Planting",
"description": "OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016.",
"url": "https://www.owasp.org/index.php/Binary_planting"
},
{
"source_name": "FireEye fxsst June 2011",
"url": "https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html",
"description": "Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020."
},
{
"source_name": "Microsoft Security Advisory 2269637",
"url": "https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637",
"description": "Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020."
},
{
"source_name": "Microsoft Dynamic-Link Library Redirection",
"url": "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN",
"description": "Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020."
},
{
"source_name": "Microsoft Manifests",
"description": "Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.",
"url": "https://msdn.microsoft.com/en-US/library/aa375365"
},
{
"source_name": "FireEye DLL Search Order Hijacking",
"url": "https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html",
"description": "Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020."
}
],
"type": "attack-pattern",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"modified": "2021-07-19T18:59:38.238203Z",
"created": "2020-03-13T18:11:08.357Z",
"x_mitre_platforms": [
"Windows"
],
"x_mitre_contributors": [
"Travis Smith, Tripwire",
"Stefan Kanthak"
],
"x_mitre_data_sources": [
"Data Source Nulla: Data Component Aliqua",
"Data Source Nulla: Data Component Est",
"Data Source Ad: Data Component Qui",
"Data Source Pariatur: Data Component Incididunt"
],
"x_mitre_detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of `.manifest` and `.local` redirection files that do not correlate with software updates are suspicious.",
"x_mitre_is_subtechnique": true,
"x_mitre_version": "1.1"
},
{
"created": "2017-05-31T21:30:20.537Z",
"modified": "2021-07-19T18:59:38.238203Z",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"type": "attack-pattern",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1005",
"external_id": "T1005"
}
],
"description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
"name": "Data from Local System",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"x_mitre_version": "1.2",
"x_mitre_data_sources": [
"Data Source Nulla: Data Component Est",
"Data Source Pariatur: Data Component Incididunt"
],
"x_mitre_detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_system_requirements": [
"Privileges to access certain files and directories"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_is_subtechnique": false
},
{
"id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
"description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup</code>. The startup folder path for all users is <code>C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp</code>.\n\nThe following run keys are created by default on Windows systems:\n\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell</code> subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> run when any user logs on.\n\nBy default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
"name": "Registry Run Keys / Startup Folder",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1547.001",
"url": "https://attack.mitre.org/techniques/T1547/001"
},
{
"external_id": "CAPEC-270",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/270.html"