Remote Services| attack.mitre.org
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of FIN7 was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to a big game hunting (BGH) app...| attack.mitre.org
Multi-Factor Authentication Request Generation| attack.mitre.org
NOKKI| attack.mitre.org
ROKRAT| attack.mitre.org
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so th...| attack.mitre.org
= | attack.mitre.org
Hijack Execution Flow| attack.mitre.org
Scheduled Task/Job| attack.mitre.org
APT41| attack.mitre.org
Phishing:| attack.mitre.org
Lateral Tool Transfer| attack.mitre.org
Remote Services:| attack.mitre.org
Windows Registry: Windows Registry Key Access| attack.mitre.org
Command: Command Execution| attack.mitre.org
Enterprise| attack.mitre.org
APT33| attack.mitre.org
Phishing| attack.mitre.org
Command and Scripting Interpreter:| attack.mitre.org
Tropic Trooper| attack.mitre.org
Command and Scripting Interpreter:| attack.mitre.org
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. | attack.mitre.org
Exploit Public-Facing Application| attack.mitre.org
Application Layer Protocol:| attack.mitre.org
Application Layer Protocol:| attack.mitre.org
Mobile| attack.mitre.org
Application Layer Protocol| attack.mitre.org
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.| attack.mitre.org
T1548 | attack.mitre.org
Version History| attack.mitre.org
Active Directory: Active Directory Credential Request| attack.mitre.org
Lateral Movement| attack.mitre.org
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.[1]| attack.mitre.org
DS0017| attack.mitre.org
T1098 | attack.mitre.org
T1548 | attack.mitre.org
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.| attack.mitre.org
Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.[1][2] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSe...| attack.mitre.org
Monitor network traffic for WMI connections for potential use to remotely edit configuration, start services, or query files. When remote WMI requests are over RPC it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so ...| attack.mitre.org
T1071 | attack.mitre.org
= | attack.mitre.org
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ParentImage!="?" AND ParentImage!="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" AND ParentImage!="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" AND((Image="C:\Windows\System32\smss.exe" AND (ParentImage!="C:\Windows\System32\smss.exe" AND ParentImage!="System")) OR(Image="C:\Windows\System32\csrss.exe" AND (ParentImage!="C...| attack.mitre.org
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization...| attack.mitre.org
T1659 | attack.mitre.org
Groups| attack.mitre.org
APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]| attack.mitre.org
Tactics represent the "why" of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.| attack.mitre.org
Netwalker| attack.mitre.org
Application Layer Protocol:| attack.mitre.org
= | attack.mitre.org
Masquerading| attack.mitre.org
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.[1][2] | attack.mitre.org
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.| attack.mitre.org