forked from MISP/misp-galaxy
2789 lines (2789 loc) · 222 KB
mitre-pre-attack-attack-pattern.json
{
"authors": [
"MITRE"
],
"category": "attack-pattern",
"description": "ATT&CK tactic",
"name": "Pre Attack - Attack Pattern",
"source": "https://github.com/mitre/cti",
"type": "mitre-pre-attack-attack-pattern",
"uuid": "03c13bec-1708-11e8-92a0-a747c0787089",
"values": [
{
"description": "Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The app store operators (e.g., Apple and Google) may detect the attempts, but it would not be observable to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can submit code remotely using throwaway accounts, although a registration fee may need to be paid for each new account (e.g., $99 for Apple and $25 for Google Play Store).",
"meta": {
"external_id": "PRE-T1170",
"kill_chain": [
"mitre-pre-attack:pre-attack:test-capabilities"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1170"
]
},
"uuid": "c9e85b80-39e8-42df-b275-86a2afcea9e8",
"value": "Test ability to evade automated mobile application security analysis performed by app stores - PRE-T1170"
},
{
"description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: FireEyeAPT17)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will generally not have visibility into their infrastructure.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Building and testing infrastructure and obfuscating it to protect it against intrusions are a standard part of the adversary process in preparing to conduct an operation against a target.",
"meta": {
"external_id": "PRE-T1108",
"kill_chain": [
"mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1108"
]
},
"related": [
{
"dest-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39",
"value": "Obfuscate infrastructure - PRE-T1108"
},
{
"description": "Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable. (Citation: LUCKYCAT2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Infrastructure is (typically) outside of the control/visibility of the defender, and as tools are staged for specific campaigns, it will not be obvious to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], commercial storage solutions).",
"meta": {
"external_id": "PRE-T1116",
"kill_chain": [
"mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1116"
]
},
"uuid": "a425598d-7c19-40f7-9aa3-ac20f0d5c2b2",
"value": "Create backup infrastructure - PRE-T1116"
},
{
"description": "An adversary may assess a target's operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more or less cautious in different environments. (Citation: Scasny2015) (Citation: EverstineAirStrikes)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender does not have access to information stored outside of the defender's scope or visibility (e.g., log data for Facebook is not easily accessible). Defender has very infrequent visibility into an adversary's more detailed TTPs for developing people targets.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Information is out in the open for items that are available - part of this is ease of use for consumers to support the expected networking use case. OSINT can provide many avenues to gather intel which contain weaknesses. Developing and refining the methodology to exploit weak human targets has been done for years (e.g., spies).",
"meta": {
"external_id": "PRE-T1073",
"kill_chain": [
"mitre-pre-attack:pre-attack:people-weakness-identification"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1073"
]
},
"uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92",
"value": "Assess targeting options - PRE-T1073"
},
{
"description": "Analysts may receive intelligence requirements from leadership and begin the research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associated with satisfying a requirement. (Citation: FBIIntelligencePrimer)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"meta": {
"external_id": "PRE-T1012",
"kill_chain": [
"mitre-pre-attack:pre-attack:priority-definition-planning"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1012"
]
},
"uuid": "7863b7f1-c18a-4aad-a6cf-4aa6d8797531",
"value": "Receive operator KITs/KIQs tasking - PRE-T1012"
},
{
"description": "An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Outside of highly specific or rare HW, nearly impossible to detect and track.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Ease and availability of current hardware and software, mobile phones (cash and go phones), and additional online technology simplifies adversary process to achieve this technique (and possibly without traceability). The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS).",
"meta": {
"external_id": "PRE-T1112",
"kill_chain": [
"mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1112"
]
},
"uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a",
"value": "Procure required equipment and software - PRE-T1112"
},
{
"description": "Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Technically, the defender has the ability to detect. However, this is typically not performed as this type of traffic would likely not prompt the defender to take any actionable defense. In addition, this would require the defender to closely review their access logs for any suspicious activity (if the activity is even logged).\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The adversary will have some insight into defenses based on dropped traffic or filtered responses. It is more difficult to pinpoint which defenses are implemented (e.g., [https://www.fireeye.com FireEye] WMPS, [https://www.hpe.com Hewlett Packard Enterprise] Tipping Point IPS).",
"meta": {
"external_id": "PRE-T1040",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1040"
]
},
"uuid": "04e93ca1-8415-4a46-8549-73b7c84f8dc3",
"value": "Identify security defensive capabilities - PRE-T1040"
},
{
"description": "Leadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"meta": {
