HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 351,
"next": "https://unprotect.it/api/techniques/?format=api&page=3",
"previous": "https://unprotect.it/api/techniques/?format=api",
"results": [
{
"id": 320,
"key": "system-binary-proxy-execution-control-panel",
"unprotect_id": "T1218.002",
"name": "System Binary Proxy Execution: Control Panel",
"description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\r\n\r\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.\r\n\r\nMalicious Control Panel items can be delivered via Phishing campaigns or executed as part of multi-stage malware. Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\r\n\r\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.",
"resources": "https://attack.mitre.org/techniques/T1218/002/",
"creation_date": "2023-03-04T23:27:05.191000Z",
"tags": "Defense Evasion,\r\ncontrol.exe,\r\nControl Panel (.cpl)\r\nCPlApplet function,\r\nbypass application allow lists,\r\nbypass file extension allow lists,\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls,\r\nDllEntryPoint,",
"modification_date": "2023-10-04T10:43:16.676000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 319,
"key": "system-binary-proxy-execution-compiled-html-file",
"unprotect_id": "T1218.001",
"name": "System Binary Proxy Execution: Compiled HTML File",
"description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).\r\n\r\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe.",
"resources": "https://attack.mitre.org/techniques/T1218/001/",
"creation_date": "2023-03-04T23:21:47.629000Z",
"tags": "Defense Evasion,\r\nAPT38,\r\nAPT41,\r\nMicrosoft HTML Help system,\r\nhh.exe,\r\nbypass application application control,",
"modification_date": "2023-10-04T10:43:10.638000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 318,
"key": "subvert-trust-controls-code-signing-policy-modification",
"unprotect_id": "T1553.006",
"name": "Subvert Trust Controls: Code Signing Policy Modification",
"description": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.\r\n\r\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows. Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.\r\n\r\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, Modify Registry, rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory. Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows. Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.\r\n\r\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct Exploitation for Privilege Escalation using a signed, but vulnerable driver.",
"resources": "https://attack.mitre.org/techniques/T1553/006/",
"creation_date": "2023-03-04T00:52:29.582000Z",
"tags": "Defense Evasion,\r\nexecution of unsigned code,\r\nexecution of self-signed code,\r\nDriver Signature Enforcement (DSE),\r\nbcdedit.exe -set TESTSIGNING ON,\r\ndisable RequireSigned,\r\ng_CiOptions,\r\nPrivilege Escalation,\r\nAPT39,\r\nenable TESTSIGNING,\r\ndisable driver signing verification,",
"modification_date": "2023-10-04T10:43:00.943000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 317,
"key": "subvert-trust-controls-mark-of-the-web-bypass",
"unprotect_id": "T1553.005",
"name": "Subvert Trust Controls: Mark-of-the-Web Bypass",
"description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW. Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.\r\n\r\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.",
"resources": "https://attack.mitre.org/techniques/T1553/005/",
"creation_date": "2023-03-04T00:46:07.229000Z",
"tags": "Defense Evasion,\r\nMark-of-the-Web (MOTW) controls,\r\nNTFS Alternate Data Stream (ADS),\r\nZone.Identifier,\r\nWindows Defender SmartScreen,\r\ncompressed/archive (.arj, .gzip) format,\r\ndisk image (.iso, .vhd) file format,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:22.140000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 316,
"key": "subvert-trust-controls-install-root-certificate",
"unprotect_id": "T1553.004",
"name": "Subvert Trust Controls: Install Root Certificate",
"description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\r\n\r\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.\r\n\r\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide Adversary-in-the-Middle capability for intercepting information transmitted over secure TLS/SSL communications.\r\n\r\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.",
"resources": "https://attack.mitre.org/techniques/T1553/004/",
"creation_date": "2023-03-04T00:41:29.779000Z",
"tags": "Defense Evasion,\r\nroot certificate authority (CA),\r\ncloning root certificates,\r\nAdversary-in-the-Middle,\r\nroot CA,\r\nTrusted Publisher,\r\ncertutil,\r\nadd-trusted-cert,\r\ncertmgr.exe,",
"modification_date": "2023-10-04T10:42:58.127000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 315,
"key": "subvert-trust-controls-sip-and-trust-provider-hijacking",
"unprotect_id": "T1553.003",
"name": "Subvert Trust Controls: SIP and Trust Provider Hijacking",
"description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. \r\n\r\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all) and are identified by globally unique identifiers (GUIDs).\r\n\r\nSimilar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by:\r\n\r\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP [6] (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\r\n\r\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP [with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\r\n\r\nModifying the DLL and Function Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\r\nNote: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.\r\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.",
