{
"type": "bundle",
"id": "bundle--ec701046-bab4-4487-b6b2-484aca1b7763",
"spec_version": "2.1",
"objects": [
//
// This is an existing STIX object where the custom properties are
// specified at the top-level
//
{
"type": "stix-extension",
"spec_version": "2.1",
"id": "stix-extension--d16f51fe-0fe7-4176-9fd2-addf7124b70c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-08-08T19:04:585Z",
"modified": "2020-08-08T19:04:585Z",
"labels": ["mitre-attack"],
"external_references": [
{
"source_name": "mitre-attack",
"description": "Extensions of the STIX spec for MITRE ATT&CK specific properties",
"url": "https://github.com/mitre/cti/blob/master/USAGE.md#extensions-of-the-stix-spec",
"hashes": {
"MD5": "f41fb12dd57a931339be614c08224f45",
"SHA-1": "7eefefd325230072fc941b848efa4384f8ad0453",
"SHA-256": "0db74c60d4ed4d02f4e67cede0341932f31c4b2ac1e99e6a857c2b987c1bf7e3"
}
}
],
"name": "MITRE ATT&CK Pattern extensions as Top-Level Properties",
"description": "This extension adds MITRE ATT&CK pattern extensions to the attack-pattern, malware, tool",
"schema": "https://github.com/mitre/cti/blob/master/schemas/stix-attack-extensions.json",
"version": "1.0",
"extension_types": [ "toplevel-property-extension" ],
"extension_properties": [
"is_subtechnique",
"platforms",
"permissions_required",
"detection",
"data_sources",
"contributors",
"mitre_version"
]
},
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31T21:30:19.735Z",
"modified": "2020-06-09T20:46:00.758Z",
"extensions": {
"stix-extension--d16f51fe-0fe7-4176-9fd2-addf7124b70c": {
"extends_stix_object_definition": true
}
},
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1003",
"url": "https://attack.mitre.org/techniques/T1003"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "OS Credential Dumping",
"description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"is_subtechnique": false,
"platforms": [
"Windows",
"Linux",
"macOS"
],
"permissions_required": [
"Administrator",
"SYSTEM",
"root"
],
"detection": "### Windows\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nHash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). [PowerShell](https://attack.mitre.org/techniques/T1086) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)\n\n### Linux\nTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc//maps, where the directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.",
"data_sources": [
"API monitoring",
"Process monitoring",
"PowerShell logs",
"Process command-line parameters"
],
"contributors": [
"Vincent Le Toux",
"Ed Williams, Trustwave, SpiderLabs"
],
"mitre_version": "2.0"
},
//
// This is an existing STIX object where the custom properties are
// specified as a sub-component
//
{
"type": "stix-extension",
"spec_version": "2.1",
"id": "stix-extension--074d07ad-66e1-4f18-87b2-56027387a74b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-08-08T19:04:585Z",
"modified": "2020-08-08T19:04:585Z",
"labels": ["mitre-attack"],
"external_references": [
{
"source_name": "mitre-attack",
"description": "Extensions of the STIX spec",
"url": "https://github.com/mitre/cti/blob/master/USAGE.md#extensions-of-the-stix-spec",
"hashes": {
"MD5": "f41fb12dd57a931339be614c08224f45",
"SHA-1": "7eefefd325230072fc941b848efa4384f8ad0453",
"SHA-256": "0db74c60d4ed4d02f4e67cede0341932f31c4b2ac1e99e6a857c2b987c1bf7e3"
}
}
],
"name": "MITRE ATT&CK Pattern extensions as Sub-Component",
"description": "This extension adds MITRE ATT&CK pattern extensions to the attack-pattern, malware, tool",
"schema": "https://github.com/mitre/cti/blob/master/schemas/stix-attack-extensions.json",
"version": "1.0",
"extension_types": [ "property-extension" ]
},
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-02T20:07:18.651Z",
"modified": "2020-03-29T01:10:52.360Z",
"name": "Direct Network Flood",
"description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1498.001",
"url": "https://attack.mitre.org/techniques/T1498/001"
}
],
"extensions": {
"stix-extension--074d07ad-66e1-4f18-87b2-56027387a74b": {
"is_subtechnique": true,
"data_sources": [
"Sensor health and status",
"Network protocol analysis",
"Netflow/Enclave netflow",
"Network intrusion detection system",
"Network device logs"
],
"detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
"mitre_version": "1.0",
"impact_type": [
"Availability"
],
"platforms": [
"Linux",
"macOS",
"Windows",
"AWS",
"GCP",
"Azure AD",
"SaaS",
"Azure",
"Office 365"
]
}
},
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
]
},
//
// This is a custom object where the custom properties are specified
// as top-level
//
{
"type": "stix-extension",
"spec_version": "2.1",
"id": "stix-extension--758f45ab-f42c-4751-b8d8-09cce64603f1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-08-08T19:04:585Z",
"modified": "2020-08-08T19:04:585Z",
"revoked": false,
"labels": ["mitre-attack"],
"external_references": [
{
"source_name": "mitre-attack",
"description": "Extensions of the STIX spec",
"url": "https://github.com/mitre/cti/blob/master/USAGE.md#extensions-of-the-stix-spec",
"hashes": {
"MD5": "f41fb12dd57a931339be614c08224f45",
"SHA-1": "7eefefd325230072fc941b848efa4384f8ad0453",
"SHA-256": "0db74c60d4ed4d02f4e67cede0341932f31c4b2ac1e99e6a857c2b987c1bf7e3"
}
}
],
"name": "MITRE ATT&CK Pattern extensions as Top-Level Properties",
"description": "This extension adds the MITRE ATT&CK Tactic and Matrix objects",
"schema": "https://github.com/mitre/cti/blob/master/schemas/stix-attack-extensions.json",
"version": "1.0",
"extension_types": [ "new-sdo" ]
},
{
"type": "x-mitre-tactic",
"spec_version": "2.1",
"id": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2019-07-19T17:43:41.967Z",
"extensions": {
"stix-extension--758f45ab-f42c-4751-b8d8-09cce64603f1": {
"is_new_object": true
}
},
"external_references": [
{
"external_id": "TA0006",
"url": "https://attack.mitre.org/tactics/TA0006",
"source_name": "mitre-attack"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Credential Access",
"description": "The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.",
"short_name": "credential-access"
}
]
}