"external_id": "PRE-T1007",
"kill_chain": [
"mitre-pre-attack:pre-attack:priority-definition-planning"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1007"
]
},
"uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904",
"value": "Derive intelligence requirements - PRE-T1007"
},
{
"description": "The use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers. (Citation: DamballaDGA) (Citation: DambballaDGACyberCriminals)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: It is possible to detect the use of DGAs; however, defenders have largely not been successful at mitigating the domains because they are generally registered less than an hour before they are used and disposed of within 24 hours.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This technique does not require a significant amount of sophistication while still being highly effective. It was popularized by the Conficker worms but is prevalent in crimeware such as Murofet and BankPatch.",
"meta": {
"external_id": "PRE-T1100",
"kill_chain": [
"mitre-pre-attack:pre-attack:adversary-opsec"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1100"
]
},
"uuid": "274164c6-4297-42d4-84b5-2369e51013fe",
"value": "Domain Generation Algorithms (DGA) - PRE-T1100"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nThe utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). (Citation: CitizenLabGreatCannon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: While possible to detect, it requires a broader vantage point than is typical that provides increased insight and conducts extensive data analysis and correlation between events.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Conducting technique requires either nation-state level capabilities or large amounts of financing to coordinate multiple 3rd party resources to gain desired insight.",
"meta": {
"external_id": "PRE-T1152",
"kill_chain": [
"mitre-pre-attack:pre-attack:launch"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1152"
]
},
"uuid": "2c8a9df4-52a9-4770-94b3-5e95ab7d59f9",
"value": "Leverage compromised 3rd party resources - PRE-T1152"
},
{
"description": "Execution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code. (Citation: EDB-39007) (Citation: infosec-covering-tracks)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the test and defender likely has no visibility.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has full control of environment to determine what level of auditing and traces exist on a system after execution.",
"meta": {
"external_id": "PRE-T1135",
"kill_chain": [
"mitre-pre-attack:pre-attack:test-capabilities"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1135"
]
},
"uuid": "a16e4004-caac-4a0b-acd5-486f8fda1665",
"value": "Review logs and residual traces - PRE-T1135"
},
{
"description": "Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight into possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Impossible to differentiate between an adversary and a normal user when accessing open/public information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Publicly posted information by design. Providing too much detail in the job posting could aid the adversary in learning more about the target's environment and possible technical weaknesses/deficiencies.",
"meta": {
"external_id": "PRE-T1025",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1025"
]
},
"related": [
{
"dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
"value": "Identify job postings and needs/gaps - PRE-T1025"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads. (Citation: APT1)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Many technologies exist to scan content and/or emulate a workstation prior to the target receiving and executing the attachment (detonation chambers) in order to reduce malicious emails and attachments being delivered to the intended target. However, encryption continues to be a stumbling block. In addition, there are a variety of commercial technologies available that enable users to screen for phishing messages and which are designed to enhance email security.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending the emails is the simple part, ensuring they make it to the target (e.g., not being filtered) may be challenging. Over time, an adversary refines their techniques to minimize detection by making their emails seem legitimate in structure and content.",
"meta": {
"external_id": "PRE-T1144",
"kill_chain": [
"mitre-pre-attack:pre-attack:launch"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1144"
]
},
"uuid": "e24a9f99-cb76-42a3-a50b-464668773e97",
"value": "Spear phishing messages with malicious attachments - PRE-T1144"
},
{
"description": "Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The certificate authority that is hacked cannot easily see they've been compromised, but [https://www.google.com Google] has caught on to this occurring in previous attacks such as DigiNotar (Citation: DigiNotar2016) and [https://www.verisign.com Verisign].\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: One example of it occurring in the real world is the DigiNotar (Citation: DigiNotar2016) case. To be able to do this usually requires sophisticated skills and is traditionally done by a nation state to spy on its citizens.",
"meta": {
"external_id": "PRE-T1115",
"kill_chain": [
"mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1115"
]
},
"uuid": "54a42187-a20c-4e4e-ba31-8d15c9e1f57f",
"value": "SSL certificate acquisition for trust breaking - PRE-T1115"
},
{
"description": "Proxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication. (Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defenders with standard capabilities will traditionally be able to see the first hop but not all the subsequent earlier hops an adversary takes to be able to conduct reconnaissance.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proxies are readily available for the adversary with both free and cost-based options available.",