"resources": "https://attack.mitre.org/techniques/T1553/003/",
"creation_date": "2023-03-04T00:36:46.332000Z",
"tags": "Defense Evasion,\r\nmanipulate SIP,\r\nhijack SIP,\r\nmanipulate trust provider components,\r\nWindows Authenticode,\r\nWinVerifyTrust,\r\nsignature validation,\r\nSubject Interface Packages (SIPs),\r\nglobally unique identifiers (GUIDs),\r\nsubvert trust controls,\r\nbypass security policies,\r\nDll Registry value,\r\nFuncName Registry value,\r\nCryptSIPDllGetSignedDataMsg function,\r\nHKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{SIP_GUID},\r\nHKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData{SIP_GUID},\r\nHKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy{trust provider GUID},\r\nenable persistent code execution,",
"modification_date": "2023-10-04T10:44:22.284000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 314,
"key": "subvert-trust-controls-code-signing",
"unprotect_id": "T1553.002",
"name": "Subvert Trust Controls: Code Signing",
"description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.\r\n\r\nCode signing to verify software on first run can be used on modern Windows systems.\r\n\r\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system.",
"resources": "https://attack.mitre.org/techniques/T1553/002/",
"creation_date": "2023-03-04T00:24:59.655000Z",
"tags": "Defense Evasion,\r\nfalsification of trusted signatures,\r\ncode signing,\r\nfalsifying certificates,\r\nself signed digital certificates,\r\nfake certificates,\r\nvalid CA,\r\ninvalid certificates,\r\nrevoked certificates,\r\nstolen certificates,\r\nforged certificates,\r\nAPT29,\r\nAPT41,",
"modification_date": "2023-10-04T10:44:59.378000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 313,
"key": "rootkit",
"unprotect_id": "T1014",
"name": "Rootkit",
"description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.\r\n\r\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, network connections or System Firmware.",
"resources": "https://attack.mitre.org/techniques/T1014/",
"creation_date": "2023-02-24T04:26:41.720000Z",
"tags": "Defense Evasion,\r\nintercepting/hooking and modifying operating system API calls,\r\nhypervisor, \r\nMaster Boot Record, \r\nSystem Firmware,\r\nobfuscation of malware,\r\nobfuscation of payloads,\r\nobfuscation of system resource usage,\r\nAPT28,\r\npersistent remote access,",
"modification_date": "2023-10-04T10:44:05.739000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 312,
"key": "rogue-domain-controller",
"unprotect_id": "T1207",
"name": "Rogue Domain Controller",
"description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\r\n\r\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. \r\n\r\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence.",
"resources": "https://attack.mitre.org/techniques/T1207/",
"creation_date": "2023-02-24T04:20:52.927000Z",
"tags": "Defense Evasion,\r\nPersistence,\r\nActive Directory manipulation,\r\nDCShadow,\r\nmimic Domain Controller (DC),\r\nnTDSDSA object,\r\nprivilege elevation,\r\nKRBTGT hash,\r\nbypass system logging and security monitors,\r\nbypass security information and event management (SIEM),\r\nalter and delete replication and metadata,\r\nSID-History Injection,\r\nmanipulate AD objects,",
"modification_date": "2023-10-04T10:44:29.580000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 311,
"key": "reflective-code-loading",
"unprotect_id": "T1620",
"name": "Reflective Code Loading",
"description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).\r\n\r\nReflective code injection is very similar to Process Injection except that the \"injection\" loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.",
"resources": "https://attack.mitre.org/techniques/T1620/",
"creation_date": "2023-02-24T04:14:52.913000Z",
"tags": "Defense Evasion,\r\nmalicious code injection,\r\nexecuting payloads directly within process memory,\r\ncompiled binaries, \r\nanonymous files (only present in RAM), \r\nfileless executable code,\r\nevade process-based detections,\r\nmimic legitimate process,\r\nencrypted payload,\r\nobfuscated payload,",
"modification_date": "2023-10-04T10:44:18.491000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 310,
"key": "process-injection-listplanting",
"unprotect_id": "T1055.015",
"name": "Process Injection: ListPlanting",
"description": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.\r\n\r\nList-view controls are user interface windows used to display collections of items. Information about an application's list-view settings are stored within the process' memory in a SysListView32 control.\r\n\r\nListPlanting (a form of message-passing \"shatter attack\") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items. Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the SysListView32 child of the victim process window (via Windows API calls such as FindWindow and/or EnumWindows) or other Process Injection methods.\r\n\r\nSome variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored WriteProcessMemory function. For example, an adversary can use the PostMessage and/or SendMessage API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages, effectively copying a payload 2 bytes at a time to the allocated memory.\r\n\r\nFinally, the payload is triggered by sending the LVM_SORTITEMS message to the SysListView32 child of the process window, with the payload within the newly allocated buffer passed and executed as the ListView_SortItems callback.",
