attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2.json
{
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1036.005",
"url": "https://attack.mitre.org/techniques/T1036/005"
},
{
"external_id": "CAPEC-177",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/177.html"
},
{
"source_name": "Endgame Masquerade Ball",
"description": "Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.",
"url": "http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf"
},
{
"source_name": "Twitter ItsReallyNick Masquerading Update",
"url": "https://twitter.com/ItsReallyNick/status/1055321652777619457",
"description": "Carr, N. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019."
}
],
"created_by_ref": "The MITRE Corporation",
"name": "Match Legitimate Name or Location",
"description": "Adversaries may match or approximate the name or location of legitimate files when naming/placing their files. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.",
"id": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"type": "attack-pattern",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"modified": "2020-06-20T22:11:45.970Z",
"created": "2020-02-10T20:43:10.239Z",
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
"x_mitre_defense_bypassed": [
"Application control by file name or path"
],
"x_mitre_detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct, because that will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)",
"x_mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters",
"Binary file metadata"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
]
}