"meta": {
"external_id": "PRE-T1081",
"kill_chain": [
"mitre-pre-attack:pre-attack:adversary-opsec"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1081"
]
},
"uuid": "b14f6692-b613-44bb-9f30-8381a5ff10d5",
"value": "Proxy/protocol relays - PRE-T1081"
},
{
"description": "Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public or easily obtainable information by design.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: AS and IANA data are easily available, existing research tools.",
"meta": {
"external_id": "PRE-T1027",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1027"
]
},
"uuid": "23ecb7e0-0340-43d9-80a5-8971fe866ddf",
"value": "Determine domain and IP address space - PRE-T1027"
},
{
"description": "A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. (Citation: ActiveMalwareEnergy)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many successful RATs exist for re-use/tailoring in addition to those an adversary may choose to build from scratch. The adversary's capabilities, target sensitivity, and needs will likely determine whether a previous RAT is modified for use or a new one is built from scratch.",
"meta": {
"external_id": "PRE-T1128",
"kill_chain": [
"mitre-pre-attack:pre-attack:build-capabilities"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1128"
]
},
"uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92",
"value": "Remote access tool development - PRE-T1128"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique to push an [https://www.apple.com/ios iOS] or [https://www.android.com Android] MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: For non-corporate cellular devices not joined to the corporate network, it is not possible to detect an adversary's use of the technique because messages traverse networks outside of the control of the employer. For corporate cellular devices which are joined to the corporate network, monitoring of messages and ability to patch against push attacks is possible, assuming they are fully monitored.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easily executed technique to push an MMS-type message to the target which does not require interaction on the part of the target to be successful.",
"meta": {
"external_id": "PRE-T1150",
"kill_chain": [
"mitre-pre-attack:pre-attack:launch"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1150"
]
},
"uuid": "702dc95d-3266-42dc-9eef-4a19e2445148",
"value": "Push-notification client-side exploit - PRE-T1150"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nClicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Some environments have anti-spearphishing mechanisms to detect or block the link before it reaches the user.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Users unwittingly click on spearphishing links frequently, despite training designed to educate about the perils of spearphishing.",
"meta": {
"external_id": "PRE-T1163",
"kill_chain": [
"mitre-pre-attack:pre-attack:compromise"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1163"
]
},
"uuid": "0440f60f-9056-4791-a740-8eae96eb61fa",
"value": "Authorized user performs requested cyber action - PRE-T1163"
},
{
"description": "Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"meta": {
"external_id": "PRE-T1014",
"kill_chain": [
"mitre-pre-attack:pre-attack:priority-definition-direction"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1014"
]
},
"uuid": "03da0598-ed46-4a73-bf43-0313b3522400",
"value": "Submit KITs, KIQs, and intelligence requirements - PRE-T1014"
},
{
"description": "The use of credentials by an adversary with the intent to hide their true identity and/or portray themselves as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: If a previous incident identified the credentials used by an adversary, defenders can potentially use these credentials to track the adversary through reuse of the same credentials.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can easily create and use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com AWS] accounts, etc. Many service providers require some form of identifiable information such as a phone number or email address, but there are several avenues to acquire these consistent with the misattributable identity.",
"meta": {
"external_id": "PRE-T1099",
"kill_chain": [
"mitre-pre-attack:pre-attack:adversary-opsec"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1099"
]
},
"uuid": "31fa5b03-1ede-4fab-8a68-ed831fcf4899",
"value": "Misattributable credentials - PRE-T1099"
},
{
"description": "Strategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out. (Citation: KPMGChina5Year) (Citation: China5YearPlans) (Citation: ChinaUN)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"meta": {
"external_id": "PRE-T1008",
"kill_chain": [
"mitre-pre-attack:pre-attack:priority-definition-planning"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1008"
]
},
"uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0",
"value": "Create strategic plan - PRE-T1008"
},
{
"description": "Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: 3rd parties would most likely not report network scans to their partners. Target network would not know that their 3rd party partners were being used as a vector.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The difficult part is enumerating all 3rd parties. Finding major partners would not be difficult. Significantly easier with insider knowledge. Vulnerability scanning the 3rd party networks is trivial.",
"meta": {
"external_id": "PRE-T1075",
"kill_chain": [
"mitre-pre-attack:pre-attack:organizational-weakness-identification"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1075"
]
},
"uuid": "1def484d-2343-470d-8925-88f45b5f9615",