"resources": "https://attack.mitre.org/techniques/T1055/015/",
"creation_date": "2023-02-24T04:11:30.064000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\ninject malicious code into hijacked processes,\r\nevade detection from security products,\r\nSysListView32 control,\r\nmessage-passing shatter attack\r\ncustom callback,\r\nFindWindow,\r\nEnumWindows,\r\nwindow messages,\r\nLVM_SETITEMPOSITION message,\r\nLVM_GETITEMPOSITION message,\r\nLVM_SORTITEMS message,\r\nListView_SortItems callback,\r\nWriteProcessMemory function,",
"modification_date": "2023-10-04T10:44:02.072000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 309,
"key": "process-injection-process-doppelganging",
"unprotect_id": "T1055.013",
"name": "Process Injection: Process Doppelgänging",
"description": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction.\r\n\r\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. \r\n\r\nAdversaries may abuse TxF to a perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext.\r\n\r\nProcess Doppelgänging is implemented in 4 steps:\r\n\r\nTransact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\r\nLoad – Create a shared section of memory and load the malicious executable.\r\nRollback – Undo changes to original executable, effectively removing malicious code from the file system.\r\nAnimate – Create a process from the tainted section of memory and initiate execution.\r\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/013/",
"creation_date": "2023-02-24T04:06:01.468000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nWindows Transactional NTFS (TxF),\r\nTxF application programming interface (API),\r\nfile-less variation of Process Injection,\r\nreplacing memory of a legitimate process with malicious code,\r\nTxF transaction,\r\nevade detection from security products, \r\nmimic legitimate process,\r\nabuse NTFS transactions,",
"modification_date": "2023-10-04T10:44:17.444000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 308,
"key": "process-injection-process-hollowing",
"unprotect_id": "T1055.012",
"name": "Process Injection: Process Hollowing",
"description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.\r\n\r\nThis is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/012/",
"creation_date": "2023-02-24T03:59:59.456000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\ninject suspended and hollowed processes,\r\nCreateProcess,\r\nZwUnmapViewOfSection,\r\nNtUnmapViewOfSection,\r\nVirtualAllocEx, \r\nWriteProcessMemory, \r\nSetThreadContext, \r\nResumeThread,\r\nreallocating space with malicious code,\r\npermission inheritance,",
"modification_date": "2023-10-04T10:44:16.612000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 307,
"key": "process-injection-extra-window-memory-injection",
"unprotect_id": "T1055.011",
"name": "Process Injection: Extra Window Memory Injection",
"description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. \r\n\r\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\r\n\r\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/011/",
"creation_date": "2023-02-24T03:54:55.312000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation.\r\nmalicious code injection,\r\nmemory access,\r\nevade process-based defenses,\r\nprivilege escalation,\r\nwriting payloads to shared sections,\r\noverwrite function pointer,",
"modification_date": "2023-10-04T10:44:16.353000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 306,
"key": "process-injection-thread-local-storage",
"unprotect_id": "T1055.005",
"name": "Process Injection: Thread Local Storage",
"description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other Process Injection techniques such as Process Hollowing.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/005/",
"creation_date": "2023-02-24T03:34:35.743000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nthread local storage (TLS) callbacks,\r\nevade process-based defenses,\r\nprivilege escalation,\r\nmimic legitimate process,\r\nprocess injection,",
"modification_date": "2023-10-04T10:42:48.678000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 305,
"key": "process-injection-asynchronous-procedure-call",
"unprotect_id": "T1055.004",
"name": "Process Injection: Asynchronous Procedure Call",
"description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nAPC injection is commonly performed by attaching malicious code to the APC Queue of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL).\r\n\r\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. AtomBombing is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/004/",
"creation_date": "2023-02-24T03:30:19.124000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nasynchronous procedure call (APC) queue,\r\nevade process-based defenses,\r\nprivilege elevation,\r\nmimic legitimate process,\r\nAPC injection,\r\nOpenThread,\r\nQueueUserAPC,\r\nLoadLibrayA,\r\nEarly Bird injection,\r\nAtomBombing,\r\nmalicious code injection,",
"modification_date": "2023-10-04T10:44:29.416000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 304,
"key": "process-injection-thread-execution-hijacking",
"unprotect_id": "T1055.003",
"name": "Process Injection: Thread Execution Hijacking",
