attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0.json
{
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "T1587.001",
      "url": "https://attack.mitre.org/techniques/T1587/001"
    },
    {
      "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
      "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
      "source_name": "Mandiant APT1"
    },
    {
      "source_name": "Kaspersky Sofacy",
      "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
      "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
    },
    {
      "source_name": "ActiveMalwareEnergy",
      "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.",
      "url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/"
    },
    {
      "source_name": "FBI Flash FIN7 USB",
      "url": "https://www.losangeles.va.gov/documents/MI-000120-MW.pdf",
      "description": "Federal Bureau of Investigation, Cyber Division. (2020, March 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection Attacks. Retrieved October 14, 2020."
    },
    {
      "source_name": "FireEye APT29",
      "description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.",
      "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"
    }
  ],
  "created_by_ref": "The MITRE Corporation",
  "name": "Malware",
  "description": "Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)",
  "id": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
  "type": "attack-pattern",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "resource-development"
    }
  ],
  "modified": "2020-10-22T13:05:43.492Z",
  "created": "2020-10-01T01:33:01.433Z",
  "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
  "x_mitre_version": "1.0",
  "x_mitre_is_subtechnique": true,
  "x_mitre_platforms": [
    "PRE"
  ]
}