"value": "Assess vulnerability of 3rd party vendors - PRE-T1075"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nAttempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials to authenticate remotely. This access could be to a web portal, through a VPN, or in a phone app. (Citation: Remote Access Healthcare) (Citation: RDP Point of Sale)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: This is possible with diligent monitoring of login anomalies and expected user behavior/location. If the adversary uses legitimate credentials, it may go undetected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials. It is increasingly difficult to obtain access when two-factor authentication mechanisms are employed.",
"meta": {
"external_id": "PRE-T1158",
"kill_chain": [
"mitre-pre-attack:pre-attack:launch"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1158"
]
},
"uuid": "4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4",
"value": "Authentication attempt - PRE-T1158"
},
{
"description": "Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Generally not easily detectable unless the domain registrar provides alerting on any updates.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires the adversary to gain access to an email account for the person listed as the domain registrar/POC. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.",
"meta": {
"external_id": "PRE-T1103",
"kill_chain": [
"mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1103"
]
},
"uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a",
"value": "Domain registration hijacking - PRE-T1103"
},
{
"description": "Analyze strengths and weaknesses of the target for potential areas on which to focus compromise efforts. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyze strengths and weaknesses of the target for potential areas on which to focus compromise efforts.",
"meta": {
"external_id": "PRE-T1077",
"kill_chain": [
"mitre-pre-attack:pre-attack:organizational-weakness-identification"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1077"
]
},
"related": [
{
"dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
"value": "Analyze organizational skillsets and deficiencies - PRE-T1077"
},
{
"description": "Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: This technique is an expected and voluminous activity when on the Internet. Active scanning techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. The high volume of this activity makes it burdensome for any defender to chase, and it is therefore often ignored.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various tools and data sources are available for scouting and detecting addresses, routing, version numbers, patch levels, protocols/services running, etc.",
"meta": {
"external_id": "PRE-T1031",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1031"
]
},
"uuid": "7f2d3da6-7e34-44a3-9e7f-905455339726",
"value": "Conduct active scanning - PRE-T1031"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique used to compromise victims wherein the victims visit a compromised website that redirects their browser to a malicious web site, such as an exploit kit's landing page. The exploit kit landing page will probe the victim's operating system, web browser, or other software to find an exploitable vulnerability to infect the victim. (Citation: GeorgeDriveBy) (Citation: BellDriveBy)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: The use of malware detonation chambers (e.g., for web or email traffic) improves detection. Encryption and other techniques reduce the efficacy of these defenses.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Placing an exploit on a public web site for driveby types of delivery is not impossible. However, gaining access to a web site with high enough traffic to meet specific objectives could be the challenge.",
"meta": {
"external_id": "PRE-T1149",
"kill_chain": [
"mitre-pre-attack:pre-attack:launch"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1149"
]
},
"uuid": "58d0b955-ae3d-424a-a537-2804dab38793",
"value": "Unconditional client-side exploitation/Injected Website/Driveby - PRE-T1149"
},
{
"description": "An adversary can test the detections of malicious emails or files by using publicly available services, such as VirusTotal, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results, or they can test on their own internal infrastructure. (Citation: WiredVirusTotal)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: If using a common service like [https://www.virustotal.com VirusTotal], it is possible to detect. If the adversary uses a hostile, less well-known service, the defender would not be aware.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy to automate upload/email of a wide range of data packages.",
"meta": {
"external_id": "PRE-T1069",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-weakness-identification"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1069"
]
},
"uuid": "57061a8a-d7c5-42a9-be60-f79526b95bf6",
"value": "Test signature detection - PRE-T1069"
},
{
"description": "A technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round robin IP address and short Time-To-Live (TTL) for a DNS resource record. (Citation: HoneynetFastFlux) (Citation: MisnomerFastFlux) (Citation: MehtaFastFluxPt1) (Citation: MehtaFastFluxPt2)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as IPS, domain registrars, and service providers are likely in the best position for detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Fast flux is generally simple for an adversary to set up and offers several advantages. Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes.",
"meta": {
"external_id": "PRE-T1102",
"kill_chain": [
"mitre-pre-attack:pre-attack:adversary-opsec"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1102"
]
},
"uuid": "248cbfdd-fec4-451b-b2a9-e46d4b268e30",