"description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.\r\n\r\nThis is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/003/",
"creation_date": "2023-02-24T03:21:21.181000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nevade process-based defenses,\r\nOpenThread,\r\nSuspendThread,\r\nVirtualAllocEx,\r\nWriteProcessMemory,\r\nSetThreadContext, \r\nResumeThread,\r\nexisting process,\r\nmimic legitimate process,",
"modification_date": "2023-10-04T10:42:44.290000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 303,
"key": "process-injection-portable-executable-injection",
"unprotect_id": "T1055.002",
"name": "Process Injection: Portable Executable Injection",
"description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. \r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/002/",
"creation_date": "2023-02-16T00:25:09.855000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nexecuting arbitrary code in live process,\r\nvirtual address space,\r\nVirtualAllocEx,\r\nWriteProcessMemory,\r\nCreateRemoteThread,",
"modification_date": "2023-10-04T10:44:16.090000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 302,
"key": "process-injection-dynamic-link-library-injection",
"unprotect_id": "T1055.001",
"name": "Process Injection: Dynamic-link Library Injection",
"description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.\r\n\r\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). \r\n\r\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).\r\n\r\nAnother variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process. This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.\r\n\r\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.",
"resources": "https://attack.mitre.org/techniques/T1055/001/",
"creation_date": "2023-02-16T00:21:00.773000Z",
"tags": "Defense Evasion, \r\nPrivilege Escalation,\r\nexecuting arbitrary code in live process,\r\nnative Windows API calls,\r\nVirtualAllocEx, \r\nWriteProcessMemory,\r\nCreateRemoteThread,\r\nLoadLibrary,\r\nreflective DLL injection,\r\nself-mapping DLL,\r\nModule Stomping,\r\nModule Overloading,\r\nDLL Hollowing,\r\nconceal injected code,\r\nAddressOfEntryPoint,\r\nmalicious injection,\r\nencrypted DLLs,",
"modification_date": "2023-10-04T10:44:15.834000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 301,
"key": "pre-os-boot-bootkit",
"unprotect_id": "T1542.003",
"name": "Pre-OS Boot: Bootkit",
"description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\r\n\r\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. \r\n\r\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
"resources": "https://attack.mitre.org/techniques/T1542/003/",
"creation_date": "2023-02-16T00:02:44.948000Z",
"tags": "Persistence, \r\nDefense Evasion,\r\nboot sector modification,\r\nMaster Boot Record (MBR),\r\nVolume Boot Record (VBR),\r\nboot loader,\r\nboot drive overwrite,\r\nAPT28,\r\nAPT41,\r\nransomware,",
"modification_date": "2023-10-04T10:42:43.557000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 300,
"key": "pre-os-boot-component-firmware",
"unprotect_id": "T1542.002",
"name": "Pre-OS Boot: Component Firmware",
"description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\r\n\r\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",
"resources": "https://attack.mitre.org/techniques/T1542/002/",
"creation_date": "2023-02-15T23:58:24.350000Z",
"tags": "Persistence, \r\nDefense Evasion,\r\nmodify component firmware,\r\nexecute adversary code,\r\npatching legitimate device firmware,\r\noverwrite firmware,",
"modification_date": "2023-10-04T10:44:15.571000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 299,
"key": "pre-os-boot-system-firmware",
"unprotect_id": "T1542.001",
"name": "Pre-OS Boot: System Firmware",
"description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.\r\n\r\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.",
"resources": "https://attack.mitre.org/techniques/T1542/001/",
"creation_date": "2023-02-15T23:41:24.674000Z",
"tags": "Persistence, \r\nDefense Evasion,\r\nBIOS (Basic Input/Output System),\r\nUnified Extensible Firmware Interface (UEFI),\r\nExtensible Firmware Interface (EFI),\r\noverwrite system firmware,\r\nmalicious firmware updates,\r\nrootkit,\r\nBIOS modification,",
"modification_date": "2023-10-04T10:44:06.969000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 298,
"key": "obfuscated-files-or-information-embedded-payloads",
"unprotect_id": "T1027.009",
"name": "Obfuscated Files or Information: Embedded Payloads",
"description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.\r\n\r\nAdversaries may embed payloads in various file formats to hide payloads. This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.\r\n\r\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary. Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.\r\n\r\nEmbedded content may also be used as Process Injection payloads used to infect benign system processes. These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.",
"resources": "https://attack.mitre.org/techniques/T1027/009/",
"creation_date": "2023-02-15T23:33:22.130000Z",
"tags": "Defense Evasion,\r\nconceal malicious code,\r\nobfuscate malicious payloads,\r\nSubvert Trust Controls,\r\nembedded payloads,\r\nnested payloads,\r\nProcess Injection payloads,\r\nencrypted communications module,",
"modification_date": "2023-10-04T10:42:36.663000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 297,