"value": "Fast Flux DNS - PRE-T1102"
},
{
"description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting technical information about a target. Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.",
"meta": {
"external_id": "PRE-T1026",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1026"
]
},
"related": [
{
"dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1",
"value": "Conduct social engineering - PRE-T1026"
},
{
"description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Hard to differentiate from standard business operations.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Wide variety of cloud/VPS/hosting/compute/storage solutions available for the adversary to acquire freely or at a low cost.",
"meta": {
"external_id": "PRE-T1106",
"kill_chain": [
"mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1106"
]
},
"related": [
{
"dest-uuid": "286cc500-4291-45c2-99a1-e760db176402",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
"value": "Acquire and/or use 3rd party infrastructure services - PRE-T1106"
},
{
"description": "Obfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption. (Citation: CylanceOpCleaver)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Detecting encryption is easy; decrypting/deobfuscating is hard.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various solutions exist for the adversary to use. This technique is commonly used to prevent attribution and evade detection.",
"meta": {
"external_id": "PRE-T1096",
"kill_chain": [
"mitre-pre-attack:pre-attack:adversary-opsec"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1096"
]
},
"uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2",
"value": "Obfuscate or encrypt code - PRE-T1096"
},
{
"description": "Understanding organizational skillsets and deficiencies could provide insight into weaknesses in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No access to who is consuming the job postings to know what is being observed.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Job postings have to be made public for contractors and many times have the name of the organization being supported.",
"meta": {
"external_id": "PRE-T1074",
"kill_chain": [
"mitre-pre-attack:pre-attack:people-weakness-identification"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1074"
]
},
"related": [
{
"dest-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
},
{
"dest-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"value": "Analyze organizational skillsets and deficiencies - PRE-T1074"
},
{
"description": "An adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools. (Citation: PA XcodeGhost) (Citation: Reflections on Trusting Trust)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Developers could check a hash or signature of their development tools to ensure that they match expected values (e.g., Apple provides instructions on how to do so for its Xcode developer tool), but developers may not always do so.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The adversary would need to either replace the tools provided at the official download location or influence developers to download the tools from an adversary-controlled third-party download location. Desktop operating systems (e.g., Windows, macOS) are increasingly encouraging use of vendor-provided official app stores to distribute software, which utilize code signing and increase the difficulty of replacing development tools with malicious versions.",
"meta": {
"external_id": "PRE-T1171",
"kill_chain": [
"mitre-pre-attack:pre-attack:stage-capabilities"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1171"
]
},
"uuid": "d2c4206a-a431-4494-834d-52944a79e9f4",
"value": "Distribute malicious software development tools - PRE-T1171"
},
{
"description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know what certificates an adversary acquires from a 3rd party. Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms.",
"meta": {
"external_id": "PRE-T1109",
"kill_chain": [
"mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1109"
]
},
"related": [
{
"dest-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"value": "Acquire or compromise 3rd party signing certificates - PRE-T1109"
},
{
"description": "Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The only difference between an adversary conducting this technique and a typical user is the adversary's intent: to target an individual for compromise.",
"meta": {
"external_id": "PRE-T1119",
"kill_chain": [
"mitre-pre-attack:pre-attack:persona-development"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1119"
]
},
"uuid": "271e6d40-e191-421a-8f87-a8102452c201",
"value": "Develop social network persona digital footprint - PRE-T1119"
},
{
"description": "A technique used by the adversary similar to Dynamic DNS, with the exception that the use of multiple DNS infrastructures likely has whois records. (Citation: KrebsStLouisFed)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information. However, tracking multiple DNS infrastructures will likely require multiple tools/services or more advanced analytics.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires more planning, but feasible.",
"meta": {
"external_id": "PRE-T1104",
"kill_chain": [
"mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1104"
]
},
"uuid": "616238cb-990b-4c71-8f50-d8b10ed8ce6b",
"value": "Use multiple DNS infrastructures - PRE-T1104"
},
{