"key": "obfuscated-files-or-information-stripped-payloads",
"unprotect_id": "T1027.008",
"name": "Obfuscated Files or Information: Stripped Payloads",
"description": "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s linker when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.\r\n\r\nAdversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads",
"resources": "https://attack.mitre.org/techniques/T1027/008/",
"creation_date": "2023-02-15T23:22:37.393000Z",
"tags": "Defense Evasion,\r\nRemove human readable information,\r\noperating system linker,\r\nobfuscate malicious code,",
"modification_date": "2023-10-04T10:42:32.815000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 296,
"key": "obfuscated-files-or-information-dynamic-api-resolution",
"unprotect_id": "T1027.007",
"name": "Obfuscated Files or Information: Dynamic API Resolution",
"description": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.\r\n\r\nAPI functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.\r\n\r\nTo avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to Software Packing, dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.\r\n\r\nVarious methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of Deobfuscate/Decode Files or Information during execution)",
"resources": "https://attack.mitre.org/techniques/T1027/007/",
"creation_date": "2023-02-15T23:19:52.827000Z",
"tags": "Defense Evasion,\r\nobfuscate API functions,\r\ndynamic API resolution,\r\nconceal malicious functionality,\r\nimport address table (IAT),\r\nmanipulate file signatures,\r\nGetProcAddress(),\r\nLoadLibrary(),\r\nEncrypt hashes,\r\nDeobfuscate files,\r\nDecode files,\r\ndynamic Windows hashing algorithm,",
"modification_date": "2023-10-04T10:42:41.519000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 295,
"key": "obfuscated-files-or-information-html-smuggling",
"unprotect_id": "T1027.006",
"name": "Obfuscated Files or Information: HTML Smuggling",
"description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.\r\n\r\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. Deobfuscate/Decode Files or Information), potentially bypassing content filters.\r\n\r\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.",
"resources": "https://attack.mitre.org/techniques/T1027/006/",
"creation_date": "2023-02-15T23:15:42.900000Z",
"tags": "Defense Evasion,\r\nbypass content filters,\r\nmalicious HTML files,\r\nMIME files,\r\nHTML5 download attribute,\r\nJavaScript Blobs,\r\ntext/plain, \r\ntext/html,\r\nData URLs,\r\nmsSaveBlob,\r\nAPT29,",
"modification_date": "2023-10-04T10:44:14.626000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 294,
"key": "obfuscated-files-or-information-indicator-removal-from-tools",
"unprotect_id": "T1027.005",
"name": "Obfuscated Files or Information: Indicator Removal from Tools",
"description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\r\n\r\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
"resources": "https://attack.mitre.org/techniques/T1027/005/",
"creation_date": "2023-02-15T23:07:19.194000Z",
"tags": "Defense Evasion,\r\nmalicious file modification,\r\npayload modification,\r\nsignature evasion,\r\nunique hash,\r\nAPT3,",
"modification_date": "2023-10-04T10:42:26.127000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 293,
"key": "obfuscated-files-or-information-compile-after-delivery",
"unprotect_id": "T1027.004",
"name": "Obfuscated Files or Information: Compile After Delivery",
"description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.\r\n\r\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.",
"resources": "https://attack.mitre.org/techniques/T1027/004/",
"creation_date": "2023-02-15T23:04:18.334000Z",
"tags": "Defense Evasion,\r\nuncompiled code,\r\ncompile malicious code,\r\nexecute malicious code,\r\nencrypted malicious code,",
"modification_date": "2023-10-04T10:44:13.657000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 292,
"key": "obfuscated-files-or-information-steganography",
"unprotect_id": "T1027.003",
"name": "Obfuscated Files or Information: Steganography",
"description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\r\n\r\nDuqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.\r\n\r\nBy the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.",
"resources": "https://attack.mitre.org/techniques/T1027/003/",
"creation_date": "2023-02-15T23:01:45.898000Z",
"tags": "Defense Evasion,\r\nconceal information,\r\nconceal payloads,\r\nInvoke-PSImage,\r\nAPT37,\r\nhidden malicious portable executable,\r\nembedded image files,\r\nobfuscated files,",
"modification_date": "2023-10-04T10:44:14.469000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 291,
"key": "obfuscated-files-or-information-software-packing",
"unprotect_id": "T1027.002",
"name": "Obfuscated Files or Information: Software Packing",
"description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.\r\n\r\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses",
"resources": "https://attack.mitre.org/techniques/T1027/002/",
"creation_date": "2023-02-15T22:57:33.440000Z",
"tags": "Defense Evasion,\r\ncompressing executables,\r\nencrypting executables,\r\navoiding signature-based detection,\r\npacked payloads,\r\nobfuscating malicious payloads,\r\nMPRESS,\r\nUPX,\r\nVirtual machine software protection,\r\nAPT29,\r\nAPT3,\r\nAPT38,\r\nAPT39,",
"modification_date": "2023-10-04T10:44:14.775000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 290,
"key": "obfuscated-files-or-information-binary-padding",
"unprotect_id": "T1027.001",
"name": "Obfuscated Files or Information: Binary Padding",
"description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.\r\n\r\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware. Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.",
"resources": "https://attack.mitre.org/techniques/T1027/001/",
"creation_date": "2023-02-15T22:53:34.910000Z",
"tags": "Defense Evasion,\r\nchecksum manipulation,\r\navoid hash-based blocklists, \r\navoid static anti-virus signatures,\r\nappend junk data,\r\nappend random binary data,\r\nmaximum file size,\r\nAPT29,\r\nAPT32,\r\nmaximum file size,",
"modification_date": "2023-10-04T10:44:11.581000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 289,
"key": "modify-registry",
"unprotect_id": "T1112",
"name": "Modify Registry",
"description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\r\n\r\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\r\n\r\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. \r\n\r\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.",
"resources": "https://attack.mitre.org/techniques/T1112/",
"creation_date": "2023-02-10T03:43:23.404000Z",
"tags": "Defense Evasion,\r\nAPT19,\r\nAPT32,\r\nAPT38,\r\nAPT41,\r\nWindows Registry,\r\nRegistry keys,\r\nRegistry modifications,\r\npseudo-hidden keys,\r\nremote Registry service,\r\nUAC bypass,",
"modification_date": "2023-10-04T10:44:14.208000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 288,
"key": "modify-authentication-process-hybrid-identity",
"unprotect_id": "T1556.007",
"name": "Modify Authentication Process: Hybrid Identity",
"description": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.\r\n\r\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD:\r\n\r\nPassword Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Azure AD, allowing authentication to Azure AD to take place entirely in the cloud\r\nPass Through Authentication (PTA), in which Azure AD authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory\r\nActive Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Azure AD\r\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.\r\n\r\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials. In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.\r\n\r\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.",
"resources": "https://attack.mitre.org/techniques/T1556/007/",
"creation_date": "2023-02-10T03:35:30.421000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nbackdoor cloud authentication processes,\r\nbypass authentication mechanisms, \r\nmodifying authentication processes,\r\naccess credentials, \r\nenable persistent access,\r\nActive Directory, \r\nAzure AD,\r\nPassword Hash Synchronization (PHS),\r\nPass Through Authentication (PTA),\r\nActive Directory Federation Services (ADFS),\r\nAzureADConnectAuthenticationAgentService,\r\nMicrosoft.IdentityServer.Servicehost configuration file,\r\nhybrid identity authentication process,\r\ncredentia harvesting,\r\nAPT29,\r\ninject malicious DLL,",
"modification_date": "2023-10-04T10:42:27.062000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 287,
"key": "modify-authentication-process-multi-factor-authentication",
"unprotect_id": "T1556.006",
"name": "Modify Authentication Process: Multi-Factor Authentication",
"description": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.\r\n\r\nOnce adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.\r\n\r\nFor example, modifying the Windows hosts file (C:\\windows\\system32\\drivers\\etc\\hosts) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a \"fail open\" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. \r\n\r\nDepending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.",
"resources": "https://attack.mitre.org/techniques/T1556/006/",
"creation_date": "2023-02-10T03:28:56.884000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\ndisable multi-factor authentication (MFA),\r\nAzure AD Conditional Access Policies,\r\npatching MFA programs,\r\npatching MFA configurations,",
"modification_date": "2023-10-04T10:44:13.951000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 286,
"key": "modify-authentication-process-reversible-encryption",
"unprotect_id": "T1556.005",
"name": "Modify Authentication Process: Reversible Encryption",
"description": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.\r\n\r\nIf the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:\r\n\r\nEncrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters\r\n16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters\r\nGlobal LSA secret (G$MSRADIUSCHAPKEY)\r\nStatic key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)\r\nWith this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.\r\n\r\nAn adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory PowerShell module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to \"Windows Server 2008\" or higher. In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.",
"resources": "https://attack.mitre.org/techniques/T1556/005/",
"creation_date": "2023-02-10T03:25:12.537000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nActive Directory authentication encryption properties,\r\nAllowReversiblePasswordEncryption,\r\nG$RADIUSCHAP,\r\nG$RADIUSCHAPKEY,\r\nG$MSRADIUSCHAPKEY,\r\nRemote Access Subauthentication DLL (RASSFM.DLL),\r\nreproduce encryption key,\r\npassword decryption,\r\nLocal Group Policy Editor,\r\nFine-Grained Password Policy (FGPP),",