"description": "Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. (Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Open source software has great appeal mostly due to the time savings and that it is free. However, using this code without assessing its security is akin to blindly executing third party software. Companies often do not dedicate the time to appropriately detect and scan for vulnerabilities. The mainstream mobile application stores scan applications for some known vulnerabilities. For example, Google's Android Application Security Improvement Program identifies and alerts developers to vulnerabilities present in their applications from use of the Vungle, Apache Cordova, WebView SSL, GnuTLS, and Vitamio third-party libraries. However, these scans are not likely to cover all vulnerable libraries, developers may not always act on the results, and the results may not be made available to impacted end users of the applications.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Developers commonly use open source libraries, so an adversary can easily discover known vulnerabilities and create exploits. It is also generally easy to decompile arbitrary mobile applications to determine what libraries they use, and similarly use this information to correlate against known CVEs and exploit packages.",
"meta": {
"external_id": "PRE-T1166",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-weakness-identification"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1166"
]
},
"uuid": "ad124f84-52d2-40e3-95dd-cfdd44eae6ef",
"value": "Identify vulnerabilities in third-party software libraries - PRE-T1166"
},
{
"description": "DNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request. (Citation: CrowdstrikeNumberedPanda) (Citation: FireEyeDarwinsAPTGroup) (Citation: Rapid7G20Espionage)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: There are no currently available tools that provide the ability to conduct this calculation to detect this type of activity.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This technique assists the adversary in bypassing egress filtering designed to prevent unauthorized communication. It has been used by APT12, but not otherwise widely reported. Some botnets are hardcoded to be able to use this technique.",
"meta": {
"external_id": "PRE-T1101",
"kill_chain": [
"mitre-pre-attack:pre-attack:adversary-opsec"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1101"
]
},
"uuid": "7823039f-e2d5-4997-853c-ec983631206b",
"value": "DNSCalc - PRE-T1101"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nExternally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and border routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Most DMZs are monitored but are also designed so that if they are compromised, the damage/risk is limited.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: DMZ environments are specifically designed to be isolated because one assumes they will ultimately be compromised by the adversary.",
"meta": {
"external_id": "PRE-T1165",
"kill_chain": [
"mitre-pre-attack:pre-attack:compromise"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1165"
]
},
"uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4",
"value": "Compromise of externally facing system - PRE-T1165"
},
{
"description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Difficult, if not impossible to detect, because the adversary may collect this information from external sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Supply chain diversity of sourcing increases adversary difficulty with accurate mapping. Industry practice has moved towards agile sourcing.",
"meta": {
"external_id": "PRE-T1023",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1023"
]
},
"related": [
{
"dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
},
{
"dest-uuid": "59369f72-3005-4e54-9095-3d00efcece73",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "78e41091-d10d-4001-b202-89612892b6ff",
"value": "Identify supply chains - PRE-T1023"
},
{
"description": "Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Strong physical security and monitoring will detect this behavior if performed on premises.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Not difficult if waste is placed in an unsecured or minimally secured area before collection.",
"meta": {
"external_id": "PRE-T1063",
"kill_chain": [
"mitre-pre-attack:pre-attack:organizational-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1063"
]
},
"uuid": "6c79d654-6506-4f33-b48f-c80babdcc52d",
"value": "Dumpster dive - PRE-T1063"
},
{
"description": "For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. (Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Open access to DNS registration/routing information is inherent in Internet architecture.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proliferation of DNS information makes registration information functionally freely available.",
"meta": {
"external_id": "PRE-T1028",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1028"
]
},
"uuid": "46017368-6e09-412b-a29c-385be201cc03",
"value": "Obtain domain/IP registration information - PRE-T1028"
},
{
"description": "Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationships. (Citation: 11StepsAttackers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The exception to the rule is if the adversary tips off the target that others have been asking about the relationship with them.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires an intensive process. In some industries, business relationships may be public in order to generate business, but this is not the case for all industries and all relationships.",
"meta": {
"external_id": "PRE-T1060",
"kill_chain": [
"mitre-pre-attack:pre-attack:organizational-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1060"
]
},
"related": [
{
"dest-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
"value": "Identify business relationships - PRE-T1060"
},
{
"description": "Anonymity services reduce the amount of information available that can be used to track an adversary's activities. Multiple options are available to hide activity, limit tracking, and increase anonymity. (Citation: TOR Design) (Citation: Stratfor2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Depends on service. Some are easy to detect, but are hard to trace (e.g., [https://torproject.org TOR]).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy access to anonymizers, quasi-anonymous services like remailers, [https://torproject.org TOR], relays, burner phones, etc.",