"modification_date": "2023-10-04T10:44:13.801000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 285,
"key": "modify-authentication-process-password-filter-dll",
"unprotect_id": "T1556.002",
"name": "Modify Authentication Process: Password Filter DLL",
"description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.\r\n\r\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.\r\n\r\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.",
"resources": "https://attack.mitre.org/techniques/T1556/002/",
"creation_date": "2023-02-10T03:20:31.344000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\npassword filter dynamic link libraries (DLLs),\r\ncredential harvesting,\r\nplain-text credentials,\r\nLocal Security Authority (LSA),\r\nSecurity Accounts Manager (SAM),",
"modification_date": "2023-10-04T10:44:13.502000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 284,
"key": "modify-authentication-process-domain-controller-authentication",
"unprotect_id": "T1556.001",
"name": "Modify Authentication Process: Domain Controller Authentication",
"description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.\r\n\r\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.",
"resources": "https://attack.mitre.org/techniques/T1556/001/",
"creation_date": "2023-02-10T03:10:04.658000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nbypass authentication mechanisms,\r\ninject false credentials,\r\nSkeleton key,\r\nLSASS,\r\ndomain authentication,\r\nNTLM authentication,\r\nenterprise domain controller authentication,",
"modification_date": "2023-10-04T10:44:13.353000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 283,
"key": "modify-authentication-process",
"unprotect_id": "T1556",
"name": "Modify Authentication Process",
"description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.\r\n\r\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
"resources": "https://attack.mitre.org/techniques/T1556/",
"creation_date": "2023-02-10T01:46:27.392000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nmodify authentication mechanisms,\r\nLocal Security Authentication Server (LSASS),\r\nSecurity Accounts Manager (SAM),\r\nbypass authentication mechanisms\r\ncredential reveal,\r\nbypass access controls,\r\nintercept private keys,",
"modification_date": "2023-10-04T10:44:13.207000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 282,
"key": "masquerading-double-file-extension",
"unprotect_id": "T1036.007",
"name": "Masquerading: Double File Extension",
"description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.\r\n\r\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user’s system via Spearphishing Attachment then User Execution. For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.\r\n\r\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
"resources": "https://attack.mitre.org/techniques/T1036/007/",
"creation_date": "2023-02-10T01:32:55.344000Z",
"tags": "Defense Evasion,\r\nhidden file types,\r\nhide file types,\r\nsecondary file extension,\r\nconceal malicious file types,\r\nuser execution,\r\nhidden malware,\r\ndual-extension,",
"modification_date": "2023-10-04T10:44:00.071000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 281,
"key": "masquerading-match-legitimate-name-or-location",
"unprotect_id": "T1036.005",
"name": "Masquerading: Match Legitimate Name or Location",
"description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\r\n\r\nAdversaries may also use the same icon of the file they are trying to mimic.",
"resources": "https://attack.mitre.org/techniques/T1036/005/",
"creation_date": "2023-02-10T01:26:42.267000Z",
"tags": "Defense Evasion,\r\ncommonly trusted directory,\r\nmimic legitimate trusted program,\r\ntrusted namespaces,\r\ntrusted filenames,\r\nmimic icon,\r\nhidden payloads,\r\nmalicious shortcuts,\r\nAPT1,\r\nAPT28,\r\nAPT29,\r\nAPT32,\r\nAPT39,\r\nAPT41,",
"modification_date": "2023-10-04T10:42:21.011000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 280,
"key": "masquerading-masquerade-task-or-service",
"unprotect_id": "T1036.004",
"name": "Masquerading: Masquerade Task or Service",
"description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\r\n\r\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.",
"resources": "https://attack.mitre.org/techniques/T1036/004/",
"creation_date": "2023-02-10T01:14:05.681000Z",
"tags": "Defense Evasion,\r\nscheduled tasks,\r\nscheduled tasks,\r\nmimic legitimate task,\r\nmimic legitimate service,\r\nAPT-C-36,\r\nAPT29,\r\nAPT32,\r\nAPT41,",
"modification_date": "2023-10-04T10:42:15.739000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 279,
"key": "masquerading-rename-system-utilities",
"unprotect_id": "T1036.003",
"name": "Masquerading: Rename System Utilities",
"description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.",
"resources": "https://attack.mitre.org/techniques/T1036/003/",
"creation_date": "2023-02-10T01:10:22.955000Z",
"tags": "Defense Evasion,\r\nrename legitimate file,\r\nAPT32,\r\nreplace legitimate system file,",
"modification_date": "2023-10-04T10:44:10.569000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 278,
"key": "masquerading-right-to-left-override",
"unprotect_id": "T1036.002",
"name": "Masquerading: Right-to-Left Override",
"description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.\r\n\r\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity. RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