"meta": {
"external_id": "PRE-T1083",
"kill_chain": [
"mitre-pre-attack:pre-attack:adversary-opsec"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1083"
]
},
"uuid": "d3dca536-8bf0-4e43-97c1-44a2353c3d69",
"value": "Anonymity services - PRE-T1083"
},
{
"description": "Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media. (Citation: HAMMERTOSS2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: C2 over commonly used and permitted protocols provides the necessary cover and access.",
"meta": {
"external_id": "PRE-T1129",
"kill_chain": [
"mitre-pre-attack:pre-attack:build-capabilities"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1129"
]
},
"uuid": "8e211ec9-5dfc-4915-aff4-84d5908f0336",
"value": "C2 protocol development - PRE-T1129"
},
{
"description": "For attacks incorporating social engineering, the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites ([https://www.facebook.com Facebook], [https://www.linkedin.com LinkedIn], [https://twitter.com Twitter], [https://plus.google.com Google+], etc.). (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Performing activities like typical users, but with specific intent in mind.",
"meta": {
"external_id": "PRE-T1118",
"kill_chain": [
"mitre-pre-attack:pre-attack:persona-development"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1118"
]
},
"uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4",
"value": "Build social network persona - PRE-T1118"
},
{
"description": "Once divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements. (Citation: Heffter) (Citation: JP2-01)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"meta": {
"external_id": "PRE-T1017",
"kill_chain": [
"mitre-pre-attack:pre-attack:priority-definition-direction"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1017"
]
},
"uuid": "b93bd611-da4e-4c84-a40f-325b712bed67",
"value": "Task requirements - PRE-T1017"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nSpearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it doesn't leverage malicious code. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means. (Citation: ATTACKREF GRIZZLY STEPPE JAR)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Depending on the specific method of phishing, the detections can vary. For emails, filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. When it comes to following links, network intrusion detection systems (NIDS), firewalls, removing links, exploding shortened links, proxy monitoring, blocking uncategorized sites, and site reputation based filtering can all provide detection opportunities.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending emails is trivial, and, over time, an adversary can refine their technique to minimize detection by making their emails seem legitimate in structure and content.",
"meta": {
"external_id": "PRE-T1174",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1174"
]
},
"uuid": "b182f29c-2505-4b32-a000-0440ef189f59",
"value": "Spearphishing for Information - PRE-T1174"
},
{
"description": "Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. (Citation: PWCSofacy2014)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proliferation of DNS TLDs and registrars. Adversary may choose domains that are similar to legitimate domains (aka \"domain typosquatting\" or homoglyphs).",
"meta": {
"external_id": "PRE-T1105",
"kill_chain": [
"mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1105"
]
},
"uuid": "45242287-2964-4a3e-9373-159fad4d8195",
"value": "Buy domain name - PRE-T1105"
},
{
"description": "Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. (Citation: SANSRemoteAccess)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Physical observations, OSINT for remote access instructions, and other techniques are not detectable.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Determine if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.",
"meta": {
"external_id": "PRE-T1041",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1041"
]
},
"uuid": "194bff4f-c218-40df-bea3-1ace715de8dd",
"value": "Identify technology usage patterns - PRE-T1041"
},
{
"description": "Business relationship information includes the associates of a target and may be discovered via social media sites such as [https://www.linkedin.com LinkedIn] or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationships. (Citation: RSA-APTRecon) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender. Much of this information is widely known and difficult to obscure.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Made easier by today's social media.",
"meta": {
"external_id": "PRE-T1049",
"kill_chain": [
"mitre-pre-attack:pre-attack:people-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1049"
]
},
"related": [
{
"dest-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549",
"value": "Identify business relationships - PRE-T1049"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Third-party mobile application security analysis services exist that scan for use of these techniques in iOS and Android applications. Additionally, Google specifically calls out the ability to \"identify attacks that require connection to a server and dynamic downloading of code\" in its Android Security 2015 Year in Review report. However, many applications use these techniques as part of their legitimate operation, increasing the difficulty of detecting or preventing malicious use.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android.",
"meta": {
"external_id": "PRE-T1172",
"kill_chain": [
"mitre-pre-attack:pre-attack:launch"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1172"
]
},