"resources": "https://attack.mitre.org/techniques/T1036/002/",
"creation_date": "2023-02-10T01:05:54.520000Z",
"tags": "Defense Evasion,\r\nRTLO, \r\nRLO,\r\nobfuscate filenames,\r\nreverse executable names,",
"modification_date": "2023-10-04T10:42:29.587000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 277,
"key": "masquerading-invalid-code-signature",
"unprotect_id": "T1036.001",
"name": "Masquerading: Invalid Code Signature",
"description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.\r\n\r\nUnlike Code Signing, this activity will not result in a valid signature.",
"resources": "https://attack.mitre.org/techniques/T1036/001/",
"creation_date": "2023-02-10T00:56:50.010000Z",
"tags": "Defense Evasion,\r\nImpersonating valid code signatures,\r\nAPT37,\r\ninvalid code signatures ,\r\ninvalid digital certificates,\r\nunverified signatures,\r\nfake certificates,\r\nrevoked certificates,",
"modification_date": "2023-10-04T10:44:06.718000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 275,
"key": "indirect-command-execution",
"unprotect_id": "T1202",
"name": "Indirect Command Execution",
"description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. \r\n\r\nAdversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.",
"resources": "https://attack.mitre.org/techniques/T1202/",
"creation_date": "2023-02-07T05:39:23.235000Z",
"tags": "Defense Evasion,\r\nCommand execution concealment,\r\nperform arbitrary execution,\r\nExploit CLIs,",
"modification_date": "2023-10-04T10:44:06.576000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 274,
"key": "indicator-removal-clear-persistence",
"unprotect_id": "T1070.009",
"name": "Indicator Removal: Clear Persistence",
"description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.\r\n\r\nIn some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.",
"resources": "https://attack.mitre.org/techniques/T1070/009/",
"creation_date": "2023-02-07T05:35:59.751000Z",
"tags": "Defense Evasion,\r\nevidence removal,\r\nevidence clean-up,\r\nartifacts of persistence removal,\r\nregistry key removal,",
"modification_date": "2023-10-04T10:44:05.889000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 273,
"key": "indicator-removal-clear-mailbox-data",
"unprotect_id": "T1070.008",
"name": "Indicator Removal: Clear Mailbox Data",
"description": "Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests.\r\n\r\nAdversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.",
"resources": "",
"creation_date": "2023-02-07T05:33:13.414000Z",
"tags": "Defense Evasion,\r\nexport mailbox data,\r\ndelete mailbox data,\r\nExfiltration Over Alternative Protocol,\r\nRemove-MailboxExportRequest,",
"modification_date": "2023-10-04T10:40:14.313000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 272,
"key": "indicator-removal-clear-network-connection-history-and-configurations",
"unprotect_id": "T1070.007",
"name": "Indicator Removal: Clear Network Connection History and Configurations",
"description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\r\n\r\nNetwork connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under:\r\n\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\r\nWindows may also store information about recent RDP connections in files such as C:\\Users\\%username%\\Documents\\Default.rdp and C:\\Users\\%username%\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache\\. \r\n\r\nMalicious network connections may also require changes to network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.",
"resources": "https://attack.mitre.org/techniques/T1070/007/",
"creation_date": "2023-02-07T03:00:35.870000Z",
"tags": "Defense Evasion,\r\nNetwork history deletion,\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default,\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers,\r\nC:\\Users\\%username%\\Documents\\Default.rdp,\r\nC:\\Users\\%username%\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache,\r\ndisable firewall rule,\r\nmodify firewall,\r\nadd firewall rule,\r\nmodify network configuration,\r\nbypass firewall rule,\r\nenable Proxy,",
"modification_date": "2023-10-04T10:44:29.265000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 271,
"key": "indicator-removal-network-share-connection-removal",
"unprotect_id": "T1070.005",
"name": "Indicator Removal: Network Share Connection Removal",
"description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\\share /delete command.",
"resources": "https://attack.mitre.org/techniques/T1070/005/",
"creation_date": "2023-02-07T01:10:50.149000Z",
"tags": "Defense Evasion,\r\nnet use \\system\\share /delete,\r\nSMB share,\r\ndisconnect network shares,",
"modification_date": "2023-10-04T10:43:54.694000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 270,
"key": "indicator-removal-file-deletion",
"unprotect_id": "T1070.004",
"name": "Indicator Removal: File Deletion",
"description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\r\n\r\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. An example of built-in Command and Scripting Interpreter functions is del on Windows.",
"resources": "https://attack.mitre.org/techniques/T1070/004/",
"creation_date": "2023-02-07T01:08:44.043000Z",
"tags": "Defense Evasion,\r\ninfection clean-up,\r\ndel,\r\nevidence removal,",
"modification_date": "2023-10-04T10:43:35.632000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
}
]
}