"uuid": "41086474-e6de-4fac-bb69-640db7fdf3d2",
"value": "Runtime code download and execution - PRE-T1172"
},
{
"description": "Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"meta": {
"external_id": "PRE-T1013",
"kill_chain": [
"mitre-pre-attack:pre-attack:priority-definition-planning"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1013"
]
},
"uuid": "8e927b19-04a6-4aaa-a42f-4f0a53411d27",
"value": "Assess current holdings, needs, and wants - PRE-T1013"
},
{
"description": "Templates and branding materials may be used by an adversary to add authenticity to social engineering messages. (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary may download templates or branding from publicly available presentations that the defender can't monitor.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Some branding information is publicly available when a corporation publishes its briefings to the internet, which provides insight into branding information and template materials. An exhaustive list of templating and branding is likely not available on the internet.",
"meta": {
"external_id": "PRE-T1058",
"kill_chain": [
"mitre-pre-attack:pre-attack:organizational-information-gathering"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1058"
]
},
"uuid": "68b45999-bb0c-4829-bbd0-75d6dac57c94",
"value": "Obtain templates/branding materials - PRE-T1058"
},
{
"description": "Dynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. (Citation: DellMirage2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know at first use what is valid or hostile traffic without more context. It is possible, however, for defenders to see if the PTR record for an address is hosted by a known DDNS provider. There is potential to assign some level of risk based on this.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Flexible and re-configurable command and control servers, along with deniable ownership and reduced cost of ownership.",
"meta": {
"external_id": "PRE-T1088",
"kill_chain": [
"mitre-pre-attack:pre-attack:adversary-opsec"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1088"
]
},
"related": [
{
"dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "20a66013-8dab-4ca3-a67d-766c842c561c",
"value": "Dynamic DNS - PRE-T1088"
},
{
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defenders can implement mechanisms to analyze links and identify levels of concerns. However, the adversary has the advantage of creating new links or finding ways to obfuscate the link so that common detection lists can not identify it. Detection of a malicious link could be identified once the file has been downloaded.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending emails is trivial and expected. The adversary needs to ensure links don't get tampered, removed, or flagged as a previously black-listed site.",
"meta": {
"external_id": "PRE-T1146",
"kill_chain": [
"mitre-pre-attack:pre-attack:launch"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1146"
]
},
"uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc",
"value": "Spear phishing messages with malicious links - PRE-T1146"
},
{
"description": "During production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The number of elements and components in a supply chain of HW or SW is vast and detecting an implant is complex for SW, but more complex for HW.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Access to the supply chain by an adversary can be a challenging endeavor, depending on what element is attempting to be subverted.",
"meta": {
"external_id": "PRE-T1142",
"kill_chain": [
"mitre-pre-attack:pre-attack:stage-capabilities"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1142"
]
},
"uuid": "388f3a5c-2cdd-466c-9159-b507fa429fcd",
"value": "Hardware or software supply chain implant - PRE-T1142"
},
{
"description": "The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.",
"meta": {
"external_id": "PRE-T1021",
"kill_chain": [
"mitre-pre-attack:pre-attack:target-selection"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1021"
]
},
"uuid": "b9148981-152a-4a19-95c1-962803f5c9af",
"value": "Determine secondary level tactical element - PRE-T1021"
},
{
"description": "An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Infrastructure is (typically) outside of the control/visibility of the defender; as such, when tools are staged for specific campaigns, it will not be observable to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has control of the infrastructure and will likely be able to add/remove tools on infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).",
"meta": {
"external_id": "PRE-T1139",
"kill_chain": [
"mitre-pre-attack:pre-attack:stage-capabilities"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1139"
]
},
"uuid": "e8471f43-2742-4fd7-9af7-8ed1330ada37",
"value": "Upload, install, and configure software/tools - PRE-T1139"
},
{
"description": "Leadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor. (Citation: Herring1999)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
"meta": {
"external_id": "PRE-T1005",
"kill_chain": [
"mitre-pre-attack:pre-attack:priority-definition-planning"
],
"refs": [
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1005"
]
},
"uuid": "a86a21a4-6304-4df3-aa6d-08114c47d48f",
"value": "Assign KITs/KIQs into categories - PRE-T1005"
},
{
"description": "An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: Li2014ExploitKits) (Citation: RecurlyGHOST)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyze technical scanning results to identify weaknesses in the configuration or architecture. Many of the common tools highlight these weaknesses automatically (e.g., software security scanning tools or published vulnerabilities about commonly used libraries).",
"meta": {
"external_id": "PRE-T1070",
"kill_chain": [
"mitre-pre-attack:pre-attack:technical-weakness-identification"
],
"refs": [