The goal of this assignment is to study a series of incidents suffered by companies in different sectors, in order to determine who caused them and to investigate how they could have been carried out, with a view to preventing them in the future. Finally, we will try to see whether or not these incidents can be predicted.
To carry out this study we have the datasets that were provided to us. On the one hand, we have the information about the incidents to be studied and, on the other, the information from a series of standards that will help us draw conclusions about those incidents.
```r
#mitre.data <- readRDS(file = "data/mitredata.rds")
mitre.data <- mitre::getLatestDataSet()
incidents <- readRDS(file = "data/incidents.rds")
```
In order to complete this assignment, we first studied the different standards that will later be used to draw conclusions from the incidents presented.
The standards are the ones presented below. The link provided explains what they consist of and what information they give us.
The following R packages are used for this project:
To begin our study, we first present the exploratory analysis of our incidents dataset, so that we can see what kind of information we are working with.
Before starting, however, we notice that one column holds its information in matrix form (a nested column), so we first fix the dataset we will be working with:
```r
# Flatten the nested mitre_attack column into one row per tactic/technique
incidents <- incidents %>% unnest(mitre_attack)
# Number of unique values per column
apply(incidents, 2, function(x) length(unique(x)))
incidents <- incidents %>%
  mutate_if(is.character, as.factor)
# Remove duplicates
incidents <- dplyr::distinct(incidents)
```
first_event_ts | first_alert_ts | containment_ts | org | tactic | technique | id | industry |
---|---|---|---|---|---|---|---|
2019-08-13 13:04:03 | 2019-08-13 13:04:03 | 2019-08-13 18:37:39 | 3c8cab02 | Initial Access | Spearphishing Link | T1192 | Construction |
2019-05-21 13:54:03 | 2019-05-21 13:54:03 | 2019-05-21 14:02:38 | ac33b693 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-05-21 13:54:03 | 2019-05-21 13:54:03 | 2019-05-21 14:02:38 | ac33b693 | Persistence | BITS Jobs | T1197 | Manufacturing |
2019-05-21 19:17:03 | 2019-05-22 18:26:01 | 2019-05-22 18:37:01 | ccf43f76 | Execution | User Execution | T1204 | Manufacturing |
2019-05-21 19:17:03 | 2019-05-22 18:26:01 | 2019-05-22 18:37:01 | ccf43f76 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-04-03 08:29:17 | 2019-04-03 08:30:07 | 2019-04-03 10:14:31 | 22fa5e5a | Execution | PowerShell | T1086 | Finance |
2019-07-05 11:12:00 | 2019-07-05 11:12:00 | 2019-07-05 11:56:58 | 2ac86da3 | Initial Access | Valid Accounts | T1078 | Accomodation |
2019-06-05 15:56:02 | 2019-06-05 15:56:02 | 2019-06-06 19:54:09 | 5aa2992c | Execution | Scripting | T1064 | Professional |
2019-09-10 16:24:03 | 2019-09-10 16:28:01 | 2019-09-10 16:34:31 | 98ec6fda | Execution | Third-Party Software | T1072 | Trade |
2019-06-11 14:45:03 | 2019-06-11 14:45:03 | 2019-06-11 16:13:19 | 5aa2992c | Execution | Scripting | T1064 | Professional |
2019-05-31 08:27:02 | 2019-05-31 08:27:02 | 2019-06-03 18:40:18 | 94330527 | Execution | User Execution | T1204 | Information |
2019-08-12 18:04:05 | 2019-08-12 18:05:00 | 2019-08-19 14:37:36 | d282ca2e | Lateral Movement | Windows Admin Shares | T1077 | Finance |
2019-08-12 18:04:05 | 2019-08-12 18:05:00 | 2019-08-19 14:37:36 | d282ca2e | Credential Access | LLMNR/NBT-NS Poisoning and Relay | T1171 | Finance |
2019-04-11 17:28:34 | 2019-04-11 17:29:00 | 2019-04-11 18:35:33 | 8922d54f | Initial Access | Spearphishing Link | T1192 | Information |
2019-06-07 16:17:01 | 2019-06-07 16:18:00 | 2019-06-07 17:03:41 | fb0ad6ea | Execution | Third-Party Software | T1072 | Educational |
2019-06-07 16:17:01 | 2019-06-07 16:18:00 | 2019-06-07 17:03:41 | fb0ad6ea | Persistence | BITS Jobs | T1197 | Educational |
2019-06-07 16:17:01 | 2019-06-07 16:18:00 | 2019-06-07 17:03:41 | fb0ad6ea | Execution | Scheduled Task | T1053 | Educational |
2019-06-20 19:37:04 | 2019-06-20 19:41:03 | 2019-06-20 20:19:01 | 9039e40e | Execution | Third-Party Software | T1072 | Entertainment |
2019-08-09 08:15:05 | 2019-08-09 08:15:05 | 2019-08-09 10:04:31 | 16258713 | Initial Access | Valid Accounts | T1078 | Information |
2019-08-21 13:24:05 | 2019-08-21 13:24:05 | 2019-08-21 15:09:45 | b52887d2 | Execution | Third-Party Software | T1072 | Retail |
2019-07-09 19:30:56 | 2019-07-09 19:32:02 | 2019-07-09 20:07:55 | db348605 | Initial Access | Spearphishing Link | T1192 | Manufacturing |
2019-07-07 03:00:04 | 2019-07-07 03:02:01 | 2019-07-08 08:26:14 | 217ac347 | Initial Access | Valid Accounts | T1078 | Healthcare |
2019-05-08 15:52:02 | 2019-05-08 15:53:00 | 2019-05-08 16:53:09 | 10cc3cd8 | Execution | PowerShell | T1086 | Manufacturing |
2019-04-30 14:21:03 | 2019-04-30 14:22:01 | 2019-04-30 15:01:52 | 98ec6fda | Execution | Third-Party Software | T1072 | Trade |
2019-05-12 20:43:00 | 2019-05-12 20:43:00 | 2019-05-13 13:25:35 | e8869b55 | Collection | Data Staged | T1074 | Manufacturing |
2019-05-12 20:43:00 | 2019-05-12 20:43:00 | 2019-05-13 13:25:35 | e8869b55 | Execution | Scheduled Task | T1053 | Manufacturing |
2019-05-12 20:43:00 | 2019-05-12 20:43:00 | 2019-05-13 13:25:35 | e8869b55 | Execution | User Execution | T1204 | Manufacturing |
2019-07-08 14:54:00 | 2019-07-08 14:55:00 | 2019-07-08 15:39:33 | e33435b1 | Execution | Scripting | T1064 | Finance |
2019-07-08 14:54:00 | 2019-07-08 14:55:00 | 2019-07-08 15:39:33 | e33435b1 | Execution | Third-Party Software | T1072 | Finance |
2019-05-21 15:34:32 | 2019-05-21 15:34:32 | 2019-05-21 15:56:09 | 8922d54f | Execution | Third-Party Software | T1072 | Information |
2019-08-16 12:57:05 | 2019-08-16 12:58:02 | 2019-08-16 14:53:05 | fa2f04f0 | Execution | Third-Party Software | T1072 | Finance |
2019-03-30 17:26:01 | 2019-03-30 17:26:01 | 2019-04-25 15:24:12 | cb9047bd | Initial Access | Valid Accounts | T1078 | Real Estate |
2019-05-23 14:01:59 | 2019-05-23 14:01:59 | 2019-05-23 14:29:30 | 8922d54f | Initial Access | Spearphishing Link | T1192 | Information |
2019-09-19 16:02:00 | 2019-09-19 16:02:01 | 2019-09-19 16:25:07 | 4f296ba7 | Execution | Third-Party Software | T1072 | Finance |
2019-09-19 16:02:00 | 2019-09-19 16:02:01 | 2019-09-19 16:25:07 | 4f296ba7 | Execution | PowerShell | T1086 | Finance |
2019-09-19 16:02:00 | 2019-09-19 16:02:01 | 2019-09-19 16:25:07 | 4f296ba7 | Defense Evasion | Indicator Blocking | T1054 | Finance |
2019-05-21 15:31:02 | 2019-05-21 15:32:00 | 2019-05-21 21:00:40 | 15e30feb | Execution | Third-Party Software | T1072 | Public |
2019-04-01 17:22:05 | 2019-04-01 17:23:00 | 2019-04-01 19:23:33 | 1abcf80b | Initial Access | Spearphishing Link | T1192 | Finance |
2019-09-26 18:54:02 | 2019-09-26 18:54:04 | 2019-09-26 19:02:44 | 6041707a | Execution | User Execution | T1204 | Information |
2019-09-26 18:54:02 | 2019-09-26 18:54:04 | 2019-09-26 19:02:44 | 6041707a | Execution | Third-Party Software | T1072 | Information |
2019-06-27 16:04:04 | 2019-06-27 16:04:04 | 2019-06-27 17:39:03 | 58e06e06 | Command and Control | Remote Access Tools | T1219 | Construction |
2019-08-15 18:37:04 | 2019-08-15 18:37:04 | 2019-08-15 19:08:54 | 50dbe12d | Execution | Third-Party Software | T1072 | Professional |
2019-08-15 18:37:04 | 2019-08-15 18:37:04 | 2019-08-15 19:08:54 | 50dbe12d | Execution | PowerShell | T1086 | Professional |
2019-04-21 05:26:04 | 2019-04-21 05:27:00 | 2019-04-22 11:48:48 | bbf30fe0 | Collection | Data Staged | T1074 | Manufacturing |
2019-04-21 05:26:04 | 2019-04-21 05:27:00 | 2019-04-22 11:48:48 | bbf30fe0 | Execution | PowerShell | T1086 | Manufacturing |
2019-05-23 18:33:03 | 2019-05-23 18:32:54 | 2019-05-23 19:05:16 | f3d6e1ec | Execution | Third-Party Software | T1072 | Construction |
2019-06-23 02:32:05 | 2019-06-23 02:32:16 | 2019-06-26 09:54:34 | 054e7281 | Persistence | Registry Run Key | T1060 | Professional |
2019-08-29 19:21:01 | 2019-08-29 19:21:05 | 2019-08-29 20:03:05 | 5e4fc028 | Execution | Scripting | T1064 | Healthcare |
2019-08-29 19:21:01 | 2019-08-29 19:21:05 | 2019-08-29 20:03:05 | 5e4fc028 | Defense Evasion | Indicator Blocking | T1054 | Healthcare |
2019-05-07 14:42:05 | 2019-05-07 14:42:05 | 2019-05-09 06:39:31 | 8848ae62 | Initial Access | Valid Accounts | T1078 | Professional |
2019-05-20 19:19:05 | 2019-05-20 19:20:00 | 2019-05-20 19:40:00 | 6894fbae | Execution | Third-Party Software | T1072 | Administrative |
2019-09-10 14:35:05 | 2019-09-10 14:36:01 | 2019-09-12 17:42:16 | 992e05ed | Initial Access | Valid Accounts | T1078 | Trade |
2019-08-26 10:16:03 | 2019-08-26 10:16:03 | 2019-08-28 19:55:18 | 7a3d640b | Collection | Email Collection | T1114 | Utilities |
2019-04-08 12:13:31 | 2019-04-08 12:14:03 | 2019-04-08 12:38:08 | b72c651d | Execution | Regsvr32 | T1117 | Healthcare |
2019-04-08 12:13:31 | 2019-04-08 12:14:03 | 2019-04-08 12:38:08 | b72c651d | Execution | Third-Party Software | T1072 | Healthcare |
2019-05-15 12:11:01 | 2019-05-15 12:12:00 | 2019-05-16 20:51:49 | 134ca1c5 | Initial Access | Valid Accounts | T1078 | Manufacturing |
2019-06-03 12:37:04 | 2019-06-03 05:29:05 | 2019-06-03 13:31:26 | a7ceb140 | Execution | Scripting | T1064 | Information |
2019-04-14 10:59:01 | 2019-04-14 10:59:01 | 2019-04-14 12:16:28 | 8848ae62 | Initial Access | Valid Accounts | T1078 | Professional |
2019-09-04 03:54:00 | 2019-09-04 03:54:02 | 2019-09-04 05:06:52 | 50d25dff | Persistence | BITS Jobs | T1197 | Real Estate |
2019-09-04 03:54:00 | 2019-09-04 03:54:02 | 2019-09-04 05:06:52 | 50d25dff | Execution | Third-Party Software | T1072 | Real Estate |
2019-08-05 23:05:12 | 2019-08-05 23:05:12 | 2019-08-06 07:40:58 | 34b72429 | Execution | Third-Party Software | T1072 | Real Estate |
2019-08-05 23:05:12 | 2019-08-05 23:05:12 | 2019-08-06 07:40:58 | 34b72429 | Command and Control | Remote Access Tools | T1219 | Real Estate |
2019-09-18 18:07:02 | 2019-09-18 18:07:03 | 2019-09-18 18:27:54 | 7f1bebea | Execution | Third-Party Software | T1072 | Manufacturing |
2019-09-18 18:07:02 | 2019-09-18 18:07:03 | 2019-09-18 18:27:54 | 7f1bebea | Execution | PowerShell | T1086 | Manufacturing |
2019-04-25 16:04:02 | 2019-04-25 16:05:00 | 2019-04-25 16:12:36 | de1209e4 | Collection | Data Staged | T1074 | Real Estate |
2019-04-25 16:04:02 | 2019-04-25 16:05:00 | 2019-04-25 16:12:36 | de1209e4 | Execution | PowerShell | T1086 | Real Estate |
2019-09-04 13:46:03 | 2019-09-04 13:48:00 | 2019-09-04 14:05:22 | 15eab339 | Execution | Third-Party Software | T1072 | Information |
2019-09-18 23:53:03 | 2019-09-18 23:55:05 | 2019-09-19 08:17:09 | 4f296ba7 | Execution | User Execution | T1204 | Finance |
2019-09-18 23:53:03 | 2019-09-18 23:55:05 | 2019-09-19 08:17:09 | 4f296ba7 | Execution | PowerShell | T1086 | Finance |
2019-05-06 13:47:01 | 2019-05-06 13:47:01 | 2019-05-06 16:38:17 | 3ccabee7 | Execution | Third-Party Software | T1072 | Retail |
2019-05-06 13:47:01 | 2019-05-06 13:47:01 | 2019-05-06 16:38:17 | 3ccabee7 | Defense Evasion | Obfuscated Files or Information | T1027 | Retail |
2019-05-06 13:47:01 | 2019-05-06 13:47:01 | 2019-05-06 16:38:17 | 3ccabee7 | Execution | PowerShell | T1086 | Retail |
2019-08-29 15:59:04 | 2019-08-29 15:59:05 | 2019-08-29 16:40:12 | 0d3a549d | Execution | Third-Party Software | T1072 | Trade |
2019-09-07 09:14:00 | 2019-09-07 09:15:04 | 2019-09-09 02:57:21 | 94330527 | Execution | User Execution | T1204 | Information |
2019-05-22 07:11:04 | 2019-05-22 07:11:04 | 2019-05-22 08:38:29 | 7c757208 | Execution | Third-Party Software | T1072 | Administrative |
2019-07-04 11:09:05 | 2019-07-04 11:11:02 | 2019-07-08 18:22:59 | fd42c0e9 | Initial Access | Valid Accounts | T1078 | Trade |
2019-09-05 19:15:04 | 2019-09-05 19:17:02 | 2019-09-09 03:15:09 | 4ead1475 | Execution | User Execution | T1204 | Healthcare |
2019-06-25 19:58:01 | 2019-06-25 19:58:03 | 2019-06-26 12:48:35 | f732043a | Execution | Third-Party Software | T1072 | Finance |
2019-04-07 06:57:01 | 2019-04-07 06:58:00 | 2019-04-07 11:18:53 | c7469192 | Initial Access | Valid Accounts | T1078 | Information |
2019-06-03 12:27:03 | 2019-06-03 12:28:01 | 2019-06-03 13:38:11 | 7b18b611 | Execution | User Execution | T1204 | Construction |
2019-06-03 12:27:03 | 2019-06-03 12:28:01 | 2019-06-03 13:38:11 | 7b18b611 | Execution | Third-Party Software | T1072 | Construction |
2019-06-03 12:27:03 | 2019-06-03 12:28:01 | 2019-06-03 13:38:11 | 7b18b611 | Execution | Scripting | T1064 | Construction |
2019-07-10 14:49:00 | 2019-07-10 14:49:00 | 2019-07-10 14:58:10 | d282ca2e | Initial Access | Valid Accounts | T1078 | Finance |
2019-07-29 11:27:41 | 2019-07-29 11:28:52 | 2019-07-29 11:30:57 | 10cc3cd8 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-07-29 11:27:41 | 2019-07-29 11:28:52 | 2019-07-29 11:30:57 | 10cc3cd8 | Execution | PowerShell | T1086 | Manufacturing |
2019-08-22 11:05:03 | 2019-08-22 11:07:02 | 2019-08-22 12:25:33 | 01aa9757 | Execution | PowerShell | T1086 | Retail |
2019-08-21 11:12:01 | 2019-08-21 11:12:04 | 2019-08-21 11:47:36 | b52887d2 | Execution | User Execution | T1204 | Retail |
2019-09-09 04:38:03 | 2019-09-09 04:39:05 | 2019-09-09 04:56:51 | 5aa2992c | Execution | User Execution | T1204 | Professional |
2019-09-16 14:37:02 | 2019-09-16 14:37:03 | 2019-09-19 00:16:56 | eda014b4 | Initial Access | Valid Accounts | T1078 | Healthcare |
2019-08-16 18:24:26 | 2019-08-16 18:26:01 | 2019-08-16 18:38:57 | 60a6c857 | Execution | User Execution | T1204 | Healthcare |
2019-09-15 14:31:01 | 2019-09-15 14:31:01 | 2019-09-19 00:08:03 | 6ff08365 | Initial Access | Valid Accounts | T1078 | Administrative |
2019-09-17 17:28:04 | 2019-09-17 17:30:03 | 2019-09-17 17:50:20 | 34b72429 | Initial Access | Valid Accounts | T1078 | Real Estate |
2019-06-05 07:14:03 | 2019-06-05 07:14:03 | 2019-06-05 10:00:38 | 5aa2992c | Initial Access | Spearphishing Link | T1192 | Professional |
2019-07-04 11:14:02 | 2019-07-04 11:14:02 | 2019-07-09 14:20:28 | a0aac98b | Initial Access | Valid Accounts | T1078 | Real Estate |
2019-07-23 17:01:00 | 2019-07-23 17:01:01 | 2019-07-23 17:15:34 | 7b18b611 | Execution | Third-Party Software | T1072 | Construction |
2019-05-21 14:04:04 | 2019-05-21 14:05:00 | 2019-05-21 14:08:40 | 10cc3cd8 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-05-21 14:04:04 | 2019-05-21 14:05:00 | 2019-05-21 14:08:40 | 10cc3cd8 | Persistence | BITS Jobs | T1197 | Manufacturing |
2019-07-01 11:02:03 | 2019-07-01 11:02:03 | 2019-07-01 11:17:29 | 5aa2992c | Execution | Scripting | T1064 | Professional |
2019-09-04 04:48:02 | 2019-09-04 04:48:02 | 2019-09-04 07:43:58 | ccf43f76 | Execution | User Execution | T1204 | Manufacturing |
2019-04-10 08:09:00 | 2019-04-10 08:10:00 | 2019-04-10 11:24:30 | b52887d2 | Execution | PowerShell | T1086 | Retail |
2019-05-28 17:07:00 | 2019-05-28 17:07:00 | 2019-05-28 20:22:48 | b56e9237 | Execution | User Execution | T1204 | Professional |
2019-06-04 06:49:04 | 2019-06-04 06:49:04 | 2019-06-04 13:26:52 | 8cea5e51 | Impact | Resource Hijacking | T1496 | Retail |
2019-08-28 14:00:00 | 2019-08-28 14:00:03 | 2019-08-28 14:06:44 | 46789fa1 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-04-23 17:01:04 | 2019-04-23 17:01:04 | 2019-04-23 17:08:46 | 6041707a | Initial Access | Valid Accounts | T1078 | Information |
2019-06-20 12:51:02 | 2019-07-09 18:55:03 | 2019-07-09 19:22:35 | 1f93cb38 | Execution | Third-Party Software | T1072 | Accomodation |
2019-06-19 20:16:03 | 2019-06-19 20:16:03 | 2019-06-19 20:35:03 | 947510c2 | Execution | Third-Party Software | T1072 | Educational |
2019-06-19 20:16:03 | 2019-06-19 20:16:03 | 2019-06-19 20:35:03 | 947510c2 | Persistence | BITS Jobs | T1197 | Educational |
2019-08-30 12:38:02 | 2019-08-30 12:38:03 | 2019-09-04 14:21:13 | 00275457 | Execution | Scripting | T1064 | Trade |
2019-04-18 21:38:01 | 2019-04-18 21:38:01 | 2019-04-23 16:11:25 | 79b445c4 | Initial Access | Valid Accounts | T1078 | Trade |
2019-09-09 14:36:05 | 2019-09-09 14:37:00 | 2019-09-12 17:14:44 | aada0d58 | Initial Access | Valid Accounts | T1078 | Finance |
2019-08-05 15:23:03 | 2019-08-05 15:23:03 | 2019-08-05 15:31:41 | 45160643 | Execution | PowerShell | T1086 | Finance |
2019-08-05 15:23:03 | 2019-08-05 15:23:03 | 2019-08-05 15:31:41 | 45160643 | Execution | Third-Party Software | T1072 | Finance |
2019-08-19 15:22:05 | 2019-08-19 15:24:03 | 2019-08-19 16:53:59 | 9039e40e | Execution | Third-Party Software | T1072 | Entertainment |
2019-06-12 13:17:00 | 2019-06-12 13:17:00 | 2019-06-12 13:56:11 | bbfab332 | Initial Access | Spearphishing Link | T1192 | Entertainment |
2019-05-10 03:05:00 | 2019-05-10 03:05:00 | 2019-05-10 17:01:08 | 8cea5e51 | Command and Control | Fallback Channels | T1008 | Retail |
2019-09-30 20:44:00 | 2019-09-30 20:44:01 | 2019-09-30 21:13:48 | b00e0833 | Execution | PowerShell | T1086 | Professional |
2019-04-15 23:14:59 | 2019-04-15 23:15:37 | 2019-04-16 08:37:30 | 6b527356 | Initial Access | Spearphishing Link | T1192 | Information |
2019-04-28 09:59:04 | 2019-04-28 09:59:04 | 2019-04-29 16:06:50 | 98ec6fda | Initial Access | Valid Accounts | T1078 | Trade |
2019-09-11 14:31:02 | 2019-09-11 14:31:03 | 2019-09-11 18:37:14 | 81fee249 | Initial Access | Valid Accounts | T1078 | Finance |
2019-04-08 09:58:00 | 2019-04-08 09:58:00 | 2019-04-23 19:06:51 | 9039e40e | Execution | Third-Party Software | T1072 | Entertainment |
2019-08-11 08:08:25 | 2019-08-11 08:23:23 | 2019-08-11 13:53:22 | b9b84418 | Collection | Email Collection | T1114 | Retail |
2019-05-21 17:57:00 | 2019-05-21 17:57:00 | 2019-05-21 18:11:18 | 00275457 | Execution | Third-Party Software | T1072 | Trade |
2019-07-08 11:47:02 | 2019-07-08 11:47:02 | 2019-07-08 15:01:17 | 10cc3cd8 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-07-08 11:47:02 | 2019-07-08 11:47:02 | 2019-07-08 15:01:17 | 10cc3cd8 | Execution | Scripting | T1064 | Manufacturing |
2019-09-23 23:21:03 | 2019-09-23 23:22:00 | 2019-09-24 02:48:57 | 3c8cab02 | Initial Access | Spearphishing Link | T1192 | Construction |
2019-07-20 12:02:02 | 2019-07-20 12:02:03 | 2019-07-20 21:00:50 | 7a3d640b | Execution | Rundll32 | T1085 | Utilities |
2019-05-14 05:26:05 | 2019-05-14 05:26:05 | 2019-05-14 13:24:50 | dc1f57f9 | Execution | User Execution | T1204 | Utilities |
2019-05-14 05:26:05 | 2019-05-14 05:26:05 | 2019-05-14 13:24:50 | dc1f57f9 | Credential Access | Brute Force | T1110 | Utilities |
2019-06-26 15:37:48 | 2019-06-26 15:39:07 | 2019-06-26 16:21:11 | 98ec6fda | Execution | PowerShell | T1086 | Trade |
2019-04-11 02:32:03 | 2019-04-11 02:33:00 | 2019-04-11 11:22:55 | 8848ae62 | Initial Access | Spearphishing Link | T1192 | Professional |
2019-06-03 14:07:00 | 2019-06-03 14:08:00 | 2019-06-03 18:31:57 | 6e74fcb7 | Initial Access | Spearphishing Link | T1192 | Professional |
2019-07-08 17:50:02 | 2019-07-08 17:50:03 | 2019-07-09 02:29:29 | 00275457 | Execution | Third-Party Software | T1072 | Trade |
2019-07-08 17:50:02 | 2019-07-08 17:50:03 | 2019-07-09 02:29:29 | 00275457 | Execution | Scripting | T1064 | Trade |
2019-05-23 07:22:02 | 2019-05-23 07:22:02 | 2019-06-21 14:24:43 | 17a84413 | Execution | User Execution | T1204 | Construction |
2019-09-17 20:15:01 | 2019-09-17 20:16:04 | 2019-09-18 07:40:21 | ac33b693 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-06-28 12:11:01 | 2019-06-28 12:12:00 | 2019-06-28 16:25:48 | fe25e5d9 | Initial Access | Spearphishing Link | T1192 | Trade |
2019-03-30 07:59:55 | 2019-03-30 07:59:55 | 2019-04-01 12:19:24 | ac33b693 | Initial Access | Spearphishing Link | T1192 | Manufacturing |
2019-06-12 18:27:01 | 2019-06-12 18:27:01 | 2019-06-12 18:44:31 | d28b76fc | Execution | User Execution | T1204 | Manufacturing |
2019-04-24 17:22:00 | 2019-04-24 17:22:00 | 2019-04-25 16:24:08 | cf74a26b | Execution | Windows Management Instrumentation | T1047 | Healthcare |
2019-07-10 18:39:03 | 2019-07-10 18:40:01 | 2019-07-11 17:52:41 | 8cea5e51 | Initial Access | Spearphishing Link | T1192 | Retail |
2019-01-26 13:11:04 | 2019-01-26 13:11:04 | 2019-04-02 18:30:05 | b56e9237 | Initial Access | Valid Accounts | T1078 | Professional |
2019-05-21 14:47:05 | 2019-05-21 14:47:05 | 2019-05-21 15:33:43 | 39aa24e3 | Execution | Third-Party Software | T1072 | Retail |
2019-04-25 15:25:04 | 2019-04-25 15:25:04 | 2019-05-14 19:36:07 | fac8bcdd | Execution | User Execution | T1204 | Manufacturing |
2019-04-25 15:25:04 | 2019-04-25 15:25:04 | 2019-05-14 19:36:07 | fac8bcdd | Execution | Third-Party Software | T1072 | Manufacturing |
2019-09-18 14:31:03 | 2019-09-18 14:31:05 | 2019-09-18 14:49:13 | ccf43f76 | Execution | PowerShell | T1086 | Manufacturing |
2019-06-23 23:19:02 | 2019-06-23 23:19:02 | 2019-06-24 01:15:49 | 98ec6fda | Execution | PowerShell | T1086 | Trade |
2019-07-02 18:47:03 | 2019-07-02 18:48:00 | 2019-07-03 13:58:32 | 43b014bf | Initial Access | Spearphishing Link | T1192 | Administrative |
2019-08-14 14:31:02 | 2019-08-14 14:31:02 | 2019-08-14 15:40:08 | ee29357b | Execution | Third-Party Software | T1072 | Finance |
2019-06-03 14:03:03 | 2019-06-03 14:03:03 | 2019-06-04 11:11:31 | 3ccabee7 | Initial Access | Valid Accounts | T1078 | Retail |
2019-09-10 20:52:01 | 2019-09-10 20:52:01 | 2019-09-23 07:42:03 | 9dc35ce9 | Execution | PowerShell | T1086 | Professional |
2019-09-10 20:52:01 | 2019-09-10 20:52:01 | 2019-09-23 07:42:03 | 9dc35ce9 | Execution | Third-Party Software | T1072 | Professional |
2019-07-18 14:31:02 | 2019-07-18 14:31:02 | 2019-07-19 13:58:14 | c7469192 | Initial Access | Valid Accounts | T1078 | Information |
2019-09-10 14:35:03 | 2019-09-10 14:35:04 | 2019-09-10 15:36:36 | b4acf800 | Initial Access | Valid Accounts | T1078 | Construction |
2019-09-19 19:45:05 | 2019-09-19 19:46:00 | 2019-09-20 09:17:15 | d282ca2e | Initial Access | Spearphishing Link | T1192 | Finance |
2019-09-19 19:45:05 | 2019-09-19 19:46:00 | 2019-09-20 09:17:15 | d282ca2e | Command and Control | Remote Access Tools | T1219 | Finance |
2019-04-17 04:52:23 | 2019-04-17 04:54:00 | 2019-04-17 10:11:46 | a168a3bc | Execution | Regsvr32 | T1117 | Other Services |
2019-04-12 21:39:03 | 2019-04-12 21:40:02 | 2019-04-15 11:29:35 | ccf43f76 | Initial Access | Drive-by Compromise | T1189 | Manufacturing |
2019-05-08 17:35:04 | 2019-05-08 17:36:01 | 2019-05-08 18:07:50 | 8922d54f | Defense Evasion | Obfuscated Files or Information | T1027 | Information |
2019-05-08 17:35:04 | 2019-05-08 17:36:01 | 2019-05-08 18:07:50 | 8922d54f | Execution | PowerShell | T1086 | Information |
2019-05-08 17:35:04 | 2019-05-08 17:36:01 | 2019-05-08 18:07:50 | 8922d54f | Execution | Third-Party Software | T1072 | Information |
2019-08-05 12:34:04 | 2019-08-05 12:34:04 | 2019-08-05 13:04:28 | 0930b5b4 | Execution | PowerShell | T1086 | Administrative |
2019-08-05 12:34:04 | 2019-08-05 12:34:04 | 2019-08-05 13:04:28 | 0930b5b4 | Execution | Third-Party Software | T1072 | Administrative |
2019-03-28 14:01:01 | 2019-03-28 14:01:01 | 2019-04-02 10:10:42 | 1abcf80b | Initial Access | Spearphishing Link | T1192 | Finance |
2019-09-26 12:48:00 | 2019-09-26 12:48:01 | 2019-09-26 12:55:55 | 8cea5e51 | Execution | PowerShell | T1086 | Retail |
2019-09-26 12:48:00 | 2019-09-26 12:48:01 | 2019-09-26 12:55:55 | 8cea5e51 | Execution | Third-Party Software | T1072 | Retail |
2019-07-04 10:04:03 | 2019-07-04 10:04:03 | 2019-08-07 15:14:24 | b52887d2 | Defense Evasion | Masquerading | T1036 | Retail |
2019-04-05 07:49:05 | 2019-04-05 07:49:05 | 2019-04-05 18:16:23 | 2ac86da3 | Execution | User Execution | T1204 | Accomodation |
2019-04-05 07:49:05 | 2019-04-05 07:49:05 | 2019-04-05 18:16:23 | 2ac86da3 | Defense Evasion | Disabling Security Tools | T1089 | Accomodation |
2019-04-05 07:49:05 | 2019-04-05 07:49:05 | 2019-04-05 18:16:23 | 2ac86da3 | Execution | Third-Party Software | T1072 | Accomodation |
2019-09-04 01:52:01 | 2019-09-04 01:57:03 | 2019-09-04 13:29:34 | 16258713 | Initial Access | Valid Accounts | T1078 | Information |
2019-08-29 13:50:00 | 2019-08-29 13:50:04 | 2019-08-29 14:05:25 | 8922d54f | Initial Access | Spearphishing Link | T1192 | Information |
2019-09-10 14:38:05 | 2019-09-10 14:40:02 | 2019-09-10 15:28:55 | 04ca0d53 | Initial Access | Valid Accounts | T1078 | Professional |
2019-07-21 14:35:04 | 2019-07-21 14:36:04 | 2019-07-21 15:26:46 | a7ceb140 | Initial Access | Valid Accounts | T1078 | Information |
2019-05-01 17:31:00 | 2019-05-01 17:31:00 | 2019-05-03 20:49:08 | b52887d2 | Initial Access | Spearphishing Link | T1192 | Retail |
2019-05-28 19:07:05 | 2019-05-28 19:06:26 | 2019-05-28 19:33:39 | 4a0fe446 | Execution | PowerShell | T1086 | Management |
2019-08-19 13:24:25 | 2019-08-19 13:25:36 | 2019-08-19 15:51:22 | e612ba50 | Execution | User Execution | T1204 | Professional |
2019-05-22 20:04:05 | 2019-05-22 20:04:05 | 2019-05-22 20:33:42 | 9516d73d | Execution | User Execution | T1204 | Retail |
2019-05-22 20:04:05 | 2019-05-22 20:04:05 | 2019-05-22 20:33:42 | 9516d73d | Execution | Third-Party Software | T1072 | Retail |
2019-09-10 14:38:04 | 2019-09-10 14:38:05 | 2019-09-10 15:23:01 | 74a9450e | Initial Access | Valid Accounts | T1078 | Finance |
2019-05-16 15:26:01 | 2019-05-16 15:25:39 | 2019-05-16 17:10:38 | 4b8b9b94 | Execution | PowerShell | T1086 | Mining |
2019-05-16 15:26:01 | 2019-05-16 15:25:39 | 2019-05-16 17:10:38 | 4b8b9b94 | Defense Evasion | Obfuscated Files or Information | T1027 | Mining |
2019-04-03 08:44:59 | 2019-04-03 08:46:07 | 2019-04-03 10:05:30 | 0086f99f | Execution | PowerShell | T1086 | Manufacturing |
2019-08-15 12:56:02 | 2019-08-15 12:56:03 | 2019-08-15 17:08:19 | d5e6b2e5 | Execution | Third-Party Software | T1072 | Professional |
2019-04-15 06:24:02 | 2019-04-15 06:24:02 | 2019-04-15 08:26:37 | 7781c909 | Execution | Third-Party Software | T1072 | Professional |
2019-09-12 14:38:03 | 2019-09-12 14:38:05 | 2019-09-12 15:54:06 | e0bd147e | Initial Access | Valid Accounts | T1078 | Professional |
2019-07-01 15:21:00 | 2019-07-01 15:19:33 | 2019-07-01 15:35:00 | 98ec6fda | Execution | User Execution | T1204 | Trade |
2019-05-16 13:26:03 | 2019-05-16 13:27:00 | 2019-05-21 13:44:40 | bbfab332 | Execution | Third-Party Software | T1072 | Entertainment |
2019-05-16 13:26:03 | 2019-05-16 13:27:00 | 2019-05-21 13:44:40 | bbfab332 | Execution | PowerShell | T1086 | Entertainment |
2019-05-23 19:03:05 | 2019-05-23 19:04:00 | 2019-05-23 20:27:13 | fa2f04f0 | Execution | Third-Party Software | T1072 | Finance |
2019-04-02 11:21:02 | 2019-04-02 11:20:48 | 2019-04-02 13:30:49 | 22fa5e5a | Execution | PowerShell | T1086 | Finance |
2019-07-19 17:29:05 | 2019-07-19 17:29:05 | 2019-07-19 19:10:46 | ccf43f76 | Execution | User Execution | T1204 | Manufacturing |
2019-09-10 14:39:01 | 2019-09-10 14:39:02 | 2019-09-10 15:24:47 | 10cc3cd8 | Initial Access | Valid Accounts | T1078 | Manufacturing |
2019-04-17 15:30:01 | 2019-04-17 15:31:00 | 2019-04-17 16:02:38 | 8848ae62 | Initial Access | Valid Accounts | T1078 | Professional |
2019-09-20 18:53:04 | 2019-09-20 18:53:05 | 2019-09-20 19:03:45 | 16258713 | Execution | User Execution | T1204 | Information |
2019-09-20 18:53:04 | 2019-09-20 18:53:05 | 2019-09-20 19:03:45 | 16258713 | Defense Evasion | Disabling Security Tools | T1089 | Information |
2019-09-11 10:29:01 | 2019-09-11 10:29:02 | 2019-09-11 10:36:40 | 8758f0b5 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-09-05 14:37:00 | 2019-09-05 14:37:01 | 2019-09-06 19:36:05 | 46789fa1 | Initial Access | Valid Accounts | T1078 | Manufacturing |
2019-05-16 19:19:03 | 2019-05-16 19:18:44 | 2019-05-16 20:38:21 | 00275457 | Initial Access | Spearphishing Link | T1192 | Trade |
2019-09-26 14:27:00 | 2019-09-26 14:27:01 | 2019-09-26 15:12:37 | 8cea5e51 | Execution | Third-Party Software | T1072 | Retail |
2019-07-05 14:30:03 | 2019-07-05 14:30:04 | 2019-07-08 18:04:35 | 3ece5c28 | Initial Access | Valid Accounts | T1078 | Professional |
2019-04-25 16:47:02 | 2019-04-25 16:48:00 | 2019-04-25 19:23:48 | 60a6c857 | Execution | PowerShell | T1086 | Healthcare |
2019-04-25 16:47:02 | 2019-04-25 16:48:00 | 2019-04-25 19:23:48 | 60a6c857 | Execution | Third-Party Software | T1072 | Healthcare |
2019-09-27 18:13:02 | 2019-09-27 18:14:05 | 2019-09-28 08:52:37 | 9516d73d | Initial Access | Spearphishing Link | T1192 | Retail |
2019-08-27 13:39:03 | 2019-08-27 13:39:05 | 2019-08-27 14:10:58 | 0930b5b4 | Execution | Third-Party Software | T1072 | Administrative |
2019-05-29 14:21:00 | 2019-05-29 14:22:00 | 2019-05-29 14:38:32 | 8e4f1156 | Execution | PowerShell | T1086 | Finance |
2019-05-29 14:21:00 | 2019-05-29 14:22:00 | 2019-05-29 14:38:32 | 8e4f1156 | Execution | Third-Party Software | T1072 | Finance |
2019-05-08 17:26:03 | 2019-05-08 17:26:03 | 2019-05-09 11:08:47 | c85f7397 | Initial Access | Valid Accounts | T1078 | Professional |
2019-05-03 12:34:00 | 2019-05-03 12:35:00 | 2019-05-21 11:04:35 | bbfab332 | Defense Evasion | Obfuscated Files or Information | T1027 | Entertainment |
2019-06-25 11:31:05 | 2019-06-25 11:32:00 | 2019-06-25 12:12:54 | bf1e56e4 | Execution | PowerShell | T1086 | Administrative |
2019-04-30 16:20:02 | 2019-04-30 16:20:02 | 2019-05-09 13:34:00 | 947510c2 | Execution | Scheduled Task | T1053 | Educational |
2019-04-30 16:20:02 | 2019-04-30 16:20:02 | 2019-05-09 13:34:00 | 947510c2 | Execution | Third-Party Software | T1072 | Educational |
2019-07-25 14:42:03 | 2019-07-25 14:42:03 | 2019-07-25 15:07:17 | d7adf91d | Execution | PowerShell | T1086 | Healthcare |
2019-07-25 14:42:03 | 2019-07-25 14:42:03 | 2019-07-25 15:07:17 | d7adf91d | Execution | Third-Party Software | T1072 | Healthcare |
2019-06-06 16:05:07 | 2019-06-06 16:05:07 | 2019-06-07 11:28:23 | db348605 | Initial Access | Spearphishing Link | T1192 | Manufacturing |
2019-06-19 18:33:03 | 2019-06-19 18:33:03 | 2019-06-19 18:59:44 | 9039e40e | Execution | Third-Party Software | T1072 | Entertainment |
2019-08-31 03:56:02 | 2019-08-31 03:57:03 | 2019-08-31 04:30:16 | 01aa9757 | Execution | Scripting | T1064 | Retail |
2019-08-02 10:38:02 | 2019-08-02 10:38:02 | 2019-08-02 13:05:15 | c7469192 | Collection | Email Collection | T1114 | Information |
2019-04-30 19:15:54 | 2019-04-30 19:45:00 | 2019-04-30 19:47:15 | ac33b693 | Initial Access | Valid Accounts | T1078 | Manufacturing |
2019-09-10 14:32:05 | 2019-09-10 14:33:03 | 2019-09-10 15:10:34 | c1e93fbc | Initial Access | Valid Accounts | T1078 | Finance |
2019-05-02 17:54:03 | 2019-05-02 17:54:03 | 2019-05-02 18:06:36 | 4b8b9b94 | Initial Access | Valid Accounts | T1078 | Mining |
2019-08-28 13:05:01 | 2019-08-28 13:05:03 | 2019-08-28 13:17:47 | 18f7b3f3 | Execution | Third-Party Software | T1072 | Utilities |
2019-09-14 14:38:05 | 2019-09-14 14:40:01 | 2019-09-23 15:03:57 | a168a3bc | Initial Access | Valid Accounts | T1078 | Other Services |
2019-06-07 12:12:01 | 2019-06-07 12:13:00 | 2019-06-07 14:52:54 | 8848ae62 | Initial Access | Spearphishing Link | T1192 | Professional |
2019-06-25 02:43:03 | 2019-06-25 02:44:05 | 2019-08-03 16:10:41 | 7a3d640b | Command and Control | Remote Access Tools | T1219 | Utilities |
2019-08-27 14:26:03 | 2019-08-27 14:26:03 | 2019-08-27 14:58:57 | 8922d54f | Execution | Third-Party Software | T1072 | Information |
2019-04-15 09:54:02 | 2019-04-15 09:54:02 | 2019-04-15 15:04:10 | 054e7281 | Initial Access | Valid Accounts | T1078 | Professional |
2019-09-11 14:36:02 | 2019-09-11 14:37:00 | 2019-09-11 15:26:26 | 46969b5e | Initial Access | Valid Accounts | T1078 | Finance |
2019-05-20 05:04:00 | 2019-05-20 05:04:00 | 2019-05-20 12:07:34 | 3f0c361f | Execution | User Execution | T1204 | Manufacturing |
2019-09-06 14:06:02 | 2019-09-06 14:07:01 | 2019-09-08 15:49:13 | d8fbb22f | Collection | Data Staged | T1074 | Entertainment |
2019-05-22 17:29:02 | 2019-05-22 17:30:00 | 2019-05-22 18:12:25 | 4b8b9b94 | Execution | PowerShell | T1086 | Mining |
2019-05-22 17:29:02 | 2019-05-22 17:30:00 | 2019-05-22 18:12:25 | 4b8b9b94 | Execution | Third-Party Software | T1072 | Mining |
2019-09-10 14:33:03 | 2019-09-10 14:34:01 | 2019-09-12 17:34:24 | 62038750 | Initial Access | Valid Accounts | T1078 | Retail |
2019-06-20 12:51:02 | 2019-06-20 12:51:02 | 2019-07-09 19:22:35 | 1f93cb38 | Execution | Third-Party Software | T1072 | Accomodation |
2019-09-06 16:56:05 | 2019-09-06 16:57:00 | 2019-09-06 18:23:46 | 10cc3cd8 | Defense Evasion | Indicator Blocking | T1054 | Manufacturing |
2019-04-30 20:46:37 | 2019-04-30 20:48:00 | 2019-04-30 21:53:29 | 8922d54f | Initial Access | Spearphishing Link | T1192 | Information |
2019-04-15 14:10:47 | 2019-04-15 14:11:41 | 2019-04-15 14:14:36 | 00275457 | Defense Evasion | Obfuscated Files or Information | T1027 | Trade |
2019-06-11 18:03:57 | 2019-06-11 18:03:57 | 2019-06-14 21:03:42 | ac33b693 | Initial Access | Spearphishing Link | T1192 | Manufacturing |
2019-04-19 15:46:01 | 2019-04-19 15:47:00 | 2019-04-19 19:59:04 | 8cea5e51 | Execution | Third-Party Software | T1072 | Retail |
2019-04-19 15:46:01 | 2019-04-19 15:47:00 | 2019-04-19 19:59:04 | 8cea5e51 | Execution | PowerShell | T1086 | Retail |
2019-04-28 23:08:01 | 2019-04-28 23:08:01 | 2019-04-30 00:55:29 | 7781c909 | Execution | Third-Party Software | T1072 | Professional |
2019-09-02 14:32:00 | 2019-09-02 14:32:02 | 2019-09-03 10:32:16 | cb9047bd | Initial Access | Valid Accounts | T1078 | Real Estate |
2019-07-17 08:22:05 | 2019-07-17 08:23:03 | 2019-07-17 10:15:04 | 130308f2 | Execution | Third-Party Software | T1072 | Trade |
2019-07-17 08:22:05 | 2019-07-17 08:23:03 | 2019-07-17 10:15:04 | 130308f2 | Execution | PowerShell | T1086 | Trade |
2019-09-23 07:03:03 | 2019-09-23 07:03:04 | 2019-09-23 08:30:05 | 01aa9757 | Execution | User Execution | T1204 | Retail |
2019-04-24 09:57:03 | 2019-04-24 09:58:00 | 2019-04-24 10:21:13 | fb0ad6ea | Initial Access | Valid Accounts | T1078 | Educational |
2019-09-16 22:26:04 | 2019-09-16 22:27:05 | 2019-09-16 22:47:27 | 73cd3dc5 | Execution | Third-Party Software | T1072 | Trade |
2019-09-16 16:26:00 | 2019-09-16 16:27:02 | 2019-09-16 17:25:24 | 50d25dff | Execution | Third-Party Software | T1072 | Real Estate |
2019-09-16 16:26:00 | 2019-09-16 16:27:02 | 2019-09-16 17:25:24 | 50d25dff | Execution | Scripting | T1064 | Real Estate |
2019-05-29 14:34:02 | 2019-05-29 14:35:00 | 2019-05-29 15:03:15 | 7ed03d0f | Execution | PowerShell | T1086 | Finance |
2019-05-22 20:34:05 | 2019-05-22 20:35:00 | 2019-05-22 21:14:05 | fa2f04f0 | Execution | PowerShell | T1086 | Finance |
2019-05-22 20:34:05 | 2019-05-22 20:35:00 | 2019-05-22 21:14:05 | fa2f04f0 | Execution | Third-Party Software | T1072 | Finance |
2019-05-22 20:34:05 | 2019-05-22 20:35:00 | 2019-05-22 21:14:05 | fa2f04f0 | Execution | User Execution | T1204 | Finance |
2019-05-31 08:27:02 | 2019-05-31 08:27:02 | 2019-06-03 19:20:18 | 94330527 | Execution | User Execution | T1204 | Information |
2019-07-16 12:22:05 | 2019-07-16 12:24:02 | 2019-07-21 05:50:24 | 73cd3dc5 | Initial Access | Spearphishing Link | T1192 | Trade |
2019-09-05 17:34:00 | 2019-09-05 17:34:04 | 2019-09-05 17:57:49 | 3c8cab02 | Initial Access | Spearphishing Link | T1192 | Construction |
2019-05-07 16:31:16 | 2019-05-07 16:31:16 | 2019-05-07 17:11:10 | 4b8b9b94 | Defense Evasion | Obfuscated Files or Information | T1027 | Mining |
2019-05-21 17:31:01 | 2019-05-21 17:31:01 | 2019-05-24 11:20:05 | bf1e56e4 | Execution | User Execution | T1204 | Administrative |
2019-05-09 11:46:04 | 2019-05-09 11:47:00 | 2019-05-09 11:52:06 | b52887d2 | Defense Evasion | Obfuscated Files or Information | T1027 | Retail |
2019-05-09 11:46:04 | 2019-05-09 11:47:00 | 2019-05-09 11:52:06 | b52887d2 | Execution | PowerShell | T1086 | Retail |
2019-08-30 15:05:05 | 2019-08-30 15:06:00 | 2019-08-30 15:39:04 | 288a9a89 | Execution | PowerShell | T1086 | Finance |
2019-04-11 15:48:00 | 2019-04-11 15:48:00 | 2019-04-11 20:11:03 | d282ca2e | Initial Access | Spearphishing Link | T1192 | Finance |
2019-04-12 02:39:39 | 2019-04-12 02:39:39 | 2019-07-17 07:52:16 | 27d56d69 | Execution | Service Execution | T1035 | Healthcare |
2019-07-22 15:00:56 | 2019-07-22 15:04:45 | 2019-07-22 15:36:28 | 95f16f10 | Execution | PowerShell | T1086 | Construction |
2019-07-25 13:24:04 | 2019-07-25 13:24:04 | 2019-07-25 13:35:11 | 62e43f7d | Execution | Third-Party Software | T1072 | Manufacturing |
2019-07-25 13:24:04 | 2019-07-25 13:24:04 | 2019-07-25 13:35:11 | 62e43f7d | Execution | PowerShell | T1086 | Manufacturing |
2019-08-28 11:56:05 | 2019-08-28 11:58:00 | 2019-08-28 12:08:02 | df9fcae4 | Initial Access | Spearphishing Link | T1192 | Manufacturing |
2019-05-27 15:32:01 | 2019-05-27 15:32:01 | 2019-05-28 10:53:41 | 16258713 | Initial Access | Valid Accounts | T1078 | Information |
2019-05-21 15:32:04 | 2019-05-21 15:32:04 | 2019-05-21 16:02:39 | 90de5c23 | Execution | PowerShell | T1086 | Retail |
2019-05-21 15:32:04 | 2019-05-21 15:32:04 | 2019-05-21 16:02:39 | 90de5c23 | Execution | Third-Party Software | T1072 | Retail |
2019-04-26 12:13:02 | 2019-04-26 12:13:02 | 2019-04-26 12:20:47 | ccf43f76 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-05-13 19:45:04 | 2019-05-13 19:43:09 | 2019-05-13 20:04:59 | 4b8b9b94 | Execution | Third-Party Software | T1072 | Mining |
2019-05-13 19:45:04 | 2019-05-13 19:43:09 | 2019-05-13 20:04:59 | 4b8b9b94 | Execution | PowerShell | T1086 | Mining |
2019-08-20 17:31:02 | 2019-08-20 17:31:03 | 2019-08-21 07:33:49 | 0cf83eaa | Initial Access | Spearphishing Link | T1192 | Manufacturing |
2019-04-10 15:28:03 | 2019-04-10 15:29:00 | 2019-04-11 21:20:43 | 074a904e | Initial Access | Spearphishing Link | T1192 | Professional |
2019-05-20 21:06:29 | 2019-05-20 21:06:29 | 2019-05-21 00:38:00 | f3d6e1ec | Persistence | BITS Jobs | T1197 | Construction |
2019-04-15 17:12:01 | 2019-04-15 17:12:01 | 2019-04-17 21:08:09 | 2ac86da3 | Execution | User Execution | T1204 | Accomodation |
2019-04-15 17:12:01 | 2019-04-15 17:12:01 | 2019-04-17 21:08:09 | 2ac86da3 | Execution | Third-Party Software | T1072 | Accomodation |
2019-06-19 17:49:05 | 2019-06-19 17:48:38 | 2019-06-19 18:52:42 | 9b235bf0 | Execution | Third-Party Software | T1072 | Transportation |
2019-05-02 14:55:04 | 2019-05-02 14:55:04 | 2019-05-03 13:06:42 | 803534ac | Execution | Third-Party Software | T1072 | Professional |
2019-07-06 11:02:03 | 2019-07-06 11:06:01 | 2019-07-08 07:50:52 | dddd3dce | Initial Access | Valid Accounts | T1078 | Trade |
2019-05-06 19:59:04 | 2019-05-06 19:57:46 | 2019-05-10 16:31:45 | b041a104 | Initial Access | Spearphishing Link | T1192 | Information |
2019-06-28 04:33:59 | 2019-06-28 04:33:59 | 2019-06-28 07:40:14 | 5aa2992c | Execution | Scripting | T1064 | Professional |
2019-05-31 17:56:01 | 2019-05-31 17:57:00 | 2019-05-31 18:13:07 | 2b0a0794 | Execution | Third-Party Software | T1072 | Utilities |
2019-05-31 17:56:01 | 2019-05-31 17:57:00 | 2019-05-31 18:13:07 | 2b0a0794 | Execution | PowerShell | T1086 | Utilities |
2019-09-12 14:33:01 | 2019-09-12 14:33:04 | 2019-09-22 23:20:48 | efeb5f4c | Initial Access | Valid Accounts | T1078 | Professional |
2019-04-24 13:35:05 | 2019-04-24 13:35:05 | 2019-04-24 14:14:22 | ccf43f76 | Initial Access | Drive-by Compromise | T1189 | Manufacturing |
2019-04-24 13:35:05 | 2019-04-24 13:35:05 | 2019-04-24 14:14:22 | ccf43f76 | Execution | User Execution | T1204 | Manufacturing |
2019-05-10 16:26:04 | 2019-05-10 16:27:00 | 2019-05-10 17:32:16 | 50dbe12d | Defense Evasion | Obfuscated Files or Information | T1027 | Professional |
2019-05-10 16:26:04 | 2019-05-10 16:27:00 | 2019-05-10 17:32:16 | 50dbe12d | Execution | PowerShell | T1086 | Professional |
2019-05-10 16:26:04 | 2019-05-10 16:27:00 | 2019-05-10 17:32:16 | 50dbe12d | Execution | Third-Party Software | T1072 | Professional |
2019-05-30 16:37:05 | 2019-05-30 16:37:05 | 2019-06-24 14:58:31 | 64043864 | Execution | Third-Party Software | T1072 | Retail |
2019-05-30 16:37:05 | 2019-05-30 16:37:05 | 2019-06-24 14:58:31 | 64043864 | Execution | PowerShell | T1086 | Retail |
2019-09-17 19:08:00 | 2019-09-17 19:08:03 | 2019-09-17 19:45:50 | cf74a26b | Execution | Third-Party Software | T1072 | Healthcare |
2019-05-01 09:04:04 | 2019-05-01 09:04:04 | 2019-05-01 13:51:56 | 76ebb224 | Initial Access | Spearphishing Link | T1192 | Information |
2019-08-03 18:39:04 | 2019-08-03 18:39:04 | 2019-08-05 15:02:12 | 6041707a | Collection | Email Collection | T1114 | Information |
2019-08-03 18:39:04 | 2019-08-03 18:39:04 | 2019-08-05 15:02:12 | 6041707a | Initial Access | Valid Accounts | T1078 | Information |
2019-08-14 11:52:05 | 2019-08-14 11:53:02 | 2019-08-14 14:33:24 | 01aa9757 | Initial Access | Spearphishing Link | T1192 | Retail |
2019-09-30 09:23:17 | 2019-09-30 09:25:17 | 2019-09-30 09:32:18 | 10cc3cd8 | Execution | PowerShell | T1086 | Manufacturing |
2019-09-30 09:23:17 | 2019-09-30 09:25:17 | 2019-09-30 09:32:18 | 10cc3cd8 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-09-07 14:30:01 | 2019-09-07 14:31:00 | 2019-09-08 07:22:11 | 25979a43 | Initial Access | Valid Accounts | T1078 | Professional |
2019-09-12 14:38:02 | 2019-09-12 14:39:01 | 2019-09-23 18:25:52 | e612ba50 | Initial Access | Valid Accounts | T1078 | Professional |
2019-08-29 20:05:03 | 2019-08-29 20:05:03 | 2019-08-29 20:22:12 | 03ae7598 | Initial Access | Spearphishing Link | T1192 | Healthcare |
2019-09-06 15:39:00 | 2019-09-06 15:41:01 | 2019-09-07 01:14:13 | 3c8cab02 | Initial Access | Spearphishing Link | T1192 | Construction |
2019-05-09 13:42:47 | 2019-05-09 13:44:06 | 2019-05-09 15:13:28 | 4b8b9b94 | Defense Evasion | Obfuscated Files or Information | T1027 | Mining |
2019-07-31 21:56:02 | 2019-07-31 21:58:05 | 2019-07-31 22:03:04 | 174640ec | Initial Access | Valid Accounts | T1078 | Real Estate |
2019-09-20 16:00:03 | 2019-09-20 16:01:01 | 2019-09-20 16:20:11 | 10cc3cd8 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-08-07 17:26:16 | 2019-08-07 17:29:03 | 2019-08-07 17:59:54 | 3f0c361f | Execution | Third-Party Software | T1072 | Manufacturing |
2019-09-10 14:38:04 | 2019-09-10 14:40:00 | 2019-09-10 15:40:18 | 8d283466 | Initial Access | Valid Accounts | T1078 | Healthcare |
2019-04-13 16:44:02 | 2019-04-13 16:44:02 | 2019-04-13 17:00:12 | c7469192 | Initial Access | Valid Accounts | T1078 | Information |
2019-06-28 12:44:05 | 2019-06-28 12:44:05 | 2019-06-28 12:53:27 | 689d477c | Execution | Third-Party Software | T1072 | Finance |
2019-09-08 19:23:02 | 2019-09-08 19:23:02 | 2019-09-09 02:44:59 | 5aa2992c | Execution | User Execution | T1204 | Professional |
2019-07-03 14:54:00 | 2019-07-03 14:54:01 | 2019-07-03 15:27:20 | d66f932a | Execution | Third-Party Software | T1072 | Finance |
2019-07-03 14:54:00 | 2019-07-03 14:54:01 | 2019-07-03 15:27:20 | d66f932a | Command and Control | Remote Access Tools | T1219 | Finance |
2019-05-03 09:57:01 | 2019-05-03 09:58:00 | 2019-05-03 10:07:34 | 8922d54f | Defense Evasion | Obfuscated Files or Information | T1027 | Information |
2019-05-03 09:57:01 | 2019-05-03 09:58:00 | 2019-05-03 10:07:34 | 8922d54f | Execution | Third-Party Software | T1072 | Information |
2019-09-12 14:35:02 | 2019-09-12 14:35:03 | 2019-09-22 23:24:53 | 2617075e | Initial Access | Valid Accounts | T1078 | Finance |
2019-08-30 15:14:02 | 2019-08-30 15:14:04 | 2019-08-30 15:36:31 | 45160643 | Execution | Third-Party Software | T1072 | Finance |
2019-09-06 15:37:04 | 2019-09-06 15:38:02 | 2019-09-06 16:01:22 | 03ae7598 | Execution | Third-Party Software | T1072 | Healthcare |
2019-06-07 15:18:02 | 2019-06-07 15:20:01 | 2019-06-07 15:49:19 | 3c8517d0 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-06-07 15:18:02 | 2019-06-07 15:20:01 | 2019-06-07 15:49:19 | 3c8517d0 | Persistence | BITS Jobs | T1197 | Manufacturing |
2019-06-11 06:04:05 | 2019-06-11 06:04:05 | 2019-06-11 07:49:50 | 5aa2992c | Execution | Scripting | T1064 | Professional |
2019-09-10 14:36:00 | 2019-09-10 14:36:03 | 2019-09-10 15:17:49 | 3ccabee7 | Initial Access | Valid Accounts | T1078 | Retail |
2019-04-12 19:00:02 | 2019-04-12 19:46:02 | 2019-04-12 19:57:30 | ccf43f76 | Execution | PowerShell | T1086 | Manufacturing |
2019-08-19 18:41:04 | 2019-08-19 18:43:00 | 2019-08-19 19:17:00 | 3ccabee7 | Initial Access | Valid Accounts | T1078 | Retail |
2019-06-21 07:30:18 | 2019-06-21 07:30:18 | 2019-06-24 12:07:28 | 8922d54f | Initial Access | Valid Accounts | T1078 | Information |
2019-07-22 14:39:24 | 2019-07-22 15:55:04 | 2019-07-22 16:11:31 | 8922d54f | Initial Access | Valid Accounts | T1078 | Information |
2019-07-22 14:31:02 | 2019-07-22 14:31:02 | 2019-07-22 14:35:22 | d1025733 | Initial Access | Valid Accounts | T1078 | Public |
2019-04-13 02:50:00 | 2019-04-13 02:51:02 | 2019-04-15 14:01:02 | e8869b55 | Collection | Data Staged | T1074 | Manufacturing |
2019-06-05 20:36:00 | 2019-06-05 20:36:00 | 2019-06-06 12:15:22 | fa2f04f0 | Initial Access | Spearphishing Link | T1192 | Finance |
2019-09-23 13:50:05 | 2019-09-23 13:51:01 | 2019-09-23 13:52:00 | 8922d54f | Execution | Windows Management Instrumentation | T1047 | Information |
2019-09-23 13:50:05 | 2019-09-23 13:51:01 | 2019-09-23 13:52:00 | 8922d54f | Execution | Third-Party Software | T1072 | Information |
2019-08-04 11:06:02 | 2019-08-04 11:06:02 | 2019-08-05 12:27:37 | f05fc023 | Execution | User Execution | T1204 | Other Services |
2019-07-22 17:34:24 | 2019-07-22 17:35:05 | 2019-07-22 18:10:35 | 3861f206 | Execution | PowerShell | T1086 | Professional |
2019-06-22 15:04:58 | 2019-06-25 03:21:00 | 2019-06-25 15:14:54 | db348605 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-04-09 18:10:02 | 2019-04-09 18:11:00 | 2019-04-12 11:44:00 | bed58001 | Initial Access | Spearphishing Link | T1192 | Professional |
2019-09-13 14:33:05 | 2019-09-13 14:34:01 | 2019-09-13 14:41:12 | 20b115a2 | Initial Access | Valid Accounts | T1078 | Real Estate |
2019-04-26 18:49:01 | 2019-04-26 18:49:01 | 2019-04-26 18:59:22 | 8848ae62 | Initial Access | Valid Accounts | T1078 | Professional |
2019-05-02 17:03:02 | 2019-05-02 22:35:20 | 2019-05-03 08:39:56 | a0a37559 | Defense Evasion | Obfuscated Files or Information | T1027 | Finance |
2019-05-02 17:03:02 | 2019-05-02 22:35:20 | 2019-05-03 08:39:56 | a0a37559 | Execution | Third-Party Software | T1072 | Finance |
2019-05-02 17:03:02 | 2019-05-02 22:35:20 | 2019-05-03 08:39:56 | a0a37559 | Execution | PowerShell | T1086 | Finance |
2019-05-02 17:03:02 | 2019-05-02 22:35:20 | 2019-05-03 08:39:56 | a0a37559 | Execution | User Execution | T1204 | Finance |
2019-04-10 12:33:16 | 2019-04-10 12:33:16 | 2019-04-10 15:58:25 | ac33b693 | Initial Access | Valid Accounts | T1078 | Manufacturing |
2019-04-12 20:15:01 | 2019-04-12 20:16:00 | 2019-04-12 20:27:22 | 288a9a89 | Defense Evasion | Obfuscated Files or Information | T1027 | Finance |
2019-04-03 07:59:18 | 2019-04-03 08:00:21 | 2019-04-03 09:04:07 | b52887d2 | Execution | PowerShell | T1086 | Retail |
2019-08-06 14:00:51 | 2019-08-06 14:51:35 | 2019-08-11 16:18:52 | bfb647fe | Initial Access | Valid Accounts | T1078 | Professional |
2019-08-29 15:05:00 | 2019-08-29 15:06:01 | 2019-08-29 16:55:45 | 8922d54f | Execution | Third-Party Software | T1072 | Information |
2019-08-26 12:37:02 | 2019-08-26 12:37:03 | 2019-08-26 21:04:36 | 054e7281 | Persistence | Registry Run Key | T1060 | Professional |
2019-07-08 00:00:00 | 2019-07-08 00:00:00 | 2019-08-03 03:19:18 | 4cefe35f | Initial Access | Spearphishing Link | T1192 | Public |
2019-05-28 12:31:03 | 2019-05-28 12:31:03 | 2019-05-28 19:23:27 | bbfab332 | Execution | User Execution | T1204 | Entertainment |
2019-07-04 10:04:03 | 2019-07-04 10:04:03 | 2019-08-07 13:14:24 | b52887d2 | Defense Evasion | Masquerading | T1036 | Retail |
2019-07-29 07:12:14 | 2019-07-29 07:23:01 | 2019-07-29 13:57:55 | 8922d54f | Initial Access | Valid Accounts | T1078 | Information |
2019-07-03 11:43:02 | 2019-07-03 11:43:03 | 2019-07-03 11:56:27 | ccf43f76 | Defense Evasion | Obfuscated Files or Information | T1027 | Manufacturing |
2019-09-20 17:20:02 | 2019-09-20 17:20:03 | 2019-09-20 17:50:30 | 9dc35ce9 | Execution | PowerShell | T1086 | Professional |
2019-09-20 17:20:02 | 2019-09-20 17:20:03 | 2019-09-20 17:50:30 | 9dc35ce9 | Execution | Third-Party Software | T1072 | Professional |
2019-09-10 14:37:02 | 2019-09-10 14:38:00 | 2019-09-10 15:46:20 | c70938a5 | Initial Access | Valid Accounts | T1078 | Information |
2019-09-09 14:30:02 | 2019-09-09 14:30:03 | 2019-09-12 17:02:51 | 0cf83eaa | Initial Access | Valid Accounts | T1078 | Manufacturing |
2019-05-22 13:46:04 | 2019-05-22 13:47:00 | 2019-05-22 14:11:57 | 09d70d99 | Execution | Third-Party Software | T1072 | Finance |
2019-05-22 13:46:04 | 2019-05-22 13:47:00 | 2019-05-22 14:11:57 | 09d70d99 | Persistence | BITS Jobs | T1197 | Finance |
2019-08-13 17:43:03 | 2019-08-13 17:44:00 | 2019-08-23 03:19:33 | 9516d73d | Initial Access | Spearphishing Link | T1192 | Retail |
2019-09-13 14:05:05 | 2019-09-13 14:06:00 | 2019-09-16 09:46:05 | d8fbb22f | Execution | Scripting | T1064 | Entertainment |
2019-09-26 14:32:00 | 2019-09-26 14:32:00 | 2019-09-26 15:05:22 | 5aa2992c | Execution | User Execution | T1204 | Professional |
2019-09-16 17:23:03 | 2019-09-16 17:24:02 | 2019-09-16 17:33:05 | bfb647fe | Initial Access | Spearphishing Link | T1192 | Professional |
2019-09-11 14:36:02 | 2019-09-11 14:39:04 | 2019-09-11 15:44:51 | 98ec6fda | Initial Access | Valid Accounts | T1078 | Trade |
2019-05-07 23:45:03 | 2019-05-07 23:45:03 | 2019-05-08 10:42:14 | fa2f04f0 | Defense Evasion | Obfuscated Files or Information | T1027 | Finance |
2019-05-07 23:45:03 | 2019-05-07 23:45:03 | 2019-05-08 10:42:14 | fa2f04f0 | Execution | Third-Party Software | T1072 | Finance |
2019-05-07 23:45:03 | 2019-05-07 23:45:03 | 2019-05-08 10:42:14 | fa2f04f0 | Execution | PowerShell | T1086 | Finance |
2019-09-23 13:15:04 | 2019-09-23 13:16:02 | 2019-09-27 18:16:44 | 2a87c494 | Initial Access | Spearphishing Link | T1192 | Finance |
2019-07-24 13:03:08 | 2019-07-24 13:03:43 | 2019-07-24 13:39:10 | 10cc3cd8 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-05-23 16:53:34 | 2019-05-23 16:53:34 | 2019-05-23 19:11:31 | ac33b693 | Initial Access | Valid Accounts | T1078 | Manufacturing |
2019-06-28 13:26:02 | 2019-06-28 13:26:02 | 2019-07-01 22:17:58 | e73ed498 | Execution | Rundll32 | T1085 | Healthcare |
2019-06-24 13:50:05 | 2019-06-24 13:50:05 | 2019-06-24 13:56:18 | db348605 | Initial Access | Spearphishing Link | T1192 | Manufacturing |
2019-09-05 19:20:01 | 2019-09-05 19:21:01 | 2019-09-06 23:15:59 | ddd4811c | Execution | Third-Party Software | T1072 | Healthcare |
2019-09-05 19:37:00 | 2019-09-05 19:37:04 | 2019-09-06 15:15:59 | 3c8cab02 | Execution | Scheduled Task | T1053 | Construction |
2019-09-05 19:37:00 | 2019-09-05 19:37:04 | 2019-09-06 15:15:59 | 3c8cab02 | Execution | Third-Party Software | T1072 | Construction |
2019-05-22 15:45:04 | 2019-05-22 15:45:04 | 2019-05-22 16:10:47 | f6f06e0d | Execution | PowerShell | T1086 | Information |
2019-06-17 13:54:02 | 2019-06-17 13:54:02 | 2019-06-18 15:34:21 | 8922d54f | Initial Access | Valid Accounts | T1078 | Information |
2019-08-29 10:18:05 | 2019-08-29 10:18:05 | 2019-08-29 20:00:07 | 17a84413 | Initial Access | Spearphishing Link | T1192 | Construction |
2019-05-21 15:44:01 | 2019-05-21 15:42:57 | 2019-05-22 14:57:00 | 672cb463 | Execution | Third-Party Software | T1072 | Retail |
2019-07-08 08:29:00 | 2019-07-08 08:29:04 | 2019-07-08 08:47:34 | 5aa2992c | Execution | Scripting | T1064 | Professional |
2019-08-21 00:00:00 | 2019-08-21 11:13:02 | 2019-08-21 11:22:57 | 50dbe12d | Execution | Third-Party Software | T1072 | Professional |
2019-06-08 01:29:00 | 2019-06-08 01:30:00 | 2019-06-08 01:39:13 | 5dcf5d35 | Execution | Third-Party Software | T1072 | Healthcare |
2019-04-12 19:26:22 | 2019-04-12 19:49:02 | 2019-04-13 00:50:43 | 8922d54f | Initial Access | Spearphishing Link | T1192 | Information |
2019-04-26 22:01:00 | 2019-04-26 22:01:00 | 2019-04-26 23:45:00 | 94330527 | Lateral Movement | Remote File Copy | T1105 | Information |
2019-04-26 22:01:00 | 2019-04-26 22:01:00 | 2019-04-26 23:45:00 | 94330527 | Execution | Third-Party Software | T1072 | Information |
2019-08-29 13:34:04 | 2019-08-29 13:34:05 | 2019-08-29 14:44:55 | e33435b1 | Execution | Scripting | T1064 | Finance |
2019-08-29 13:34:04 | 2019-08-29 13:34:05 | 2019-08-29 14:44:55 | e33435b1 | Execution | Third-Party Software | T1072 | Finance |
2019-06-27 11:33:04 | 2019-06-27 11:34:01 | 2019-08-16 18:15:50 | 03ae7598 | Command and Control | Remote Access Tools | T1219 | Healthcare |
2019-04-10 16:18:13 | 2019-04-10 16:18:13 | 2019-04-10 16:52:36 | 15eab339 | Execution | PowerShell | T1086 | Information |
2019-04-10 16:18:13 | 2019-04-10 16:18:13 | 2019-04-10 16:52:36 | 15eab339 | Execution | Third-Party Software | T1072 | Information |
2019-04-10 16:18:13 | 2019-04-10 16:18:13 | 2019-04-10 16:52:36 | 15eab339 | Credential Access | Brute Force | T1110 | Information |
2019-04-10 16:18:13 | 2019-04-10 16:18:13 | 2019-04-10 16:52:36 | 15eab339 | Lateral Movement | Windows Admin Shares | T1077 | Information |
2019-04-10 16:18:13 | 2019-04-10 16:18:13 | 2019-04-10 16:52:36 | 15eab339 | Persistence | New Service | T1050 | Information |
2019-04-11 19:49:00 | 2019-04-11 19:50:00 | 2019-04-12 10:53:25 | 7b18b611 | Initial Access | Spearphishing Link | T1192 | Construction |
2019-05-21 17:12:02 | 2019-05-21 17:13:00 | 2019-05-21 17:52:23 | dab94505 | Execution | Third-Party Software | T1072 | Trade |
2019-05-21 17:12:02 | 2019-05-21 17:13:00 | 2019-05-21 17:52:23 | dab94505 | Persistence | BITS Jobs | T1197 | Trade |
2019-08-08 17:41:00 | 2019-08-08 17:41:00 | 2019-08-08 18:52:06 | 98ec6fda | Persistence | BITS Jobs | T1197 | Trade |
2019-06-20 19:08:01 | 2019-06-20 19:08:01 | 2019-06-20 19:18:04 | 50dbe12d | Execution | Third-Party Software | T1072 | Professional |
2019-09-04 11:58:00 | 2019-09-04 11:56:32 | 2019-09-04 12:02:32 | 8cea5e51 | Execution | Windows Management Instrumentation | T1047 | Retail |
2019-09-04 11:58:00 | 2019-09-04 11:56:32 | 2019-09-04 12:02:32 | 8cea5e51 | Execution | Third-Party Software | T1072 | Retail |
2019-09-10 14:36:01 | 2019-09-10 14:36:03 | 2019-09-12 17:46:50 | ee29357b | Initial Access | Valid Accounts | T1078 | Finance |
2019-07-17 12:48:05 | 2019-07-17 12:48:05 | 2019-07-17 13:26:57 | 6b527356 | Initial Access | Drive-by Compromise | T1189 | Information |
2019-07-17 12:48:05 | 2019-07-17 12:48:05 | 2019-07-17 13:26:57 | 6b527356 | Execution | Third-Party Software | T1072 | Information |
2019-07-17 12:48:05 | 2019-07-17 12:48:05 | 2019-07-17 13:26:57 | 6b527356 | Command and Control | Remote Access Tools | T1219 | Information |
2019-04-04 14:40:01 | 2019-04-04 14:41:00 | 2019-04-04 15:05:22 | 39aa24e3 | Execution | PowerShell | T1086 | Retail |
2019-05-21 17:29:05 | 2019-05-21 17:30:01 | 2019-05-21 17:54:05 | 288a9a89 | Execution | Third-Party Software | T1072 | Finance |
2019-04-05 10:10:05 | 2019-04-05 10:10:05 | 2019-04-08 15:16:03 | 054e7281 | Execution | User Execution | T1204 | Professional |
2019-07-07 14:31:02 | 2019-07-07 14:32:04 | 2019-07-08 13:11:41 | 126973df | Initial Access | Valid Accounts | T1078 | Other Services |
2019-09-14 14:38:00 | 2019-09-14 14:39:03 | 2019-09-23 05:54:04 | 803534ac | Initial Access | Valid Accounts | T1078 | Professional |
2019-08-06 08:41:27 | 2019-08-29 15:15:03 | 2019-08-29 15:36:58 | 01aa9757 | Execution | Third-Party Software | T1072 | Retail |
2019-08-07 16:21:04 | 2019-08-07 16:21:05 | 2019-08-07 16:32:36 | 81f75e9b | Execution | Third-Party Software | T1072 | Finance |
2019-04-15 07:17:20 | 2019-04-15 07:17:49 | 2019-04-15 09:30:50 | 217ac347 | Initial Access | Spearphishing Link | T1192 | Healthcare |
2019-07-18 14:30:05 | 2019-07-18 14:30:05 | 2019-07-19 13:18:09 | 36ba7a34 | Initial Access | Valid Accounts | T1078 | Utilities |
2019-09-12 14:38:03 | 2019-09-12 14:39:03 | 2019-09-12 15:28:43 | 1abcf80b | Initial Access | Valid Accounts | T1078 | Finance |
2019-08-21 14:36:59 | 2019-08-21 14:38:18 | 2019-08-21 14:47:48 | 0930b5b4 | Execution | Third-Party Software | T1072 | Administrative |
2019-08-21 14:36:59 | 2019-08-21 14:38:18 | 2019-08-21 14:47:48 | 0930b5b4 | Execution | PowerShell | T1086 | Administrative |
2019-04-10 14:01:02 | 2019-04-10 14:02:00 | 2019-04-10 15:00:03 | ccf43f76 | Initial Access | Drive-by Compromise | T1189 | Manufacturing |
2019-04-10 14:01:02 | 2019-04-10 14:02:00 | 2019-04-10 15:00:03 | ccf43f76 | Execution | User Execution | T1204 | Manufacturing |
2019-09-02 14:08:03 | 2019-09-02 14:16:04 | 2019-09-02 15:45:12 | 98ec6fda | Execution | Third-Party Software | T1072 | Trade |
2019-07-10 14:44:03 | 2019-07-10 14:44:03 | 2019-07-11 00:04:27 | 672cb463 | Initial Access | Valid Accounts | T1078 | Retail |
2019-06-05 12:50:01 | 2019-06-05 12:57:03 | 2019-06-05 13:11:27 | a7ceb140 | Execution | User Execution | T1204 | Information |
2019-06-05 12:32:00 | 2019-06-05 12:32:00 | 2019-06-07 16:14:37 | 76ebb224 | Execution | User Execution | T1204 | Information |
2019-09-11 14:35:04 | 2019-09-11 14:36:03 | 2019-09-22 23:12:32 | bbf30fe0 | Initial Access | Valid Accounts | T1078 | Manufacturing |
2019-08-27 11:35:52 | 2019-08-27 11:36:43 | 2019-08-27 12:19:42 | 3f0c361f | Execution | PowerShell | T1086 | Manufacturing |
2019-09-27 09:22:00 | 2019-09-27 09:22:01 | 2019-09-27 09:27:49 | 50d25dff | Execution | Third-Party Software | T1072 | Real Estate |
2019-05-15 16:25:00 | 2019-05-15 16:25:01 | 2019-05-15 17:37:14 | fb0ad6ea | Execution | Third-Party Software | T1072 | Educational |
2019-05-15 16:25:00 | 2019-05-15 16:25:01 | 2019-05-15 17:37:14 | fb0ad6ea | Persistence | BITS Jobs | T1197 | Educational |
2019-04-02 17:14:01 | 2019-04-02 17:14:01 | 2019-04-02 18:33:26 | 8848ae62 | Initial Access | Valid Accounts | T1078 | Professional |
2019-05-28 14:49:04 | 2019-05-28 14:48:31 | 2019-05-28 15:23:13 | 00275457 | Execution | Third-Party Software | T1072 | Trade |
2019-08-29 13:58:03 | 2019-08-29 13:59:03 | 2019-08-29 14:27:58 | 0930b5b4 | Defense Evasion | Obfuscated Files or Information | T1027 | Administrative |
2019-09-08 01:48:03 | 2019-09-08 01:48:04 | 2019-09-08 10:52:55 | 5dcf5d35 | Execution | Third-Party Software | T1072 | Healthcare |
2019-07-08 14:35:02 | 2019-07-08 14:36:04 | 2019-07-08 19:24:16 | 7186763d | Initial Access | Valid Accounts | T1078 | Finance |
2019-09-17 18:04:03 | 2019-09-17 18:05:00 | 2019-09-17 18:30:19 | 86932650 | Execution | PowerShell | T1086 | Management |
2019-06-11 12:20:03 | 2019-06-11 12:21:00 | 2019-06-11 13:25:33 | 58e9d2d4 | Execution | Third-Party Software | T1072 | Information |
2019-06-11 12:20:03 | 2019-06-11 12:21:00 | 2019-06-11 13:25:33 | 58e9d2d4 | Execution | User Execution | T1204 | Information |
2019-09-25 00:09:02 | 2019-09-25 00:09:04 | 2019-09-25 00:28:54 | 217ac347 | Execution | PowerShell | T1086 | Healthcare |
2019-05-24 11:19:05 | 2019-05-24 11:20:00 | 2019-05-24 11:35:27 | 22fa5e5a | Execution | Third-Party Software | T1072 | Finance |
2019-05-24 11:19:05 | 2019-05-24 11:20:00 | 2019-05-24 11:35:27 | 22fa5e5a | Execution | PowerShell | T1086 | Finance |
2019-09-05 13:05:01 | 2019-09-05 13:05:03 | 2019-09-05 13:29:58 | 0930b5b4 | Execution | Third-Party Software | T1072 | Administrative |
2019-09-05 13:05:01 | 2019-09-05 13:05:03 | 2019-09-05 13:29:58 | 0930b5b4 | Execution | Windows Management Instrumentation | T1047 | Administrative |
2019-05-29 12:51:03 | 2019-05-29 12:51:03 | 2019-05-29 13:09:03 | e0bd147e | Execution | Third-Party Software | T1072 | Professional |
2019-05-29 12:51:03 | 2019-05-29 12:51:03 | 2019-05-29 13:09:03 | e0bd147e | Defense Evasion | Obfuscated Files or Information | T1027 | Professional |
2019-05-29 12:51:03 | 2019-05-29 12:51:03 | 2019-05-29 13:09:03 | e0bd147e | Command and Control | Remote Access Tools | T1219 | Professional |
2019-07-10 03:49:04 | 2019-07-10 03:49:04 | 2019-07-10 21:07:21 | f6f06e0d | Execution | User Execution | T1204 | Information |
2019-07-10 03:49:04 | 2019-07-10 03:49:04 | 2019-07-10 21:07:21 | f6f06e0d | Execution | Scheduled Task | T1053 | Information |
2019-04-10 16:07:00 | 2019-04-10 16:08:00 | 2019-04-10 16:10:59 | 048c18b6 | Initial Access | Spearphishing Link | T1192 | Finance |
2019-06-07 10:45:03 | 2019-06-07 10:45:03 | 2019-06-07 16:08:40 | 6e3b5580 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-05-10 21:18:02 | 2019-05-10 21:19:01 | 2019-05-13 13:49:15 | 3be8d3c9 | Initial Access | Spearphishing Link | T1192 | Professional |
2019-06-12 19:45:05 | 2019-06-12 19:47:00 | 2019-06-12 20:26:04 | 84d1d17a | Execution | Scripting | T1064 | Healthcare |
2019-04-02 19:25:02 | 2019-04-02 19:25:02 | 2019-04-03 16:23:41 | 6589fb64 | Initial Access | Spearphishing Link | T1192 | Manufacturing |
2019-09-19 13:00:02 | 2019-09-19 13:00:03 | 2019-09-19 13:06:30 | 4b8b9b94 | Execution | PowerShell | T1086 | Mining |
2019-09-19 13:00:02 | 2019-09-19 13:00:03 | 2019-09-19 13:06:30 | 4b8b9b94 | Execution | Third-Party Software | T1072 | Mining |
2019-09-30 19:44:05 | 2019-09-30 19:45:00 | 2019-09-30 19:57:52 | 407f2095 | Execution | PowerShell | T1086 | Construction |
2019-09-30 19:44:05 | 2019-09-30 19:45:00 | 2019-09-30 19:57:52 | 407f2095 | Execution | Third-Party Software | T1072 | Construction |
2019-06-23 21:24:03 | 2019-06-23 21:24:03 | 2019-06-24 11:16:19 | 74a0f9dc | Execution | User Execution | T1204 | Manufacturing |
2019-05-04 16:40:00 | 2019-05-04 16:40:00 | 2019-05-07 09:36:57 | 5aa2992c | Execution | User Execution | T1204 | Professional |
2019-08-29 20:38:13 | 2019-08-29 20:43:00 | 2019-08-29 20:48:53 | 03ae7598 | Initial Access | Spearphishing Link | T1192 | Healthcare |
2019-09-07 16:16:00 | 2019-09-07 16:16:01 | 2019-09-07 17:06:48 | b6000bd5 | Execution | PowerShell | T1086 | Professional |
2019-04-08 16:17:52 | 2019-04-08 16:18:29 | 2019-04-08 16:20:50 | 00275457 | Initial Access | Spearphishing Link | T1192 | Trade |
2019-06-29 00:31:04 | 2019-06-29 00:31:04 | 2019-06-29 01:00:15 | b52887d2 | Execution | User Execution | T1204 | Retail |
2019-06-29 00:31:04 | 2019-06-29 00:31:04 | 2019-06-29 01:00:15 | b52887d2 | Execution | Scripting | T1064 | Retail |
2019-04-30 13:12:01 | 2019-04-30 13:12:01 | 2019-04-30 13:20:31 | 16258713 | Initial Access | Spearphishing Link | T1192 | Information |
2019-01-09 13:06:03 | 2019-01-09 13:06:03 | 2019-04-04 15:32:36 | bf1e56e4 | Initial Access | Valid Accounts | T1078 | Administrative |
2019-06-20 15:18:04 | 2019-06-20 15:18:05 | 2019-06-20 15:24:39 | 4b8b9b94 | Execution | Third-Party Software | T1072 | Mining |
2019-09-05 16:18:03 | 2019-09-05 16:19:00 | 2019-09-09 03:44:46 | 01aa9757 | Execution | User Execution | T1204 | Retail |
2019-08-29 01:56:03 | 2019-08-29 01:56:04 | 2019-08-29 05:55:48 | 130308f2 | Initial Access | Spearphishing Link | T1192 | Trade |
2019-05-09 15:59:01 | 2019-05-09 15:59:01 | 2019-05-09 17:14:28 | 79fbecf3 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-07-09 19:22:01 | 2019-07-09 19:22:01 | 2019-07-09 19:49:29 | db348605 | Execution | PowerShell | T1086 | Manufacturing |
2019-07-09 19:22:01 | 2019-07-09 19:22:01 | 2019-07-09 19:49:29 | db348605 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-09-12 14:36:45 | 2019-09-12 14:38:05 | 2019-09-12 15:05:00 | 3f0c361f | Execution | Third-Party Software | T1072 | Manufacturing |
2019-09-12 14:36:45 | 2019-09-12 14:38:05 | 2019-09-12 15:05:00 | 3f0c361f | Execution | PowerShell | T1086 | Manufacturing |
2019-04-07 16:07:01 | 2019-04-07 16:07:01 | 2019-04-08 15:42:18 | 6ad60c84 | Execution | PowerShell | T1086 | Transportation |
2019-04-26 23:49:01 | 2019-04-26 23:50:00 | 2019-04-27 05:17:35 | 9039e40e | Execution | User Execution | T1204 | Entertainment |
2019-04-26 23:49:01 | 2019-04-26 23:50:00 | 2019-04-27 05:17:35 | 9039e40e | Execution | PowerShell | T1086 | Entertainment |
2019-09-17 13:20:03 | 2019-09-17 13:21:00 | 2019-09-17 13:25:30 | 3ccabee7 | Execution | PowerShell | T1086 | Retail |
2019-09-17 13:20:03 | 2019-09-17 13:21:00 | 2019-09-17 13:25:30 | 3ccabee7 | Execution | Third-Party Software | T1072 | Retail |
2019-06-11 14:05:53 | 2019-06-11 14:05:53 | 2019-06-11 14:35:00 | ac33b693 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-06-11 14:05:53 | 2019-06-11 14:05:53 | 2019-06-11 14:35:00 | ac33b693 | Execution | PowerShell | T1086 | Manufacturing |
2019-07-31 14:00:32 | 2019-07-31 14:01:03 | 2019-07-31 14:09:38 | 3f0c361f | Execution | User Execution | T1204 | Manufacturing |
2019-08-29 13:17:05 | 2019-08-29 13:19:01 | 2019-08-29 14:43:28 | e33435b1 | Execution | Scripting | T1064 | Finance |
2019-08-29 13:17:05 | 2019-08-29 13:19:01 | 2019-08-29 14:43:28 | e33435b1 | Execution | Third-Party Software | T1072 | Finance |
2019-04-11 17:48:05 | 2019-04-11 17:48:05 | 2019-04-11 17:48:05 | 09deb14b | Initial Access | Valid Accounts | T1078 | Professional |
2019-07-29 13:56:00 | 2019-07-29 13:57:33 | 2019-07-29 14:02:27 | 689d477c | Execution | Third-Party Software | T1072 | Finance |
2019-07-29 13:56:00 | 2019-07-29 13:57:33 | 2019-07-29 14:02:27 | 689d477c | Execution | PowerShell | T1086 | Finance |
2019-05-10 12:39:05 | 2019-05-10 12:40:00 | 2019-05-10 13:10:31 | 5e4fc028 | Execution | Scripting | T1064 | Healthcare |
2019-06-24 15:53:05 | 2019-06-24 15:54:00 | 2019-06-24 16:33:53 | 39aa24e3 | Execution | Third-Party Software | T1072 | Retail |
2019-08-19 11:54:03 | 2019-08-19 11:55:03 | 2019-08-19 12:04:54 | ccf43f76 | Execution | Third-Party Software | T1072 | Manufacturing |
2019-06-17 11:35:03 | 2019-06-17 11:35:03 | 2019-06-17 22:58:15 | 5aa2992c | Execution | Scripting | T1064 | Professional |
2019-08-13 18:02:01 | 2019-08-13 18:02:05 | 2019-08-13 18:15:18 | 98ec6fda | Persistence | Registry Run Key | T1060 | Trade |
2019-05-21 10:14:00 | 2019-05-21 10:14:00 | 2019-05-21 14:45:16 | fd42c0e9 | Initial Access | Spearphishing Link | T1192 | Trade |
(incidents dataframe obtained)
Now we can take a first look at how much information there is and of what kind:
first_event_ts:

n | missing | distinct | Info | Mean | Gmd |
---|---|---|---|---|---|
489 | 0 | 376 | 1 | 2019-06-30 07:56:59 | 5689019 |

.05 | .10 | .25 | .50 | .75 | .90 | .95 |
---|---|---|---|---|---|---|
2019-04-10 09:54:42 | 2019-04-15 07:06:40 | 2019-05-10 21:18:02 | 2019-06-25 11:31:05 | 2019-08-29 13:17:05 | 2019-09-14 14:38:01 | 2019-09-19 19:45:05 |

lowest : | 2019-01-09 13:06:03 | 2019-01-26 13:11:04 | 2019-03-28 14:01:01 | 2019-03-30 07:59:55 | 2019-03-30 17:26:01 |
highest: | 2019-09-27 09:22:00 | 2019-09-27 18:13:02 | 2019-09-30 09:23:17 | 2019-09-30 19:44:05 | 2019-09-30 20:44:00 |

first_alert_ts:

n | missing | distinct | Info | Mean | Gmd |
---|---|---|---|---|---|
489 | 0 | 378 | 1 | 2019-06-30 10:19:31 | 5692247 |

.05 | .10 | .25 | .50 | .75 | .90 | .95 |
---|---|---|---|---|---|---|
2019-04-10 09:55:18 | 2019-04-15 07:07:03 | 2019-05-10 21:19:01 | 2019-06-25 19:58:03 | 2019-08-29 13:34:05 | 2019-09-14 14:39:14 | 2019-09-19 19:46:00 |

lowest : | 2019-01-09 13:06:03 | 2019-01-26 13:11:04 | 2019-03-28 14:01:01 | 2019-03-30 07:59:55 | 2019-03-30 17:26:01 |
highest: | 2019-09-27 09:22:01 | 2019-09-27 18:14:05 | 2019-09-30 09:25:17 | 2019-09-30 19:45:00 | 2019-09-30 20:44:01 |

containment_ts:

n | missing | distinct | Info | Mean | Gmd |
---|---|---|---|---|---|
489 | 0 | 381 | 1 | 2019-07-02 09:49:40 | 5634342 |

.05 | .10 | .25 | .50 | .75 | .90 | .95 |
---|---|---|---|---|---|---|
2019-04-10 16:03:26 | 2019-04-16 05:06:50 | 2019-05-13 20:04:59 | 2019-06-28 07:40:14 | 2019-08-29 14:43:28 | 2019-09-17 17:58:19 | 2019-09-22 23:23:15 |

lowest : | 2019-04-01 12:19:24 | 2019-04-01 19:23:33 | 2019-04-02 10:10:42 | 2019-04-02 13:30:49 | 2019-04-02 18:30:05 |
highest: | 2019-09-27 18:16:44 | 2019-09-28 08:52:37 | 2019-09-30 09:32:18 | 2019-09-30 19:57:52 | 2019-09-30 21:13:48 |

org:

n | missing | distinct |
---|---|---|
489 | 0 | 167 |

lowest : | 00275457 | 0086f99f | 01aa9757 | 03ae7598 | 048c18b6 |
highest: | fa2f04f0 | fac8bcdd | fb0ad6ea | fd42c0e9 | fe25e5d9 |

tactic:

n | missing | distinct |
---|---|---|
489 | 0 | 9 |

lowest : | Collection | Command and Control | Credential Access | Defense Evasion | Execution |
highest: | Execution | Impact | Initial Access | Lateral Movement | Persistence |

technique:

n | missing | distinct |
---|---|---|
489 | 0 | 28 |

lowest : | BITS Jobs | Brute Force | Data Staged | Disabling Security Tools | Drive-by Compromise |
highest: | Third-Party Software | User Execution | Valid Accounts | Windows Admin Shares | Windows Management Instrumentation |

id:

n | missing | distinct |
---|---|---|
489 | 0 | 28 |

industry:

n | missing | distinct |
---|---|---|
489 | 0 | 19 |

lowest : | Accomodation | Administrative | Construction | Educational | Entertainment |
highest: | Real Estate | Retail | Trade | Transportation | Utilities |
To study these time variables, we decided to treat them as quantitative variables. We therefore started with a bubble plot to see which months, or which days of the month, were most affected.
We can observe that, at first sight, there is no difference at all between the first_event and first_alert plots. Even so, the difference between the two is computed in the next section.
To check whether there are significant differences between these two variables, the following hypothesis test is performed:
Thus, under the null hypothesis we assume that these variables show no significant differences; if it is rejected, they do differ enough and must be studied separately from here on.
We then check whether this two-sided test can be carried out with \(\alpha = 0.05\). To do so we must verify the normality of our data, so we draw a dot histogram:
It is very clear that the data do not follow a normal distribution, so the statistical inference described cannot be carried out. Even so, we can conclude that the isolated values are unfavourable, that is, there was a large delay between the day the incident occurred and the day it was detected. Let us look at these cases:
org | tactic | id | industry | delay |
---|---|---|---|---|
3c8cab02 | Initial Access | T1192 | Construction | 23 days |
ac33b693 | Execution | T1072 | Manufacturing | 19 days |
ac33b693 | Persistence | T1197 | Manufacturing | 3 days |
ccf43f76 | Execution | T1204 | Manufacturing | 1 days |
ccf43f76 | Execution | T1072 | Manufacturing | 1 days |
We can observe that the Manufacturing industry is the slowest, compared with the others, at detecting these incidents. Specifically, it is the organisation ac33b693 that does not detect incidents in time.
On the other hand, organisation 3c8cab02 should improve its detection, since it takes as long as 23 days to detect an incident.
Finally, organisation ccf43f76 is the only other one that takes more than a few hours to detect them.
Setting aside the cases just presented, we can consider these two columns to be equal (in every other case the difference is 0). We have to treat them this way because the test described above could not be performed. Had the data been normal, the following would have been run:
t.test(diffechas$diffechas,
       mu = 0,
       alternative = "two.sided") # two-sided test
Finally, we study the last column, which is also a time variable. On its own it makes little sense to study it, so it is related to first_event; this way we can see the duration of the incidents.
It can be seen that the attacks carried out at the start of the year (January) are by far the ones that lasted longest, and that from April onwards the attacks have been shorter, all lasting less than 20 days. To see better what happens between April and October, we repeat the previous plot removing the cases from the first two months with their disproportionate durations:
We can see that in July and August there is also a spike in the duration of these incidents. This is presumed to be due to the overlap with many employees' holidays.
At the same time, we analyse the long-duration incidents (more than 20 days):
org | tactic | id | industry | duration |
---|---|---|---|---|
3c8cab02 | Initial Access | T1192 | Construction | 81.92594 |
ac33b693 | Execution | T1072 | Manufacturing | 65.21700 |
Organisation 3c8cab02 appears again with an incident lasting almost 82 days, the same one it took 23 days to detect, so the actual working time on this T1192 incident is 59 days (still a lot of days).
On the other hand, again, organisation ac33b693 is the second slowest at resolving incidents.
As already mentioned, we saw earlier that these organisations were the slowest at detecting incidents, so they should improve their detection and risk management teams.
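As an added example (not the report's own R code), the Python below carries out the detection-delay and duration computations of the two sections above over a small sample in the shape of the unnested incidents table: four rows copied from the page plus two constructed 3c8cab02 rows (a 23-day delay and an 82-day duration, not the dataset's real values). It also collapses the one-row-per-technique layout back to one entry per incident, which the per-row tables above do not.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample in the shape of the unnested incidents table
# (first_event_ts | first_alert_ts | containment_ts | org | tactic | technique | id | industry).
# Rows 1-4 are copied from the page; the two 3c8cab02 rows are constructed so that one
# incident shows a 23-day detection delay and an 82-day duration (not the dataset's values).
SAMPLE_ROWS = """\
2019-07-09 19:22:01 | 2019-07-09 19:22:01 | 2019-07-09 19:49:29 | db348605 | Execution | PowerShell | T1086 | Manufacturing
2019-07-09 19:22:01 | 2019-07-09 19:22:01 | 2019-07-09 19:49:29 | db348605 | Execution | Third-Party Software | T1072 | Manufacturing
2019-01-09 13:06:03 | 2019-01-09 13:06:03 | 2019-04-04 15:32:36 | bf1e56e4 | Initial Access | Valid Accounts | T1078 | Administrative
2019-06-24 15:53:05 | 2019-06-24 15:54:00 | 2019-06-24 16:33:53 | 39aa24e3 | Execution | Third-Party Software | T1072 | Retail
2019-05-01 10:00:00 | 2019-05-24 10:00:00 | 2019-07-22 10:00:00 | 3c8cab02 | Initial Access | Spearphishing Link | T1192 | Construction
2019-05-01 10:00:00 | 2019-05-24 10:00:00 | 2019-07-22 10:00:00 | 3c8cab02 | Execution | User Execution | T1204 | Construction
"""


@dataclass(frozen=True)
class Row:
    first_event: datetime
    first_alert: datetime
    containment: datetime
    org: str
    tactic: str
    technique: str
    id: str
    industry: str

    @property
    def detection_delay(self):  # time the incident ran before anyone noticed
        return self.first_alert - self.first_event

    @property
    def duration(self):  # total time the incident was open
        return self.containment - self.first_event

    @property
    def response_time(self):  # time spent working it once alerted (the page's 59 days)
        return self.containment - self.first_alert


def days(td):
    return td.total_seconds() / 86400  # the page reports delay and duration in days


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 8:
            raise ValueError(f"expected 8 cells, got {len(cells)}: {line!r}")
        ev, al, co, org, tactic, technique, tid, industry = cells
        row = Row(datetime.strptime(ev, TS_FMT), datetime.strptime(al, TS_FMT),
                  datetime.strptime(co, TS_FMT), org, tactic, technique, tid, industry)
        # Out-of-order timestamps would give negative delays and distort the statistics.
        if not row.first_event <= row.first_alert <= row.containment:
            raise ValueError(f"timestamps out of order: {line!r}")
        rows.append(row)
    return rows


def distinct_incidents(rows):
    """One incident per (org, first_event) -> list of its technique ids.

    After unnest(mitre_attack) an incident occupies one row per ATT&CK technique, so
    per-row statistics count a two-technique incident twice (the page's delay table lists
    ccf43f76 once for T1204 and once for T1072 with the same 1-day delay).
    """
    grouped = defaultdict(list)
    for r in rows:
        grouped[(r.org, r.first_event)].append(r.id)
    return dict(grouped)


def _one_per_incident(rows):
    seen = set()
    for r in rows:
        if (r.org, r.first_event) not in seen:
            seen.add((r.org, r.first_event))
            yield r


def late_detections(rows, min_delay=timedelta(hours=1)):
    """(org, industry, delay days) per incident alerted later than min_delay, slowest first."""
    late = sorted((r for r in _one_per_incident(rows) if r.detection_delay > min_delay),
                  key=lambda r: r.detection_delay, reverse=True)
    return [(r.org, r.industry, round(days(r.detection_delay), 2)) for r in late]


def long_running(rows, min_days=20.0):
    """(org, industry, duration days, response days) per incident open longer than
    min_days (the page's outlier cut-off), longest first."""
    long_ = sorted((r for r in _one_per_incident(rows) if days(r.duration) > min_days),
                   key=lambda r: r.duration, reverse=True)
    return [(r.org, r.industry, round(days(r.duration), 2), round(days(r.response_time), 2))
            for r in long_]
```

On this sample, `late_detections` returns only the constructed 3c8cab02 incident (23.0 days) and `long_running` returns bf1e56e4 (about 85.1 days) ahead of 3c8cab02 (82.0 days open, 59.0 days of response time).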
First, the different affected industries are studied with a bar plot to see which one is most affected.
It can be seen that the ones that have suffered the most attacks are Retail, Professional and Manufacturing.
Next, a treemap shows the different organisations by their respective industry.
We proceed to study the different tactics used with a circular bar plot:
As can be seen, by a clear margin the most recurrent tactic is Execution.
Next, a circular packing chart represents which techniques are most recurrent:
We can observe that the most used technique is T1072, which corresponds to Third-Party Software, with a count of 136. It therefore represents 27.9% of the incidents in the study.
This section studies the possible relationships between our variables. Note that techniques, tactics and ids are already related to one another for logical reasons and that, on the other hand, the relationship between organisations and industries is imposed, so it will not be reviewed either.
We can see that most incidents occur between April and September.
As seen earlier, we have two outliers with extremely high durations, so two plots were made: one with all durations and another with the outliers removed.
All incidents taken into account:
Only incidents with a duration under 20 days taken into account:
Next we study whether one type of attack is more predominant in some type of industry, at a significance level of 0.1.
We can observe that the most common technique, T1072, shows the lightest squares since, being the most used, it is the one that repeats most across industries.
As for other relationships, we can see, for example, that in the Information and Professional industries a recurring technique is T1078.
First of all, we extract all the techniques found in the incidents file and investigate which of them are found in ATT&CK and in CAR (a standard that refers to ATT&CK techniques).
#ids: the 28 techniques used during the attacks
ids <- as.character(unique(incidents$id))
#Techniques found in CAR
tecCar <- ids[which(ids %in% raw_car$carnet$edges$to)]
We see that it finds 5 techniques, among which is the second most common one among the attacks under study, technique T1078.
#Techniques found in ATT&CK
tecAttack <- ids[which(ids %in% raw_attck$techniques$mitreid)]
We observe that, of the 28 different techniques in the incidents file, 16 are found in ATT&CK as non-deprecated. This time the most common technique, T1072, does appear.
Next we study whether it is correct to continue this study with the 16 found in ATT&CK, disregarding the deprecated techniques. To do so, we study the relevance of the 12 techniques we do not detect in the attacks under study.
inc <- incidents
inc[] <- lapply(inc, as.character)
inc$id[inc$id %in% tecAttack]<-"TATT&CK"
We see that the study without the deprecated techniques covers 66.7% of the attacks, so it is considered correct to continue with these only. Note that, to improve accuracy, techniques T1086 and T1192 could also be studied, which would cover 92% of the incidents in the study.
In conclusion, this assignment will work with these two standards (ATT&CK and CAR) to draw conclusions about our attacks.
From the techniques we will be working with (the non-deprecated ones), we extract the information offered by the ATT&CK standard.
rowsInterFromAttack <- which(mitre.data$mitrenet$edges$from %in% tecAttack)
rowsInterToAttack <- which(mitre.data$mitrenet$edges$to %in% tecAttack)
dfFromAttack <- mitre.data$mitrenet$edges[rowsInterFromAttack,]
dfToAttack <- mitre.data$mitrenet$edges[rowsInterToAttack,]
#Parameters for the simplified case: only techniques T1072 and T1078
tecAttackSimpl <- as.data.frame(table(temp$id)[which(table(temp$id) > 70)])
tecAttackSimpl <- tecAttackSimpl$Var1
rowsInterFromAttackSimpli <- which(mitre.data$mitrenet$edges$from %in% tecAttackSimpl)
rowsInterToAttackSimpli <- which(mitre.data$mitrenet$edges$to %in% tecAttackSimpl)
dfFromAttackSimpli <- mitre.data$mitrenet$edges[rowsInterFromAttackSimpli,]
dfToAttackSimpli <- mitre.data$mitrenet$edges[rowsInterToAttackSimpli,]
On the other hand, we extract the information offered by CAR:
incidentsCar <- incidents[which(incidents$id %in% tecCar),]
incidentsCar <- dplyr::select(incidentsCar, id, technique, tactic, org, industry)
To see who carried out these attacks, we study the groups related to the non-deprecated techniques.
#We start with Groups
groupsAttack <- filter(dfToAttack, startsWith(as.character(dfToAttack$from), "G"))
groupsAttack <- as.data.frame(table(groupsAttack$from))
#Study of the groups with the most presence
groupsAttackDf <- groupsAttack[which(groupsAttack$Freq > 3),]
We observe that the leading group is G0096. All of these are the main groups behind the attacks, so a table with more information about them follows:
 | mitreid | name | description |
---|---|---|---|
10176 | G0050 | APT32 | APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus) |
10182 | G0096 | APT41 | APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.(Citation: FireEye APT41 Aug 2019) |
10190 | G0114 | Chimera | Chimera is a suspected China-based threat group, targeting the semiconductor industry in Taiwan since at least 2018.(Citation: Cycraft Chimera April 2020) |
10201 | G0074 | Dragonfly 2.0 | Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) |
10210 | G0061 | FIN8 | FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016) |
10222 | G0032 | Lazarus Group | Lazarus Group is a threat group that has been attributed to the North Korean government.(Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) In late 2017, Lazarus Group used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. (Citation: Lazarus KillDisk) North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group. |
10224 | G0065 | Leviathan | Leviathan is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018) |
10236 | G0049 | OilRig | OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. |
10240 | G0040 | Patchwork | Patchwork is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) |
10247 | G0034 | Sandworm Team | Sandworm Team is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. Sandworm Team’s most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017’s NotPetya attacks. Sandworm Team has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020) |
10250 | G0091 | Silence | Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank’s Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) |
10252 | G0093 | Soft Cell | Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.(Citation: Cybereason Soft Cell June 2019) |
10264 | G0027 | Threat Group-3390 | Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Securelist LuckyMouse June 2018) |
10267 | G0010 | Turla | Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018) |
10272 | G0102 | Wizard Spider | Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) |
10274 | G0045 | menuPass | menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017) (Citation: DOJ APT10 Dec 2018) |
Having seen the groups carrying out the attacks, we study their origin to see where these groups operate from.
#Origin of the groups, taken from the table/internet
groups_orig <- c("Russia", "China", "Northkorea", "Russia", "India", "China", "Iran","Vietnam", "Thailand", "China", "Russia", "Russia", "China", "China", "Russia", "China")
Var1 | Freq |
---|---|
China | 30 |
India | 4 |
Iran | 6 |
North Korea | 6 |
Russia | 20 |
Thailand | 4 |
Vietnam | 6 |
We can see that most attacks are carried out from China and Russia.
Having seen the groups that carried out the attacks, we now study which techniques each of them is related to. Note that some techniques have no associated groups, so in those cases we chose not to associate any group directly with those techniques. The reason for this decision is that the graphical representation of this association is already cumbersome enough; if we also added the sub-techniques, it would be impossible to observe any relationship at all.
As can be seen, the result is a chaotic graph. For that reason, on the one hand the node values can be adjusted to see the relationships better, and on the other we decided to repeat the graph taking into account only the two main techniques: T1072 and T1078.
From here on, any reference to the simplified case means that the study considers only T1072 and T1078.
Based on the techniques found in CAR, the following table shows the objectives and a brief description of each case.
id | techniques | objectives | description |
---|---|---|---|
CAR-2013-01-002 | T1053 | Registry | The Sysinternals tool Autoruns checks the registry and file system for known identify persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain Persistence. Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired. Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative. |
CAR-2013-02-008 | T1078 | Login | Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft’s Audit Logon Events page. |
CAR-2013-02-012 | T1078 | Login | Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of Lateral Movement. Certain users will likely appear as being logged into several machines and may need to be “whitelisted.” Such users would include network admins or user names that are common to many hosts. Output Description User Name, Machines logged into, the earliest and latest times in which users were logged into the host, the type of logon, and logon ID. |
CAR-2013-04-002 | T1053 | Process | Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing. Commands of interest: Output Description The host on which the commands were executed, the time of execution, and what commands were executed |
CAR-2013-05-002 | T1036 | Process | In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. There are known TTPs that have taken advantage of this fact to go undetected. This fact should inform defenders to monitor these directories more closely, knowing that they should never contain running processes. Monitors the directories |
CAR-2013-05-003 | T1078 | Network,Netflow,PCAP | As described in CAR-2013-01-003, SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host. SMB is commonly used to upload files. It may be used for staging in Exfiltration or as a Lateral Movement technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to find techniques that actively change remote hosts, instead of passively reading files. |
CAR-2013-05-004 | T1053 | Process | In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe (CAR-2013-08-001) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users. |
CAR-2013-05-005 | T1078 | Network Process File,PCAP | An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by CAR-2013-05-003). Then, a variety of Execution techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity. This can possibly extend to more copy protocols in order to widen its reach, or it could be tuned more finely to focus on specific program run locations (e.g. %SYSTEMROOT%\system32 ) to gain a higher detection rate. |
CAR-2013-05-009 | T1036 | Process | Executables are generally not renamed, thus a given hash of an executable should only have ever one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to avoid detection. Although this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention. Output Description A list of hashes and the different executables associated with each one |
CAR-2013-07-001 | T1105 | Process | Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters. Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include |
CAR-2013-08-001 | T1053 | Process | The Windows built-in tool schtasks.exe provides the creation, modification, and running of scheduled tasks on a local or remote computer. It is provided as a more flexible alternative to at.exe , described in CAR-2013-05-004. Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The /s flag specifies the remote system on which the task should be scheduled, usually indicating Lateral Movement. |
CAR-2013-10-001 | T1078 | Login,Netflow | Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere. Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Output Description The time of login events for distinct users on individual systems |
CAR-2014-11-007 | T1047 | API RPC,PCAP,Hostflow | As described in ATT&CK, an adversary can use Windows Management Instrumentation (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and anything that can be done with a WMI class. When remote WMI requests are over RPC (CAR-2014-05-001), it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. More about RPCSS at : rpcss_dcom_interfaces.html Output Description Identifies the connection in which WMI traffic is seen, as well as the process(es) responsible for owning the connection. |
CAR-2014-12-001 | T1047 | PCAP |
Adversaries can use Windows Management Instrumentation (WMI) to move laterally by launching executables remotely. For adversaries to achieve this, they must open a WMI connection to a remote host. This RPC activity is currently detected by CAR-2014-11-007. After the WMI connection has been initialized, a process can be remotely launched using the command: This leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the the remote machine. After RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified. When the command line is executed, it has the parent process of Certain strings can be identifiers of the WMI by looking up the interface UUID for IRemUnknown2 in different formats
This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. The transfer syntax is
Thus, a great ASCII based signature is
Output Description Identifies the process that initiated the RPC request (such as wmic.exe or powershell.exe), as well as the source and destination information of the network connection that triggered the alert. |
CAR-2015-04-001 | T1053 | File API,PCAP |
When AT.exe is used to remotely schedule tasks, Windows uses named pipes over SMB to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe “ATSVC” is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention C:\Windows\System32\AT\<job_id\> .
|
CAR-2015-04-002 | T1053 | Network API RPC,PCAP |
An adversary can move laterally using the Certain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats
|
CAR-2016-03-002 | T1047 | Process |
Adversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely.The analytic CAR-2014-12-001 describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility |
CAR-2020-09-001 | T1053 | File | In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:(legacy) or C:32. Accordingly, this analytic looks for the creation of task files in these two locations. |
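The CAR entries above describe their analytics only in prose. As an added example (not code from CAR or from this analysis), the following R code implements two of them with dplyr over constructed sample data: CAR-2013-05-009 (one hash observed under several executable names) and CAR-2013-10-001 (a per-user login timeline built from logon/logoff events 4624 and 4634). The event tables, host names, user names and hashes are constructed for the example, and the column names (`host`, `process_name`, `hash`, `ts`, `user`, `event_id`) are assumptions rather than any particular sensor's schema.

```r
library(dplyr)

# Constructed process-creation events (sample data, not real telemetry):
# one row per process start with the image name and the hash of the
# executable on disk. Column names are assumptions for this example.
proc_events <- tibble::tribble(
  ~host,   ~process_name, ~hash,
  "ws01",  "svchost.exe", "aaaa1111",
  "ws02",  "svchost.exe", "aaaa1111",
  "ws01",  "psexec.exe",  "bbbb2222",
  "ws03",  "update.exe",  "bbbb2222",  # same binary under a new name
  "srv01", "notepad.exe", "cccc3333"
)

# CAR-2013-05-009: a hash observed under more than one executable name.
# Legitimate binaries are rarely renamed, so each hash should normally
# map to a single name; the output lists the names and hosts per hash.
hashes_with_multiple_names <- function(events) {
  events %>%
    group_by(hash) %>%
    summarise(
      n_names = n_distinct(process_name),
      names   = paste(sort(unique(process_name)), collapse = ", "),
      hosts   = paste(sort(unique(host)), collapse = ", "),
      .groups = "drop"
    ) %>%
    filter(n_names > 1)
}

# Constructed Windows Security log rows (sample data, not real logs).
# On Vista and later, 4624 is a logon and 4634 a logoff.
logon_events <- tibble::tribble(
  ~ts,                   ~host,   ~user,   ~event_id,
  "2019-08-13 08:02:11", "ws01",  "alice", 4624L,
  "2019-08-13 08:40:53", "ws01",  "alice", 4634L,
  "2019-08-13 09:00:00", "ws02",  "bob",   4624L,
  "2019-08-13 23:17:05", "srv01", "alice", 4624L,
  "2019-08-14 00:05:30", "srv01", "alice", 4634L,
  "2019-08-13 10:12:44", "ws02",  "bob",   4688L   # unrelated event id, ignored
)

# CAR-2013-10-001: per-user login timeline built from logon/logoff
# events, ordered by user, host and time so sessions can be read off.
login_timeline <- function(events) {
  events %>%
    filter(event_id %in% c(4624L, 4634L)) %>%
    mutate(
      ts     = as.POSIXct(ts, tz = "UTC"),
      action = if_else(event_id == 4624L, "logon", "logoff")
    ) %>%
    arrange(user, host, ts) %>%
    select(user, host, ts, action)
}

hashes_with_multiple_names(proc_events)
login_timeline(logon_events)
```

On the constructed data the first function returns the single hash `bbbb2222` with the names `psexec.exe, update.exe` on hosts `ws01, ws03`, and the second returns alice's two sessions (one of them starting late at night on `srv01`) followed by bob's open logon. As the table notes for CAR-2013-07-001, software that legitimately copies or renames its own binaries will also match the hash analytic, so the result is a list to triage against a whitelist rather than an alert on its own.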
To study how these attacks were carried out, we will look at the tactics that were employed, the software used and the platforms from which they were launched.
To study the tactics used, we extract the information from ATT&CK.
# Extract the tactics
tactAttack <- as.data.frame(table(dfFromAttack$to))
rowsTactAttack <- mitre.data$standards$attck$tactics[which(mitre.data$standards$attck$tactics$mitreid %in% tactAttack$Var1),]
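The `%in%` filter above keeps only the tactic ids that ATT&CK knows and silently drops any it does not. As an added example (not part of the original analysis), the following R code performs the same lookup by tactic name on a constructed stand-in for `incidents` and for `mitre.data$standards$attck$tactics`, orders the result by kill-chain position, breaks it down by industry, and reports the tactic names that would otherwise disappear from the join. `incidents_ex`, `tactics_ex`, `tactic_summary`, `tactic_by_industry` and `unmatched_tactics` are names introduced here; the column names follow the tables shown on this page, and the rows are made-up sample data.

```r
library(dplyr)

# Constructed stand-in for the incidents data frame (same column names as
# the table at the top of the page; the rows are sample data).
incidents_ex <- tibble::tribble(
  ~id,     ~tactic,                ~technique,                         ~industry,
  "T1192", "Initial Access",       "Spearphishing Link",               "Construction",
  "T1053", "Persistence",          "Scheduled Task",                   "Construction",
  "T1053", "Privilege Escalation", "Scheduled Task",                   "Finance",
  "T1078", "Persistence",          "Valid Accounts",                   "Finance",
  "T1047", "Execution",            "Windows Management Instrumentation", "Healthcare",
  "T1036", "Defense Evasion",      "Masquerading",                     "Healthcare",
  "T0000", "Made Up Tactic",       "Placeholder Technique",            "Healthcare"  # deliberately unmatched
)

# Constructed stand-in for mitre.data$standards$attck$tactics, limited to
# the columns this example needs (ids and names as listed on the page).
tactics_ex <- tibble::tribble(
  ~mitreid, ~name,
  "TA0001", "Initial Access",
  "TA0002", "Execution",
  "TA0003", "Persistence",
  "TA0004", "Privilege Escalation",
  "TA0005", "Defense Evasion",
  "TA0006", "Credential Access",
  "TA0008", "Lateral Movement",
  "TA0009", "Collection",
  "TA0011", "Command and Control",
  "TA0040", "Impact"
)

# Count incidents per tactic, attach the ATT&CK tactic id by name and
# order the rows by their position in the enterprise kill chain.
tactic_summary <- function(incidents, tactics) {
  kill_chain <- c("Initial Access", "Execution", "Persistence",
                  "Privilege Escalation", "Defense Evasion",
                  "Credential Access", "Lateral Movement", "Collection",
                  "Command and Control", "Impact")
  incidents %>%
    count(tactic, name = "n_incidents") %>%
    inner_join(tactics, by = c("tactic" = "name")) %>%
    mutate(tactic = factor(tactic, levels = kill_chain)) %>%
    arrange(tactic) %>%
    select(mitreid, tactic, n_incidents)
}

# One row per industry, one column per tactic, zero where a tactic was
# not seen in that industry.
tactic_by_industry <- function(incidents) {
  incidents %>%
    count(industry, tactic) %>%
    tidyr::pivot_wider(names_from = tactic, values_from = n, values_fill = 0)
}

# Data-quality check: tactic names with no match in the ATT&CK table are
# dropped by inner_join (and by the `%in%` filter), so list them instead.
unmatched_tactics <- function(incidents, tactics) {
  incidents %>%
    distinct(tactic) %>%
    anti_join(tactics, by = c("tactic" = "name")) %>%
    pull(tactic)
}

tactic_summary(incidents_ex, tactics_ex)
tactic_by_industry(incidents_ex)
unmatched_tactics(incidents_ex, tactics_ex)
```

With the sample rows, `tactic_summary` lists Initial Access, Execution, Persistence (twice), Privilege Escalation and Defense Evasion in that order, and `unmatched_tactics` returns the deliberately mislabelled "Made Up Tactic"; a non-empty result there points at a spelling or versioning mismatch between the incident records and the ATT&CK release in `mitre.data`, which is worth resolving before counting.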
In the following table we can see what these tactics consist of:
 | mitreid | name | description |
---|---|---|---|
10713 | TA0009 | Collection | The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input. |
10714 | TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses. |
10715 | TA0006 | Credential Access | The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. |
10716 | TA0005 | Defense Evasion | The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. |
10718 | TA0002 | Execution | The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. |
10720 | TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. |
10721 | TA0001 | Initial Access | The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords. |
10722 | TA0008 | Lateral Movement | The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. |
10723 | TA0003 | Persistence | The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. |
10724 | TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: SYSTEM/root level; local administrator; user account with admin-like access; user accounts with access to specific system or perform specific function. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. |
Next, the relationship between the techniques and the tactics used will be represented.
Once again, we obtain the information from the ATT&CK standard.
In the following table we can see the software used in detail:
mitreid | name | description |
---|---|---|
S0182 | FinFisher | FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018) |
S0469 | ABK | ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019) |
S0045 | ADVSTORESHELL | ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2) |
S0331 | Agent Tesla | Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020) |
S0092 | Agent.btz | Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz) |
S0504 | Anchor | Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020) |
S0456 | Aria-body | Aria-body is a custom backdoor that has been used by Naikon.(Citation: CheckPoint Naikon May 2020) |
S0373 | Astaroth | Astaroth is a Trojan and information stealer known to affect companies in Europe and Brazil. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019) (Citation: Cofense Astaroth Sept 2018) |
S0438 | Attor | Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.(Citation: ESET Attor Oct 2019) |
S0347 | AuditCred | AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018) |
S0473 | Avenger | Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019) |
S0344 | Azorult | Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018) |
S0128 | BADNEWS | BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017) |
S0470 | BBK | BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019) |
S0017 | BISCUIT | BISCUIT is a backdoor that has been used by APT1 since as early as 2007. (Citation: Mandiant APT1) |
S0360 | BONDUPDATER | BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018) |
S0415 | BOOSTWRITE | BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.(Citation: FireEye FIN7 Oct 2019) |
S0414 | BabyShark | BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. (Citation: Unit42 BabyShark Feb 2019) |
S0475 | BackConfig | BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.(Citation: Unit 42 BackConfig May 2020) |
S0337 | BadPatch | BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017) |
S0239 | Bankshot | Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot) |
S0268 | Bisonal | Bisonal is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014. (Citation: Unit 42 Bisonal July 2018) |
S0089 | BlackEnergy | BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014) |
S0486 | Bonadan | Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018) |
S0204 | Briba | Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012) |
S0482 | Bundlore | Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019) |
S0462 | CARROTBAT | CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020) |
S0023 | CHOPSTICK | CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the X-Agent for Android. |
S0137 | CORESHELL | CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017) |
S0274 | Calisto | Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018) |
S0077 | CallMe | CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. (Citation: Scarlet Mimic Jan 2016) |
S0351 | Cannon | Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018) |
S0030 | Carbanak | Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017) |
S0484 | Carberp | Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp’s source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017) |
S0335 | Carbon | Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018) |
S0348 | Cardinal RAT | Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017) |
S0144 | ChChes | ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017) |
S0220 | Chaos | Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. (Citation: Chaos Stolen Backdoor) |
S0020 | China Chopper | China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) |
S0054 | CloudDuke | CloudDuke is malware that was used by APT29 in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015) |
S0369 | CoinTicker | CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019) |
S0126 | ComRAT | ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020) |
S0244 | Comnie | Comnie is a remote backdoor which has been used in attacks in East Asia. (Citation: Palo Alto Comnie) |
S0492 | CookieMiner | CookieMiner is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019) |
S0046 | CozyCar | CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes) |
S0115 | Crimson | Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
S0498 | Cryptoistic | Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.(Citation: SentinelOne Lazarus macOS July 2020) |
S0255 | DDKONG | DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017. (Citation: Rancor Unit42 June 2018) |
S0213 | DOGCALL | DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018) |
S0497 | Dacls | Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020) |
S0334 | DarkComet | DarkComet is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018) |
S0187 | Daserf | Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017) |
S0354 | Denis | Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.(Citation: Cybereason Oceanlotus May 2017) |
S0021 | Derusbi | Derusbi is malware used by multiple Chinese APT groups. (Citation: Novetta-Axiom) (Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed. (Citation: Fidelis Turbo) |
S0200 | Dipsind | Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. (Citation: Microsoft PLATINUM April 2016) |
S0134 | Downdelph | Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3) |
S0384 | Dridex | Dridex is a banking Trojan that has been used for financial gain. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017) |
S0502 | Drovorub | Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.(Citation: NSA/FBI Drovorub August 2020) |
S0038 | Duqu | Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu) |
S0062 | DustySky | DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019) |
S0024 | Dyre | Dyre is a banking Trojan that has been used for financial gain. (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015) |
S0377 | Ebury | Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017) |
S0081 | Elise | Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018) |
S0082 | Emissary | Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015) |
S0367 | Emotet | Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019) |
S0091 | Epic | Epic is a backdoor that has been used by Turla. (Citation: Kaspersky Turla) |
S0396 | EvilBunny | EvilBunny is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014) |
S0401 | Exaramel for Linux | Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.(Citation: ESET TeleBots Oct 2018) |
S0267 | FELIXROOT | FELIXROOT is a backdoor that has been used to target Ukrainian victims. (Citation: FireEye FELIXROOT July 2018) |
S0512 | FatDuke | FatDuke is a backdoor used by APT29 since at least 2016.(Citation: ESET Dukes October 2019) |
S0171 | Felismus | Felismus is a modular backdoor that has been used by Sowbug. (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017) |
S0182 | FinFisher | FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018) |
S0355 | Final1stspy | Final1stspy is a dropper family that has been used to deliver DOGCALL.(Citation: Unit 42 Nokki Oct 2018) |
S0381 | FlawedAmmyy | FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018) |
S0383 | FlawedGrace | FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019) |
S0277 | FruitFly | FruitFly is designed to spy on mac users (Citation: objsee mac malware 2017). |
S0410 | Fysbis | Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis) |
S0168 | Gazer | Gazer is a backdoor used by Turla since at least 2016. (Citation: ESET Gazer Aug 2017) |
S0249 | Gold Dragon | Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon) |
S0493 | GoldenSpy | GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the “Intelligent Tax” software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020) |
S0477 | Goopy | Goopy is a Windows backdoor and Trojan used by APT32 and shares several similarities to another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017) |
S0237 | GravityRAT | GravityRAT is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are “TheMartian” and “The Invincible.” According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organization and entities in India. (Citation: Talos GravityRAT) |
S0342 | GreyEnergy | GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018) |
S0132 | H1N1 | H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. (Citation: Cisco H1N1 Part 1) |
S0151 | HALFBAKED | HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017) |
S0214 | HAPPYWORK | HAPPYWORK is a downloader used by APT37 to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018) |
S0391 | HAWKBALL | HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019) |
S0232 | HOMEFRY | HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other Leviathan backdoors. (Citation: FireEye Periscope March 2018) |
S0376 | HOPLIGHT | HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019) |
S0070 | HTTPBrowser | HTTPBrowser is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem) |
S0499 | Hancitor | Hancitor is a downloader that has been used by Pony and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor) |
S0170 | Helminth | Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016) |
S0087 | Hi-Zor | Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor) |
S0394 | HiddenWasp | HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019) |
S0431 | HotCroissant | HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.(Citation: US-CERT HOTCROISSANT February 2020) HotCroissant shares numerous code similarities with Rifdoor.(Citation: Carbon Black HotCroissant April 2020) |
S0203 | Hydraq | Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17. (Citation: MicroFocus 9002 Aug 2016) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: FireEye Sunshop Campaign May 2013) (Citation: PaloAlto 3102 Sept 2015) |
S0398 | HyperBro | HyperBro is a custom in-memory backdoor used by Threat Group-3390.(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018) |
S0189 | ISMInjector | ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent. (Citation: OilRig New Delivery Oct 2017) |
S0483 | IcedID | IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020) |
S0259 | InnaputRAT | InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018) |
S0260 | InvisiMole | InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
S0015 | Ixeshe | Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013) |
S0044 | JHUHUGIT | JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017) |
S0201 | JPIN | JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. (Citation: Microsoft PLATINUM April 2016) |
S0215 | KARAE | KARAE is a backdoor typically used by APT37 as first-stage malware. (Citation: FireEye APT37 Feb 2018) |
S0271 | KEYMARBLE | KEYMARBLE is a Trojan that has reportedly been used by the North Korean government. (Citation: US-CERT KEYMARBLE Aug 2018) |
S0156 | KOMPROGO | KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management. (Citation: FireEye APT32 May 2017) |
S0356 | KONNI | KONNI is a Windows remote administration tool that has been seen in use since 2014 and evolved in its capabilities through at least 2017. KONNI has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) KONNI has significant code overlap with the NOKKI malware family. There is some evidence potentially linking KONNI to APT37.(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020) |
S0088 | Kasidet | Kasidet is a backdoor that has been dropped by using malicious VBA macros. (Citation: Zscaler Kasidet) |
S0265 | Kazuar | Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017) |
S0487 | Kessel | Kessel is a trojanized build of OpenSSH that acts as a custom backdoor, mainly to steal credentials and to function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018) |
S0387 | KeyBoy | KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017) |
S0437 | Kivars | Kivars is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by BlackTech in a 2010 campaign.(Citation: TrendMicro BlackTech June 2017) |
S0236 | Kwampirs | Kwampirs is a backdoor Trojan used by Orangeworm. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. (Citation: Symantec Orangeworm April 2018) |
S0042 | LOWBALL | LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338) |
S0395 | LightNeuron | LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.(Citation: ESET LightNeuron May 2019) |
S0211 | Linfo | Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012) |
S0362 | Linux Rabbit | Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018) |
S0447 | Lokibot | Lokibot is a malware designed to collect credentials and security tokens from an infected machine. Lokibot has also been used to establish backdoors in enterprise environments.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020) |
S0451 | LoudMiner | LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019) |
S0409 | Machete | Machete is a cyber espionage toolset developed by a Spanish-speaking group known as El Machete. It is a Python-based backdoor targeting Windows machines, and it was first observed in 2010.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014) |
S0167 | Matroyshka | Matroyshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015) |
S0449 | Maze | Maze ransomware, previously known as “ChaCha”, was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020) |
S0459 | MechaFlounder | MechaFlounder is a python-based remote access tool (RAT) that has been used by APT39. The payload uses a combination of actor developed code and code snippets freely available online in development communities.(Citation: Unit 42 MechaFlounder March 2019) |
S0455 | Metamorfo | Metamorfo is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly Brazilian users.(Citation: Medium Metamorfo Apr 2020) |
S0339 | Micropsia | Micropsia is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018) |
S0051 | MiniDuke | MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. (Citation: F-Secure The Dukes) |
S0084 | Mis-Type | Mis-Type is a backdoor hybrid that was used by Dust Storm in 2012. (Citation: Cylance Dust Storm) |
S0083 | Misdat | Misdat is a backdoor that was used by Dust Storm from 2010 to 2011. (Citation: Cylance Dust Storm) |
S0080 | Mivast | Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine) |
S0079 | MobileOrder | MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic. (Citation: Scarlet Mimic Jan 2016) |
S0284 | More_eggs | More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable “More_eggs” being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. (Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019) |
S0256 | Mosquito | Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. (Citation: ESET Turla Mosquito Jan 2018) |
S0272 | NDiskMonitor | NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. (Citation: TrendMicro Patchwork Dec 2017) |
S0034 | NETEAGLE | NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30) |
S0353 | NOKKI | NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018) |
S0228 | NanHaiShu | NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute. (Citation: Proofpoint Leviathan Oct 2017) (Citation: fsecure NanHaiShu July 2016) |
S0336 | NanoCore | NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018) |
S0247 | NavRAT | NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. (Citation: Talos NavRAT May 2018) |
S0210 | Nerex | Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012) |
S0457 | Netwalker | Netwalker is fileless ransomware written in PowerShell and executed directly in memory.(Citation: TrendMicro Netwalker May 2020) |
S0118 | Nidiran | Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016) |
S0368 | NotPetya | NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017) |
S0138 | OLDBAIT | OLDBAIT is a credential harvester used by APT28. (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017) |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D is a MacOS backdoor that has been used by APT32.(Citation: TrendMicro MacOS April 2018) |
S0340 | Octopus | Octopus is a Windows Trojan.(Citation: Securelist Octopus Oct 2018) |
S0439 | Okrum | Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.(Citation: ESET Okrum July 2019) |
S0365 | Olympic Destroyer | Olympic Destroyer is malware that was first seen infecting computer systems at the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware appears to be to cause destructive impact to the affected systems. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. The malware has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018) |
S0264 | OopsIE | OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018) |
S0229 | Orz | Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018) |
S0254 | PLAINTEE | PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. (Citation: Rancor Unit42 June 2018) |
S0435 | PLEAD | PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018) |
S0216 | POORAIM | POORAIM is a backdoor used by APT37 in campaigns since at least 2014. (Citation: FireEye APT37 Feb 2018) |
S0150 | POSHSPY | POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017) |
S0145 | POWERSOURCE | POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017) |
S0223 | POWERSTATS | POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. (Citation: Unit 42 MuddyWater Nov 2017) |
S0184 | POWRUNER | POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017) |
S0196 | PUNCHBUGGY | PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019) (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
S0197 | PUNCHTRACK | PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
S0208 | Pasam | Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012) |
S0517 | Pillowmint | Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020) |
S0501 | PipeMon | PipeMon is a multi-stage modular backdoor used by Winnti Group.(Citation: ESET PipeMon May 2020) |
S0124 | Pisloader | Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group. (Citation: Palo Alto DNS Requests) |
S0013 | PlugX | PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390) |
S0428 | PoetRAT | PoetRAT is a Python-based remote access trojan (RAT) used in multiple campaigns against the private and public sectors in Azerbaijan, specifically ICS and SCADA systems in the energy sector. PoetRAT derived its name from references in the code to poet William Shakespeare.(Citation: Talos PoetRAT April 2020) |
S0012 | PoisonIvy | PoisonIvy is a popular remote access tool (RAT) that has been used by many groups. (Citation: FireEye Poison Ivy) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Darkmoon Aug 2005) |
S0518 | PolyglotDuke | PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.(Citation: ESET Dukes October 2019) |
S0453 | Pony | Pony is credential-stealing malware, though it has also been used by adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to its use by various threat actors.(Citation: Malwarebytes Pony April 2016) |
S0139 | PowerDuke | PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. (Citation: Volexity PowerDuke November 2016) |
S0393 | PowerStallion | PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019) |
S0113 | Prikormka | Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait) |
S0078 | Psylo | Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM. (Citation: Scarlet Mimic Jan 2016) |
S0147 | Pteranodon | Pteranodon is a custom backdoor used by Gamaredon Group. (Citation: Palo Alto Gamaredon Feb 2017) |
S0269 | QUADAGENT | QUADAGENT is a PowerShell backdoor used by OilRig. (Citation: Unit 42 QUADAGENT July 2018) |
S0055 | RARSTONE | RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. (Citation: Aquino RARSTONE) |
S0241 | RATANKBA | RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA) |
S0495 | RDAT | RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020) |
S0496 | REvil | REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020) |
S0258 | RGDoor | RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor has been seen deployed on web servers belonging to Middle Eastern government organizations. RGDoor provides backdoor access to compromised IIS servers. (Citation: Unit 42 RGDoor Jan 2018) |
S0240 | ROKRAT | ROKRAT is a cloud-based remote access tool (RAT) used by APT37. This software has been used to target victims in South Korea. APT37 used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123) |
S0148 | RTM | RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
S0458 | Ramsay | Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, potentially from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.(Citation: Eset Ramsay May 2020) |
S0172 | Reaver | Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the “Five Poisons,” which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel Items. (Citation: Palo Alto Reaver Nov 2017) |
S0153 | RedLeaves | RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017) |
S0511 | RegDuke | RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019) |
S0375 | Remexi | Remexi is a Windows-based Trojan that was developed in the C programming language.(Citation: Securelist Remexi Jan 2019) |
S0166 | RemoteCMD | RemoteCMD is a custom tool used by APT3 to execute commands on a remote system, similar to the functionality of Sysinternals PsExec. (Citation: Symantec Buckeye) |
S0125 | Remsec | Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog) |
S0379 | Revenge RAT | Revenge RAT is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019) |
S0433 | Rifdoor | Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.(Citation: Carbon Black HotCroissant April 2020) |
S0448 | Rising Sun | Rising Sun is a modular backdoor malware used extensively in Operation Sharpshooter. The malware has been observed targeting nuclear, defense, energy, and financial services companies across the world. Rising Sun uses source code from Lazarus Group’s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018) |
S0270 | RogueRobin | RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019) |
S0085 | S-Type | S-Type is a backdoor that was used by Dust Storm from 2013 to 2014. (Citation: Cylance Dust Storm) |
S0461 | SDBot | SDBot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020) |
S0185 | SEASHARPEE | SEASHARPEE is a Web shell that has been used by APT34. (Citation: FireEye APT34 Webinar Dec 2017) |
S0450 | SHARPSTATS | SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019) |
S0063 | SHOTPUT | SHOTPUT is a custom backdoor used by APT3. (Citation: FireEye Clandestine Wolf) |
S0217 | SHUTTERSPEED | SHUTTERSPEED is a backdoor used by APT37. (Citation: FireEye APT37 Feb 2018) |
S0218 | SLOWDRIFT | SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea. (Citation: FireEye APT37 Feb 2018) |
S0390 | SQLRat | SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.(Citation: Flashpoint FIN 7 March 2019) |
S0074 | Sakula | Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula) |
S0370 | SamSam | SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018) |
S0053 | SeaDuke | SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. (Citation: F-Secure The Dukes) |
S0345 | Seasalt | Seasalt is malware that has been linked to APT1’s 2010 operations. It shares some code similarities with OceanSalt.(Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018) |
S0382 | ServHelper | ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019) |
S0140 | Shamoon | Shamoon is wiper malware that was first used by an Iranian group known as the “Cutting Sword of Justice” in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016) |
S0444 | ShimRat | ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name “ShimRat” comes from the malware’s extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang) |
S0468 | Skidmap | Skidmap is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap) |
S0226 | Smoke Loader | Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018) |
S0516 | SoreFang | SoreFang is a first-stage downloader used by APT29 for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016) |
S0374 | SpeakUp | SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. (Citation: CheckPoint SpeakUp Feb 2019) |
S0058 | SslMM | SslMM is a full-featured backdoor used by Naikon that has multiple variants. (Citation: Baumgartner Naikon 2015) |
S0380 | StoneDrill | StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017) |
S0142 | StreamEx | StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. (Citation: Cylance Shell Crew Feb 2017) |
S0491 | StrongPity | StrongPity is an information stealing malware used by PROMETHIUM.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020) |
S0242 | SynAck | SynAck is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelgänging May 2018) (Citation: Kaspersky Lab SynAck May 2018) |
S0164 | TDTESS | TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. (Citation: ClearSky Wilted Tulip July 2017) |
S0131 | TINYTYPHON | TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon) |
S0436 | TSCookie | TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019) TSCookie has been referred to as PLEAD, though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019) |
S0199 | TURNEDUP | TURNEDUP is a non-public backdoor. It has been dropped by APT33’s StoneDrill malware. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) |
S0263 | TYPEFRAME | TYPEFRAME is a remote access tool that has been used by Lazarus Group. (Citation: US-CERT TYPEFRAME June 2018) |
S0467 | TajMahal | TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.(Citation: Kaspersky TajMahal April 2019) |
S0266 | TrickBot | TrickBot is a Trojan spyware program that has mainly been used for targeting banking sites in the United States, Canada, the United Kingdom, Germany, Australia, Austria, Ireland, and Switzerland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is developed in the C++ programming language. (Citation: S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016) |
S0094 | Trojan.Karagany | Trojan.Karagany is a modular remote access tool used for reconnaissance and linked to Dragonfly and Dragonfly 2.0. The source code for Trojan.Karagany originated from the Dream Loader malware, which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY) |
S0333 | UBoatRAT | UBoatRAT is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017) |
S0275 | UPPERCUT | UPPERCUT is a backdoor that has been used by menuPass. (Citation: FireEye APT10 Sept 2018) |
S0136 | USBStealer | USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy) |
S0130 | Unknown Logger | Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon) |
S0386 | Ursnif | Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015) |
S0442 | VBShower | VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.(Citation: Kaspersky Cloud Atlas August 2019) |
S0257 | VERMIN | VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. (Citation: Unit 42 VERMIN Jan 2018) |
S0476 | Valak | Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020) |
S0207 | Vasport | Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012) |
S0180 | Volgmer | Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017) |
S0109 | WEBC2 | WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1) |
S0366 | WannaCry | WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017) |
S0515 | WellMail | WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020) |
S0514 | WellMess | WellMess is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020) |
S0206 | Wiarp | Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012) |
S0059 | WinMM | WinMM is a full-featured, simple backdoor used by Naikon. (Citation: Baumgartner Naikon 2015) |
S0466 | WindTail | WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019) |
S0430 | Winnti for Linux | Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.(Citation: Chronicle Winnti for Linux May 2019) |
S0041 | Wiper | Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper) |
S0117 | XTunnel | XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee. (Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2) |
S0341 | Xbash | Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018) |
S0388 | YAHOYAH | YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015) |
S0086 | ZLib | ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. (Citation: Cylance Dust Storm) |
S0251 | Zebrocy | Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, and VB.NET. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018) |
S0230 | ZeroT | ZeroT is a Trojan used by TA459, often in conjunction with PlugX. (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017) |
S0330 | Zeus Panda | Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017) |
S0412 | ZxShell | ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014 ) |
S0471 | build_downer | build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019) |
S0472 | down_new | down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019) |
S0032 | gh0st RAT | gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018) |
S0283 | jRAT | jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018) |
S0385 | njRAT | njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013) |
S0190 | BITSAdmin | BITSAdmin is a command line tool used to create and manage BITS Jobs. (Citation: Microsoft BITSAdmin) |
S0465 | CARROTBALL | CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.(Citation: Unit 42 CARROTBAT January 2020) |
S0154 | Cobalt Strike | Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual) In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual) |
S0488 | CrackMapExec | CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018) |
S0363 | Empire | Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire) |
S0434 | Imminent Monitor | Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019) |
S0357 | Impacket | Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools) |
S0231 | Invoke-PSImage | Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web. An example of usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. By calling the image file from a macro, for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage) |
S0250 | Koadic | Koadic is a Windows post-exploitation framework and penetration testing tool. Koadic is publicly available on GitHub and the tool is executed via the command-line. Koadic has several options for staging payloads and creating implants. Koadic performs most of its operations using Windows Script Host. (Citation: Github Koadic) (Citation: Palo Alto Sofacy 06-2018) |
S0500 | MCMD | MCMD is a remote access tool that provides remote command shell capability used by Dragonfly 2.0.(Citation: Secureworks MCMD July 2019) |
S0378 | PoshC2 | PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2) |
S0194 | PowerSploit | PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) |
S0192 | Pupy | Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) Pupy is publicly available on GitHub. (Citation: GitHub Pupy) |
S0262 | QuasarRAT | QuasarRAT is an open-source, remote access tool that is publicly available on GitHub. QuasarRAT is developed in the C# language. (Citation: GitHub QuasarRAT) (Citation: Volexity Patchwork June 2018) |
S0332 | Remcos | Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018) |
S0445 | ShimRatReporter | ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary’s targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang) |
S0160 | certutil | certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil) |
S0106 | cmd | cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd) Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., `dir` (Citation: TechNet Dir)), deleting files (e.g., `del` (Citation: TechNet Del)), and copying files (e.g., `copy` (Citation: TechNet Copy)). |
S0404 | esentutl | esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl) |
Next, the relationship between the techniques and the software used is shown.
To find out which platforms the attacks were carried out from, the CAR standard was used.
We can see that it is mainly Windows.
# Extract the ATT&CK mitigations (ids starting with "M") linked to the techniques under study
mitigationsAttack <- filter(dfToAttack, startsWith(as.character(from), "M"))
mitigationsAttackList <- mitigationsAttack$from
# Look up the full mitigation records and keep only the columns shown in the table
mitigationsAttack <- filter(mitre.data$standards$attck$mitigation, mitreid %in% mitigationsAttackList)
mitigationsAttack <- select(mitigationsAttack, mitreid, name, description)
The following table shows in detail which mitigations we find and what they consist of:
mitreid | name | description |
---|---|---|
M1013 | Application Developer Guidance | This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of. |
M1036 | Account Use Policies | Configure features related to account use like login attempt lockouts, specific login times, etc. |
M1015 | Active Directory Configuration | Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
M1049 | Antivirus/Antimalware | Use signatures or heuristics to detect malicious software. |
M1048 | Application Isolation and Sandboxing | Restrict execution of code to a virtual environment on or in transit to an endpoint system. |
M1047 | Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
M1045 | Code Signing | Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
M1041 | Encrypt Sensitive Information | Protect sensitive information with strong encryption. |
M1038 | Execution Prevention | Block execution of code on a system through application control, and/or script blocking. |
M1050 | Exploit Protection | Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. |
M1037 | Filter Network Traffic | Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
M1032 | Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. |
M1031 | Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
M1030 | Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
M1028 | Operating System Configuration | Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
M1027 | Password Policies | Set and enforce secure password policies for accounts. |
M1026 | Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
M1029 | Remote Data Storage | Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information. |
M1022 | Restrict File and Directory Permissions | Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
M1021 | Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. |
M1051 | Update Software | Perform regular software updates to mitigate exploitation risk. |
M1018 | User Account Management | Manage the creation, modification, use, and permissions associated to user accounts. |
M1017 | User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Let us look at the relationship between the techniques under study and their respective mitigations:
For this point we opted to use the Shield standard to counter the attacks.
Starting from the techniques used (TE), we look for the defensive techniques (DTE) that exist to counter the attack.
Once we have all the defensive techniques (DTE) related to the techniques used during the attacks, we proceed to extract the relationships of these DTEs with:
For each of these, both the global relationship (taking into account all the techniques under study) and the simplified relationship (recall that this is the case in which only the two most common techniques, T1072 and T1078, are considered) have been represented.
# Find Shield defensive techniques (DTE) related to the ATT&CK tactics
dteExtractFromTactAttack <- mitre.data$mitrenet$edges[mitre.data$mitrenet$edges$to %in% tactAttack$Var1, ]
dteExtractFromTactAttack <- filter(dteExtractFromTactAttack, startsWith(as.character(from), "DTE"))
# DTEs related to the techniques used in the incidents, with how often each one appears
dteAttack <- filter(dfToAttack, startsWith(as.character(from), "DTE"))
dteAttack <- as.data.frame(table(dteAttack$from))
# Full Shield records for those DTEs
rowsDTEShield <- mitre.data$standards$shield$techniques[mitre.data$standards$shield$techniques$id %in% dteAttack$Var1, ]
The following table details the defensive techniques found, with a brief description of how to act that is complemented by the tactics (DTA), opportunities (DOS), use cases (DUC) and procedures (DPR) covered in the following points.
id | name | description |
---|---|---|
DTE0001 | Admin Access | Modify a user’s administrative privileges. |
DTE0007 | Behavioral Analytics | Deploy tools that detect unusual system or user behavior. |
DTE0008 | Burn-In | Exercise a target system in a manner where it will generate desirable system artifacts. |
DTE0010 | Decoy Account | Create an account that is used for active defense purposes. |
DTE0011 | Decoy Content | Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc. |
DTE0012 | Decoy Credentials | Create user credentials that are used for active defense purposes. |
DTE0013 | Decoy Diversity | Deploy a set of decoy systems with different OS and software configurations. |
DTE0014 | Decoy Network | Create a target network with a set of target systems, for the purpose of active defense. |
DTE0017 | Decoy System | Configure a computing system to serve as an attack target or experimental environment. |
DTE0018 | Detonate Malware | Execute malware under controlled conditions to analyze its functionality. |
DTE0026 | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
DTE0028 | PCAP Collection | Collect full network traffic for future research and analysis. |
DTE0030 | Pocket Litter | Place data on a system to reinforce the legitimacy of the system or user. |
DTE0032 | Security Controls | Alter security controls to make the system more or less vulnerable to attack. |
DTE0034 | System Activity Monitoring | Collect system activity logs which can reveal adversary activity. |
Next we can see the relationship between the defensive techniques and the techniques used during the incidents:
# Extract the defensive tactics (DTA) linked to the DTEs found
extracShield2 <- mitre.data$standards$shield$shieldnet$edges[mitre.data$standards$shield$shieldnet$edges$to %in% rowsDTEShield$id, ]
extracShieldDTA <- filter(extracShield2, startsWith(as.character(from), "DTA"))
extracShieldDTAList <- extracShieldDTA$from
extracShieldDTA <- filter(mitre.data$standards$shield$tactics, id %in% extracShieldDTAList)
extracShieldDTA <- select(extracShieldDTA, id, name, description)
Once the defensive techniques have been found, we relate them to the defensive tactics for each case and classify them in the following table.
id | name | description |
---|---|---|
DTA0001 | Channel | Guide an adversary down a specific path or in a specific direction. |
DTA0002 | Collect | Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary’s activity. |
DTA0003 | Contain | Prevent an adversary from moving outside specific bounds or constraints. |
DTA0004 | Detect | Establish or maintain awareness into what an adversary is doing. |
DTA0005 | Disrupt | Prevent an adversary from conducting part or all of their mission. |
DTA0006 | Facilitate | Enable an adversary to conduct part or all of their mission. |
DTA0007 | Legitimize | Add authenticity to deceptive components to convince an adversary that something is real. |
DTA0008 | Test | Determine the interests, capabilities, or behaviors of an adversary. |
We now look at the relationship between the DTEs found and the tactics to follow (DTAs):
## DOS: defensive opportunities linked to the DTEs found
extracShieldDOS <- filter(extracShield, startsWith(as.character(to), "DOS"))
extracShieldDOSList <- extracShieldDOS$to
extracShieldDOS <- filter(mitre.data$standards$shield$opportunities, id %in% extracShieldDOSList)
From the DTEs found we can obtain the defensive opportunities for each case; the following table lists them with a brief description of each opportunity.
id | description |
---|---|
DOS0001 | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. |
DOS0002 | There is an opportunity to discover who or what is being targeted by an adversary. |
DOS0003 | There is an opportunity to use a compromised drive-by site to start long term engagement with the adversary and observe the adversary’s post-exploit TTPs. |
DOS0004 | There is an opportunity to introduce user accounts that are used to make a system look more realistic. |
DOS0005 | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. |
DOS0006 | There is an opportunity to prepare user accounts so they look used and authentic. |
DOS0008 | There is an opportunity to present several public-facing application options to see what application(s) the adversary targets. |
DOS0009 | There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them to access your network via remote services. |
DOS0016 | There is an opportunity to use security controls to stop or allow an adversary’s activity. |
DOS0020 | Hardware and/or software additions can be tested and verified in controlled environments prior to deployment. |
DOS0021 | When authorized behavior is defined and limited for trusted partners, adversaries exploiting trust relationships are easier to detect. |
DOS0024 | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. |
DOS0027 | There is an opportunity to create a detection with a moderately high probability of success. |
DOS0028 | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. |
DOS0029 | There is an opportunity to block an adversary’s intended action and force them to reveal additional TTPs. |
DOS0074 | There is an opportunity to influence an adversary to move toward systems you want them to engage with. |
DOS0076 | In an adversary engagement situation, there is an opportunity to add legitimacy by ensuring decoy systems are fully populated with information an adversary would expect to see during this recon process. |
DOS0082 | There is an opportunity to introduce data to an adversary to influence their future behaviors. |
DOS0084 | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. |
DOS0087 | In an adversary engagement scenario, there is an opportunity to test whether an adversary has the capability to steal or forge Kerberos tickets. |
DOS0093 | There is an opportunity to seed systems with decoy cookies that will lead adversaries to decoy targets. |
DOS0098 | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary’s behaviors, test their interest in specific topics, or add legitimacy to a system or environment. |
DOS0099 | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. |
DOS0112 | In an adversary engagement scenario, there is an opportunity to prepare a user’s browser data (sessions, cookies, etc.) so it looks authentic and fully populated. |
DOS0116 | There is an opportunity to detect adversary activity that uses obfuscated communication. |
DOS0123 | There is an opportunity to detect an adversary who modifies website content (internally or externally) by monitoring for unauthorized changes to websites. |
DOS0130 | There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service. |
DOS0131 | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. |
DOS0133 | In an adversary engagement scenario, there is an opportunity to observe how an adversary might manipulate data on a system. |
DOS0137 | There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs. |
DOS0140 | There is an opportunity to use security controls on systems in order to affect the success of an adversary. |
DOS0141 | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. |
DOS0146 | In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. |
DOS0147 | In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives. |
DOS0148 | In an adversary engagement scenario, there is an opportunity to implement security controls to allow an adversary to accomplish a task and extend an engagement. |
DOS0159 | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary’s activity. |
DOS0164 | There is an opportunity to block an adversary that is seeking to use a proxied connection. |
DOS0165 | In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is fully populated with content. |
DOS0169 | There is an opportunity to deploy virtual decoy systems and see if an adversary discovers or reacts to the virtualization. |
DOS0170 | There is an opportunity to collect network data and analyze the adversary activity it contains. |
DOS0174 | There is an opportunity to disrupt or enable an adversary’s exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. |
DOS0187 | In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process. |
DOS0188 | There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in. |
DOS0190 | In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity. |
DOS0191 | There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use. |
DOS0199 | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary’s behavior or allow you to observe how they perform a specific task. |
DOS0210 | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. |
DOS0231 | There is an opportunity to extend an adversary’s engagement period by creating a decoy network that systems can discover when performing trust discovery. |
DOS0234 | There is an opportunity to seed decoy content to make non-virtual systems look like virtual systems to see how an adversary reacts. |
DOS0246 | An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure. |
DOS0251 | There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. |
DOS0253 | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary’s future actions. |
Below we can see the relationship between each defensive opportunity and its defensive technique.
##DPR
extracShieldDPR <- filter(extracShield, startsWith(as.character(extracShield$to), "DPR"))
extracShieldDPRList <- extracShieldDPR$to
extracShieldDPR <- filter(mitre.data$standards$shield$procedures, mitre.data$standards$shield$procedures$id %in% extracShieldDPRList)
The procedures to follow for each DTE found have been grouped in the following table:
id | description |
---|---|
DPR0001 | Remove an account’s administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks. |
DPR0002 | Grant an account administrative access to a system or service to enable an adversary to take advantage of those privileges if they compromise the system or service. |
DPR0013 | Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file. |
DPR0014 | Use behavioral analytics to identify a system running development tools, but is not used by someone who does development. |
DPR0015 | Use behavioral analytics to identify abnormal system processes being used to launch a different process. |
DPR0016 | Configure a decoy system and allow it to be used in a manner such that it collects activity logs and appears to be a legitimate system. |
DPR0017 | Configure a system to generate internet browser traffic for a decoy user profile, creating artifacts such as cookies, history, temp files, etc. |
DPR0020 | Create a user account with a specified job function. Populate the user account’s groups, description, logon hours, etc., with decoy data that looks normal in the environment. |
DPR0021 | Create a user that has a valid email account. Use this account in such a way that the email address could be harvested by the adversary. This can be monitored to see if it is used in future attacks. |
DPR0022 | Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data. |
DPR0023 | Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary. |
DPR0024 | Create user credentials for a decoy account, such as ‘User ABC’. Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them. |
DPR0025 | Use a Windows Virtual Machine (VM) and a Mac VM to visit a malicious website and note any differences in how the site functions based on the client that was used. |
DPR0026 | Deploy multiple decoy systems, each with a unique network fingerprint (ports, services, connections, etc.) in order to provide an adversary a wide range of targets. |
DPR0027 | Create an isolated network populated with decoy systems that can be used to study an adversary’s tactics, techniques, and procedures (TTPs). |
DPR0028 | Use a segregated network to visit a compromised site. If the machine becomes infected, allow the machine to remain on with internet access to see if an adversary engages and takes action on the system. |
DPR0032 | Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system. |
DPR0033 | Set up a server which appears to be something that is commonly expected within a network, such as a web server. |
DPR0034 | Take malware received via spearphishing and detonate it on an isolated system in order to collect execution and network communication artifacts. |
DPR0035 | Detonate a malware sample in a decoy network to engage with an adversary and study their TTPs. |
DPR0045 | Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope. |
DPR0046 | Introduce intermittent network packet loss on a decoy network to interfere with an adversary’s activities. |
DPR0049 | Collect PCAP on a decoy network to improve visibility into an adversary’s network activity. |
DPR0052 | When staging a decoy system and user account, populate a user’s folders and web history to make it look realistic to an adversary. |
DPR0053 | Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary. |
DPR0055 | Weaken security controls on a system to allow for leaking of credentials via network connection poisoning. |
DPR0056 | Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials. |
DPR0059 | Ensure that systems capture and retain common system level activity artifacts that might be produced. |
DPR0060 | Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc. |
We now visualize the different procedures to follow for each DTE found:
#Extract DUC
extracShieldDUC <- filter(extracShield, startsWith(as.character(extracShield$to), "DUC"))
extracShieldDUCList <- extracShieldDUC$to
extracShieldDUC <- filter(mitre.data$standards$shield$usecases, mitre.data$standards$shield$usecases$id %in% extracShieldDUCList)
From the DTEs found we have generated this table, which groups all the use cases for each of them.
id | description |
---|---|
DUC0001 | A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.). |
DUC0002 | A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, and etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it. |
DUC0003 | A defender seeking to learn about post compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise. |
DUC0004 | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
DUC0005 | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
DUC0006 | A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate. |
DUC0007 | A defender can use a decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs. |
DUC0008 | A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit. |
DUC0009 | A defender can set up a decoy VPN server and see if an adversary attempts to use a valid account to authenticate to it. |
DUC0011 | A defender can monitor systems for the use of removable media. |
DUC0012 | A defender can disable Autorun to prevent malware from automatically executing when removable media is plugged into a system. |
DUC0020 | A defender can install any suspect hardware or software on an isolated system or network and monitor for non-standard behaviors. |
DUC0021 | Defenders can monitor trusted partner access, detecting unauthorized activity. |
DUC0025 | A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools. |
DUC0026 | A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware. |
DUC0027 | A defender can capture system activity logs and generate alerts if the adversary creates new scheduled tasks or alters existing tasks. |
DUC0033 | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
DUC0034 | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
DUC0037 | A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes. |
DUC0039 | A defender can use process monitoring to look for command execution and command line parameters commonly used to inhibit system recovery. |
DUC0040 | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
DUC0042 | A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution. |
DUC0043 | A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc. |
DUC0044 | A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation. |
DUC0045 | A defender can enforce strong authentication requirements such as password changes, two factor authentication, etc. to impact or disrupt an adversary’s activity. |
DUC0048 | A defender can block execution of untrusted software. |
DUC0049 | A defender can choose to harden or weaken security controls on a system to affect an adversary’s ability to modify or create system processes. |
DUC0052 | A defender can collect system process information and look for abnormal activity tied to Office processes. |
DUC0055 | A defender can configure system users to not have admin access in order to ensure privilege escalation requires exploitation. |
DUC0060 | A defender can monitor for signs that security tools and other controls are being tampered with by an adversary. |
DUC0063 | A defender could monitor for known commands used to hide artifacts on a system and for activity associated with those hidden artifacts. |
DUC0065 | A defender could monitor for directory service changes using Windows event logs. This can alert to the presence of an adversary in the network. |
DUC0066 | In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack. |
DUC0070 | A defender can monitor processes and command-line arguments which could be used by an adversary to change or delete information in the Windows registry. |
DUC0072 | A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques. |
DUC0073 | A defender can create decoy registry objects and monitor access to them using Windows Registry Auditing. |
DUC0074 | A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services. |
DUC0076 | A defender can create entries in a decoy system’s ARP cache, hosts file, etc. to add to the legitimacy of the device. |
DUC0078 | A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
DUC0082 | A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter. |
DUC0084 | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
DUC0088 | A defender can secure Kerberos in order to prevent an adversary from leveraging the tickets to authenticate or move laterally. This may result in the adversary exposing additional TTPs. |
DUC0092 | A defender can harden authentication mechanisms to ensure having just a session cookie is not enough to authenticate with another system. |
DUC0093 | A defender can authenticate to a collection of decoy sites (as a decoy user) to give the adversary a set of session cookies to harvest and potentially use during adversary engagement. |
DUC0094 | In an adversary engagement operation, a defender can intentionally increase the time window that a token is valid to see if the adversary is able to acquire and leverage the token. |
DUC0097 | A defender can deploy a decoy software deployment tool within an adversary engagement environment to see how the adversary attempts to use the device during their activity. |
DUC0098 | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
DUC0099 | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
DUC0102 | A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems. |
DUC0103 | A defender can insert into a system’s clipboard decoy content for the adversary to find. |
DUC0104 | A defender can stage a variety of pocket litter files to see if the adversary collects any of those files in an automated manner. |
DUC0105 | A defender can introduce decoy audio content designed to make the adversary believe that their audio capture efforts are working. |
DUC0111 | A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network. |
DUC0112 | A defender can perform web browsing tasks on a decoy system over time to give the adversary a robust set of browser data that looks realistic and could potentially be used during adversary engagement. |
DUC0113 | A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement. |
DUC0114 | A defender can introduce video content designed to make the adversary believe that their capture efforts are working. |
DUC0116 | A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation. |
DUC0120 | A defender can use process monitoring to look for the execution of utilities commonly used for data destruction, such as SDelete. |
DUC0121 | A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption. |
DUC0123 | A defender can monitor websites for unplanned content changes and generate alerts when activity is detected. |
DUC0126 | A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation. |
DUC0127 | A defender can configure systems to block any system with a number of authentication failures in a certain window of time. |
DUC0128 | A defender can collect system activity and detect commands that interact with firmware. This can speed up the recovery of a system. |
DUC0129 | By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels. |
DUC0130 | By looking for anomalies in system service states and alerting on suspect situations, the defender can detect potential malicious activity and triage the system to re-enable the services that have been stopped. |
DUC0131 | The defender can use behavioral analytics to detect an XSL process doing something abnormal. |
DUC0133 | A defender can deploy decoy content to see if an adversary attempts to manipulate data on the system or connected storage devices. |
DUC0134 | A defender can deploy a decoy system to see if an adversary attempts to shutdown or reboot the device. |
DUC0136 | A defender could develop behavioral analytics to detect the examination of commonly used guardrails such as inspection of VM artifacts, enumeration of connected storage and/or devices, domain information, etc. |
DUC0137 | A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI. |
DUC0138 | A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI. |
DUC0140 | A defender could use a host-based tool to detect common persistence mechanisms and prevent the process from executing successfully. |
DUC0141 | By collecting system logs, a defender can implement detections that identify abnormal BITS usage. |
DUC0142 | A defender could use a host-based tool in order to have an effect on the success of an adversary abusing elevation control mechanisms. |
DUC0143 | A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised. |
DUC0144 | A defender could implement security controls to have an effect on process injection techniques such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events. |
DUC0146 | A defender could implement security controls to force an adversary to modify the authentication process if they want to collect or utilize credentials on a system. |
DUC0149 | A defender could implement behavioral analytics that detect common access token manipulation techniques and allow or deny these actions. |
DUC0151 | A defender can use adversary attempts at forced authentication exploits to seed adversary servers with decoy credentials. |
DUC0152 | A defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Alternatively, a defender could redirect outbound SMB requests to a decoy system to thwart attempted credential theft. |
DUC0153 | A defender can identify and block specific adversary Command and Control (C2) traffic to see how an adversary responds, possibly exposing additional C2 information. |
DUC0158 | A defender can block certain adversary-used protocols between systems in order to prevent lateral tool transfer. |
DUC0161 | A defender could implement a protocol aware IPS to limit systems communicating to unknown locations on the internet. |
DUC0164 | A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists. |
DUC0165 | A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system. |
DUC0166 | A defender could monitor for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections. |
DUC0168 | A defender can monitor user interactions with images and containers to identify ones that are added or altered anomalously. |
DUC0169 | A defender can deploy a virtual decoy system to see if the adversary recognizes the virtualization and reacts. |
DUC0170 | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
DUC0174 | A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols. |
DUC0175 | A defender can restrict network traffic making adversary exfiltration slow or unreliable. |
DUC0179 | A defender can prevent an adversary from enabling Wi-Fi or Bluetooth interfaces which could be connected to surrounding access points or devices and used for exfiltration. |
DUC0184 | A defender can utilize decoy files and directories to provide content that could be used by the adversary. |
DUC0187 | During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity. |
DUC0188 | A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc. |
DUC0190 | A defender can utilize decoy network shares to provide content that could be used by the adversary. |
DUC0191 | A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc. |
DUC0196 | A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit. |
DUC0197 | In an adversary engagement scenario, a defender could ensure security controls allow untrusted code to execute on a system. |
DUC0199 | A defender could implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if the adversary attempts to login to the service. |
DUC0200 | A defender could implement a decoy system to study how and when an adversary obfuscates files and hides information. |
DUC0207 | A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery. |
DUC0208 | A defender could seed decoy network shares within an adversary engagement network to see if an adversary uses them for payload delivery or lateral movement. |
DUC0210 | A defender can use decoy content to give the false impression about the nature of the system in order to entice an adversary to continue engagement. |
DUC0212 | A defender can detect the use of non-standard protocols. By implementing behavior analytics specific to a rise in protocol traffic to a system or set of systems, one might be able to detect malicious communications from an adversary. |
DUC0213 | A defender can detect the use of external web services for communication relay. By implementing behavior analytics anomalies in what domains a system is communicating with, how frequently, and at what times, a defender can potentially identify malicious traffic. |
DUC0217 | A defender can implement behavior analytics which would indicate activity on a system executing commands in non-standard ways. This could indicate malicious activity. |
DUC0218 | A defender can implement behavioral analytics which would indicate activity on or against a domain controller. Activity which is out of sync with scheduled domain tasks, or results in an uptick in traffic with a particular system on the network could indicate malicious activity. |
DUC0220 | A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections. |
DUC0221 | A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity. |
DUC0223 | A defender can install remote access tools on decoy systems across the network to see if the adversary uses these tools for command and control. |
DUC0225 | A defender can have decoy systems that are easy to gain access to and have Office installed. The decoy system can be monitored to see if an adversary attempts to inject anything malicious into Office templates. |
DUC0226 | A defender can seed content with files interesting to an adversary, but lock the permissions down. The goal would be to force the adversary to expose their TTPs for circumventing the restrictions. |
DUC0231 | A defender can create a decoy network that contains systems which are easily discoverable and appealing to an adversary. |
DUC0232 | A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system. |
DUC0234 | A defender can plant files, registry entries, software, processes, etc. to make a system look like a VM when it is not. |
DUC0237 | A defender can detect adversaries leveraging unused cloud regions. By implementing behavioral analytics for cloud hosts interacting with the network from regions that are not normal, one can detect potential malicious activity. |
DUC0238 | A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system. |
DUC0239 | Defenders can detect adversaries attempting to exfiltrate to a cloud account. This can detect a system connecting to these cloud providers that it might not normally connect to, not using an account that it normally does, or during a time when it normally doesn’t do so. |
DUC0240 | Defenders can detect adversaries attempting to open a port by analyzing incoming network connections. By looking for anomalies in what network traffic comes in, as well as patterns that might indicate intentional sequences, one can potentially identify malicious traffic. One can also look at anomalies in services suddenly listening on ports that were not being used before. |
DUC0241 | Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent. |
DUC0243 | A defender can look for anomalies in accounts being active with other services/systems during hours they are normally not active. This can indicate malicious activity. |
DUC0244 | Defenders can detect adversaries attempting to exfiltrate over web services by implementing behavioral analytics. This can detect a system connecting to these web services that it might not normally connect to, or during a time when it normally doesn’t do so. |
DUC0246 | A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure. |
DUC0251 | A defender can use a decoy network and seed it with cloud services to see how an adversary might exploit those resources. |
DUC0255 | A defender can deploy a diverse set of decoy systems to impact an adversary’s level of effort during recon activity. |
DUC0257 | A defender can seed decoy content into network service configuration files which may be consumed during an adversary’s recon activity. |
DUC0258 | A defender can expose decoy information about their organization to try and influence an adversary’s future activity. |
DUC0260 | A defender can insert decoy content into external sources or resources that adversaries may leverage for intelligence gathering. |
DUC0261 | A defender can deploy a decoy website to support a deception operation or piece of the organization’s deception strategy. |
Below we can see the relationship between the DTEs and their respective use cases (DUCs):
Thanks to the analytics found in CAR, we have implementations for acting against some of the attacks under study.
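As an added example, not code from this report or from CAR, the following Python implements two of the analytics listed in the table below, CAR-2013-02-008 (several users logging in to one host within an hour) and CAR-2013-04-002 (a quick series of discovery/admin commands under one parent process), over constructed login and process-creation events; the field names, thresholds read from the pseudocode and sample values are assumptions.

```python
"""Runnable versions of two CAR analytics (added example, not the report's code).

Event records are constructed in-line and mimic the fields the CAR pseudocode
assumes for UserSession:Login and Process:Create objects.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# CAR-2013-04-002: executables whose rapid succession suggests an adversary
# enumerating a host by hand or script (copied from the analytic's filter).
SUSPICIOUS_EXES = {
    "arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe",
    "hostname.exe", "ipconfig.exe", "mimikatz.exe", "nbstat.exe", "net.exe",
    "netsh.exe", "nslookup.exe", "ping.exe", "quser.exe", "qwinsta.exe",
    "reg.exe", "runas.exe", "sc.exe", "schtasks.exe", "ssh.exe",
    "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe",
    "wscript.exe", "xcopy.exe",
}


def simultaneous_logins(logins, window=timedelta(hours=1)):
    """CAR-2013-02-008: hosts where more than one user logged in within `window`.

    Each login is a dict with 'hostname', 'user' and 'time' (datetime).
    Returns {hostname: (earliest, latest, user_count)} for flagged hosts.
    Like the pseudocode, earliest/latest span the whole search window per
    host. The pseudocode counts login rows; distinct users are counted here
    (an assumption) so one user re-authenticating does not trigger it.
    """
    by_host = defaultdict(list)
    for ev in logins:
        by_host[ev["hostname"]].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        times = [e["time"] for e in evs]
        earliest, latest = min(times), max(times)
        user_count = len({e["user"] for e in evs})
        if latest - earliest <= window and user_count > 1:
            flagged[host] = (earliest, latest, user_count)
    return flagged


def suspicious_command_bursts(processes, window=timedelta(minutes=30)):
    """CAR-2013-04-002: series of discovery/admin tools launched by one parent.

    Each process is a dict with 'hostname', 'ppid', 'exe' and 'time'.
    Matching launches are grouped by (hostname, ppid) and split into runs in
    which consecutive launches are at most `window` apart; runs of at least
    two launches are returned as [(hostname, ppid, [exe, ...]), ...].
    The ">= 2" threshold is this example's reading of the grouping step.
    """
    groups = defaultdict(list)
    for ev in processes:
        if ev["exe"].lower() in SUSPICIOUS_EXES:
            groups[(ev["hostname"], ev["ppid"])].append(ev)
    bursts = []
    for (host, ppid), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur["time"] - prev["time"] <= window:
                run.append(cur)
            else:
                if len(run) >= 2:
                    bursts.append((host, ppid, [e["exe"] for e in run]))
                run = [cur]
        if len(run) >= 2:
            bursts.append((host, ppid, [e["exe"] for e in run]))
    return bursts


def at_time(hhmm):
    """Helper: build a datetime on a fixed (constructed) day."""
    return datetime.strptime(f"2019-08-13 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample telemetry, not taken from the report's dataset.
SAMPLE_LOGINS = [
    {"hostname": "ws01", "user": "alice", "time": at_time("09:00")},
    {"hostname": "ws01", "user": "svc-backup", "time": at_time("09:20")},
    {"hostname": "ws02", "user": "bob", "time": at_time("08:00")},
    {"hostname": "ws02", "user": "bob", "time": at_time("08:30")},    # same user twice
    {"hostname": "ws03", "user": "carol", "time": at_time("07:00")},
    {"hostname": "ws03", "user": "dave", "time": at_time("10:00")},   # 3 h apart
]

SAMPLE_PROCESSES = [
    {"hostname": "ws01", "ppid": 4242, "exe": "whoami.exe", "time": at_time("09:21")},
    {"hostname": "ws01", "ppid": 4242, "exe": "ipconfig.exe", "time": at_time("09:22")},
    {"hostname": "ws01", "ppid": 4242, "exe": "net.exe", "time": at_time("09:25")},
    {"hostname": "ws01", "ppid": 4242, "exe": "quser.exe", "time": at_time("09:40")},
    {"hostname": "ws02", "ppid": 1000, "exe": "ping.exe", "time": at_time("08:05")},
    {"hostname": "ws02", "ppid": 1000, "exe": "ping.exe", "time": at_time("11:05")},  # gap > 30 min
]

if __name__ == "__main__":
    print(simultaneous_logins(SAMPLE_LOGINS))        # only ws01 is flagged
    print(suspicious_command_bursts(SAMPLE_PROCESSES))  # one burst on ws01
```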
id | techniques | type | name | dataModel | description | code |
---|---|---|---|---|---|---|
CAR-2013-02-008 | T1078 | pseudocode | /- | /- | users_list = search UserSession:Login users_grouped = group users_list by hostname users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1) output multiple_logins | |
CAR-2013-04-002 | T1053 | pseudocode | /- | /- | processes = search Process:Create reg_processes = filter processes where (exe == “arp.exe” or exe == “at.exe” or exe == “attrib.exe” or exe == “cscript.exe” or exe == “dsquery.exe” or exe == “hostname.exe” or exe == “ipconfig.exe” or exe == “mimikatz.exe” or exe == “nbstat.exe” or exe == “net.exe” or exe == “netsh.exe” or exe == “nslookup.exe” or exe == “ping.exe” or exe == “quser.exe” or exe == “qwinsta.exe” or exe == “reg.exe” or exe == “runas.exe” or exe == “sc.exe” or exe == “schtasks.exe” or exe == “ssh.exe” or exe == “systeminfo.exe” or exe == “taskkill.exe” or exe == “telnet.exe” or exe == “tracert.exe” or exe == “wscript.exe” or exe == “xcopy.exe”) reg_grouped = group reg by hostname, ppid where(max time between two events is 30 minutes) output reg_grouped | |
CAR-2013-04-002 | T1053 | Sigma | /- | Sigma version of the above pseudocode, with some modifications. | /- | |
CAR-2013-04-002 | T1053 | DNIF | /- | Sysmon native | DNIF version of the above pseudocode. | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=regex(arp.exe|at.exe|attrib.exe|cscript.exe|dsquery.exe|hostname.exe|ipconfig.exe|mimikatz.exe|nbstat.exe|net.exe|netsh.exe|nslookup.exe|ping.exe|quser.exe|qwinsta.exe|reg.exe|runas.exe|sc.exe|schtasks.exe|ssh.exe|systeminfo.exe|taskkill.exe|telnet.exe|tracert.exe|wscript.exe|xcopy.exe)i group count_unique $App limit 100 >>_agg count >>_checkif int_compare Count > 1 include |
CAR-2013-05-002 | T1036 | pseudocode | /- | The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints. | processes = search Process:Create suspicious_locations = filter process where ( image_path == “:*" or image_path == ":*” or image_path == “%windir%*” or image_path == “%systemroot%*” ) output suspicious_locations | |
CAR-2013-05-002 | T1036 | DNIF | /- | Sysmon native | DNIF version of the above pseudocode. | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.(:\recycler\|:\systemvolumeinformation\|%windir%\tasks\|%systemroot%\debug\).)i group count_unique $App limit 100 |
CAR-2013-05-002 | T1036 | Sigma | /- | Sigma version of the above pseudocode, with some modifications. | /- | |
CAR-2013-05-003 | T1078 | pseudocode | /- | /- | flow = search Flow:Message smb_write = filter flow where (dest_port == “445” and protocol == “smb.write”) smb_write.file_name = smb_write.proto_info.file_name output smb_write | |
CAR-2013-05-004 | T1053 | pseudocode | /- | Instances of the process at.exe running imply the querying or creation of tasks. Although the command_line is not essential for the analytic to run, it is critical when identifying the command that was scheduled. | process = search Process:Create at = filter process where (exe == "at.exe") output at | |
CAR-2013-05-004 | T1053 | Splunk | /- | Sysmon native | Splunk version of the above pseudocode. | index=your_sysmon_index Image="C:\Windows\*\at.exe"|stats values(CommandLine) as "Command Lines" by ComputerName |
CAR-2013-05-004 | T1053 | EQL | /- | EQL native | EQL version of the above pseudocode. | process where subtype.create and process_name == “at.exe” |
CAR-2013-05-004 | T1053 | DNIF | /- | Sysmon native | DNIF version of the above pseudocode. | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=at.exe limit 100 |
CAR-2013-05-005 | T1078 | pseudocode | /- | /- | process = search Process:Create smb_write = run Analytic:CAR-2013-05-003 remote_start = join (smb_write, process) where ( smb_write.hostname == process.hostname and smb_write.file_path == process.image_path (smb_write.time < process.time) ) output remote_start | |
CAR-2013-05-009 | T1036 | splunk | Basic Query | Sysmon native | This is a basic Splunk search that will output all of the sysmon-reported process images and their respective hashes, for cases where an image has more than one set of hashes. Thus, this will output a large amount of data and should be filtered by the analyst in order to make the results more useful. | index=your_sysmon_index EventCode=1|stats dc(Hashes) as Num_Hashes values(Hashes) as “Hashes” by Image|where Num_Hashes > 1 |
CAR-2013-05-009 | T1036 | Sigma | Sigma/Sysmon | Sigma includes a Sysmon-specific rule for detecting this, using the OriginalFilename field. | /- | |
CAR-2013-05-009 | T1036 | Sigma | Sigma (renamed powershell) | Sigma includes a rule specifically for detecting instances of Powershell being renamed. | /- | |
CAR-2013-05-009 | T1036 | Sigma | Sigma (renamed paexec) | Sigma includes a rule specifically for detecting instances of paexec being renamed. | /- | |
CAR-2013-05-009 | T1036 | DNIF | /- | Sysmon native | DNIF version of the above pseudocode. | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 group count_unique $App, $HashMD5 limit 100 >>_agg count_unique $HashMD5 >>_checkif int_compare count_unique > 1 include |
CAR-2013-07-001 | T1105 | pseudocode | /- | Identify process launches that contain substrings that belong to known tools and do not match the expected process names. These will help to indicate instances of tools that have been renamed. | process = search Process:Create port_fwd = filter process where (command_line match "-R .* -pw") scp = filter process where (command_line match "-pw .* .* .*@.*") mimikatz = filter process where (command_line match "sekurlsa") rar = filter process where (command_line match " -hp ") archive = filter process where (command_line match ".* a .*") ip_addr = filter process where (command_line match ...) output port_fwd, scp, mimikatz, rar, archive, ip_addr | |
CAR-2013-07-001 | T1105 | splunk | /- | Sysmon native | Splunk version of the above pseudocode, excluding the IP address search. | index=your_sysmon_index EventCode=1 (CommandLine="* -R * -pw*" OR CommandLine="* -pw * *@*" OR CommandLine="*sekurlsa*" OR CommandLine="* -hp *" OR CommandLine="* a *") |
CAR-2013-07-001 | T1105 | EQL | /- | EQL native | EQL version of the above pseudocode, excluding the IP address search. | process where subtype.create and (command_line == "* -R * -pw*" or command_line == "* -pw * *@*" or command_line == "*sekurlsa*" or command_line == "* -hp *" or command_line == "* a *") |
CAR-2013-07-001 | T1105 | splunk | /- | Sysmon native | Splunk version of the above pseudocode, solely for the IP address search. Note that this will likely result in many false positives, since things like software version numbers can also be valid IPv4 addresses. | index=your_sysmon_index EventCode=1 |regex CommandLine="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}" |
CAR-2013-07-001 | T1105 | DNIF | /- | Sysmon native | DNIF version of the above pseudocode. | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*(-r.*-pw|-pw.*@|sekurlsa|-hp| a |\d{1,3}\.\d{1,3}\.\d{1,3}).*)i limit 100 |
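The IP-address part of CAR-2013-07-001 is the noisy one, as the Splunk description notes: a version string such as 4.2.0.1 is a syntactically valid IPv4 address. The following added example (not code from the page or the CAR project) runs the substring filters and the dotted-quad regex over constructed command lines and shows that false positive; the "version context" triage rule that sets such hits aside for review is my own assumption and is not part of the CAR analytic.

```python
# Added example (not code from the page or the CAR project): the
# CAR-2013-07-001 substring filters and IPv4 regex run over constructed
# command lines, showing the version-number false positive the analytic
# description warns about. The "version context" triage rule is my own
# assumption, not part of the CAR analytic.
import re

# Substring filters from the pseudocode above, as regular expressions.
FILTERS = {
    "port_fwd": re.compile(r"-R .* -pw"),
    "scp":      re.compile(r"-pw .* .*@"),
    "mimikatz": re.compile(r"sekurlsa"),
    "rar":      re.compile(r" -hp "),
    "archive":  re.compile(r".* a .*"),
}

# Dotted quad with each octet in 0..255, as in the Splunk search above,
# bounded so it does not fire on a fragment of a longer dotted string.
IPV4_RE = re.compile(
    r"(?<![\d.])(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}(?![\d.])"
)

# Assumed triage heuristic: a quad directly preceded by a version keyword.
VERSION_CONTEXT = re.compile(r"(?i)(version|ver|v)\s*[=:]?\s*$")

COMMAND_LINES = [  # constructed
    r'"C:\Program Files\Tool\tool.exe" --version 4.2.0.1',   # version number
    r"installer.msi /v PRODUCTVERSION=1.0.3.7",              # version number
    r"ping 10.0.0.5",                                        # real address
    r"rar.exe a -hp hunter2 backup.rar D:\docs",             # password-protected archive
    r"notepad.exe C:\Temp\notes.txt",                        # benign
]


def match_filters(command_line):
    """Names of the filters that hit, plus 'ip_addr' for a dotted quad."""
    hits = [name for name, rx in FILTERS.items() if rx.search(command_line)]
    if IPV4_RE.search(command_line):
        hits.append("ip_addr")
    return hits


def looks_like_version(command_line, match):
    """True when the text right before the quad names a version."""
    return bool(VERSION_CONTEXT.search(command_line[: match.start()]))


def triage_ip_hits(command_lines):
    """Split ip_addr hits into (review, probable_versions) so the noisy
    bucket is set aside for review rather than the analytic discarded."""
    review, versions = [], []
    for cl in command_lines:
        for m in IPV4_RE.finditer(cl):
            bucket = versions if looks_like_version(cl, m) else review
            bucket.append((cl, m.group(0)))
    return review, versions


if __name__ == "__main__":
    for cl in COMMAND_LINES:
        print(match_filters(cl) or "-", "|", cl)
    print("to review:", triage_ip_hits(COMMAND_LINES)[0])
```

The triage keeps the analytic's recall: version-like hits are not dropped, only routed to a lower-priority queue, and the octet bounds in the regex already reject strings like 10.20.30.400.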
CAR-2013-08-001 | T1053 | pseudocode | /- | Look for instances of schtasks.exe running as processes. The command_line field is necessary to disambiguate between types of schtasks commands. These include the flags /create, /run, /query, /delete, /change, and /end. | process = search Process:Create schtasks = filter process where (exe == "schtasks.exe") output schtasks | |
CAR-2013-08-001 | T1053 | DNIF | /- | Sysmon native | DNIF version of the above pseudocode. | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(/create|/run|/query|/delete|/change|/end).*)i limit 100 |
CAR-2013-10-001 | T1078 | Pseudocode | Account Logon with Filtering | This base pseudocode looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. | logon_events = search User_Session:Login filtered_logons = filter logon_events where ( user NOT IN TOP30(user)) output filtered_logons | |
CAR-2013-10-001 | T1078 | Splunk | Account Logon with Filtering | Splunk version of the above pseudocode. NOTE - this is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out. | index=your_win_event_log_index EventCode=4624|search NOT [search index=your_win_event_log_index EventCode=4624|top 30 Account_Name|table Account_Name] | |
CAR-2013-10-001 | T1078 | DNIF | Account Logon with Filtering | Sysmon native | DNIF version of the above pseudocode. | _fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN group count_unique $ScopeID, $User limit 30 >>_store in_disk david_test win_top_30 stack_replace >>_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN limit 10000 >>_checkif lookup david_test win_top_30 join $ScopeID = $ScopeID str_compare $User eq $User exclude |
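The CAR-2013-10-001 pseudocode above removes the top 30 accounts by logon count before looking at the rest. The following added example (not code from the page or the CAR project) does the same over constructed Windows logon records and adds a share-based variant, which is my own suggestion for the "tweaking" the Splunk note asks for: excluding accounts by their share of all logons adapts to the size of the environment, whereas a fixed N may be too small for a large domain and too large for a small one.

```python
# Added example (not code from the page or the CAR project): the
# CAR-2013-10-001 "filter out the top N accounts" step over constructed
# Windows logon (4624-style) records, plus a share-based variant that is my
# own suggestion for the tweaking the Splunk note mentions.
from collections import Counter

LOGON_EVENTS = [  # constructed: (Account_Name, ComputerName, Logon_Type)
    ("svc_backup", "FS01", 5), ("svc_backup", "FS01", 5), ("svc_backup", "FS02", 5),
    ("svc_backup", "FS02", 5), ("svc_backup", "DB01", 5),
    ("svc_monitor", "FS01", 3), ("svc_monitor", "FS02", 3), ("svc_monitor", "DB01", 3),
    ("svc_monitor", "WS01", 3),
    ("alice", "WS01", 2), ("alice", "FS01", 3),
    ("bob", "WS02", 2),
]


def noisy_accounts_top_n(events, top_n):
    """Account names with the most logons (the TOP30(user) of the pseudocode)."""
    counts = Counter(acct for acct, _, _ in events)
    return {acct for acct, _ in counts.most_common(top_n)}


def noisy_accounts_by_share(events, min_share):
    """Accounts responsible for at least min_share of all logons. Unlike a
    fixed N this adapts to the size of the environment."""
    counts = Counter(acct for acct, _, _ in events)
    total = sum(counts.values())
    return {acct for acct, n in counts.items() if n / total >= min_share}


def filtered_logons(events, noisy):
    """Logon events whose account is not in the noisy set."""
    return [e for e in events if e[0] not in noisy]


if __name__ == "__main__":
    noisy = noisy_accounts_top_n(LOGON_EVENTS, top_n=2)
    print("suppressed:", sorted(noisy))
    for acct, host, logon_type in filtered_logons(LOGON_EVENTS, noisy):
        print(acct, host, logon_type)
```

Whichever variant is used, the suppressed set should be printed and reviewed periodically: an account that becomes "noisy" only after it is compromised would otherwise silently drop out of view.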
CAR-2014-11-007 | T1047 | pseudocode | /- | To detect WMI over RPC (using DCOM), a sensor needs to exist that has the insight into individual connections and can actually decode and make sense of RPC traffic. Specifically, WMI can be detected by looking at RPC traffic where the target interface matches that of WMI, which is IRemUnknown2. | flows = search Flow:Message wmi_flow = filter flows where (dest_port == 135 and proto_info.rpc_interface == "IRemUnknown2") output wmi_flow | |
CAR-2014-12-001 | T1047 | pseudocode | /- | Look for instances of the WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from wmiprvse.exe in this time frame, it is possible for race conditions to occur, and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted. | processes = search Process:Create wmi_children = filter processes where (parent_exe == "wmiprvse.exe") flows = search Flow:Message wmi_flow = filter flows where (src_port >= 49152 and dest_port >= 49152 and proto_info.rpc_interface == "IRemUnknown2") remote_wmi_process = join wmi_children, wmi_flow where ( wmi_flow.time < wmi_children.time < wmi_flow.time + 1sec and wmi_flow.hostname == wmi_children.hostname ) output remote_wmi_process | |
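The join in CAR-2014-12-001 (and the similar host-and-time join in CAR-2013-05-005 earlier in the table) is a time-window join between two event streams on the same host. The following added example (not code from the page or the CAR project) implements that join for the WMI case over constructed flow and process records and makes the race condition the description warns about visible: when more than one child of wmiprvse.exe starts inside the window, every candidate is reported and flagged as ambiguous instead of one being picked arbitrarily. Host names, ports and timestamps are constructed for the example.

```python
# Added example (not code from the page or the CAR project): the
# CAR-2014-12-001 join of Flow:Message and Process:Create records within a
# one-second window; join_within() is generic enough to serve the
# CAR-2013-05-005 pattern as well (an event followed by a process start on
# the same host). Records, host names and timestamps are constructed.
from datetime import datetime, timedelta


def ts(text):
    return datetime.fromisoformat(text)


FLOWS = [  # constructed Flow:Message records
    {"time": ts("2021-03-01T10:00:00.000"), "hostname": "ws01",
     "src_port": 50123, "dest_port": 49670, "rpc_interface": "IRemUnknown2"},
    {"time": ts("2021-03-01T10:05:00.000"), "hostname": "ws02",
     "src_port": 50124, "dest_port": 135, "rpc_interface": "IRemUnknown2"},  # endpoint mapper, not a mapped port
]

PROCESSES = [  # constructed Process:Create records
    {"time": ts("2021-03-01T10:00:00.400"), "hostname": "ws01",
     "parent_exe": "wmiprvse.exe", "exe": "cmd.exe"},
    {"time": ts("2021-03-01T10:00:00.700"), "hostname": "ws01",
     "parent_exe": "wmiprvse.exe", "exe": "hostname.exe"},   # second child in the window
    {"time": ts("2021-03-01T10:00:05.000"), "hostname": "ws01",
     "parent_exe": "wmiprvse.exe", "exe": "whoami.exe"},     # outside the window
    {"time": ts("2021-03-01T10:00:00.500"), "hostname": "ws02",
     "parent_exe": "explorer.exe", "exe": "notepad.exe"},
]


def join_within(lefts, rights, window):
    """Pair each left record with the right records on the same host whose
    time lies strictly between left.time and left.time + window."""
    joined = []
    for left in lefts:
        matches = [r for r in rights
                   if r["hostname"] == left["hostname"]
                   and left["time"] < r["time"] < left["time"] + window]
        joined.append((left, matches))
    return joined


def remote_wmi_processes(flows, processes, window=timedelta(seconds=1)):
    """CAR-2014-12-001: WMI flows on mapped ports merged with children of
    wmiprvse.exe started within the window. More than one child per flow is
    the race condition the description warns about; it is reported, not
    silently resolved."""
    wmi_flows = [f for f in flows
                 if f["src_port"] >= 49152 and f["dest_port"] >= 49152
                 and f["rpc_interface"] == "IRemUnknown2"]
    wmi_children = [p for p in processes if p["parent_exe"].lower() == "wmiprvse.exe"]
    results = []
    for flow, children in join_within(wmi_flows, wmi_children, window):
        for child in children:
            results.append({"hostname": flow["hostname"], "exe": child["exe"],
                            "ambiguous": len(children) > 1})
    return results


if __name__ == "__main__":
    for hit in remote_wmi_processes(FLOWS, PROCESSES):
        print(hit)
```

The window is a parameter because the right value depends on sensor clock alignment: network and endpoint sensors rarely share a clock to the millisecond, and a window that is too tight silently loses true matches rather than producing ambiguous ones.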
CAR-2015-04-001 | T1053 | pseudocode | /- | To detect AT via network traffic, a sensor is needed that has the ability to extract and decode PCAP information. Specifically, it needs to properly decode SMB and the functions that are implemented over it via NamedPipes. If a sensor meets these criteria, then the PCAP data needs to be searched for instances of the command JobAdd over the pipe ATSVC, which is all implemented over Windows SMB 445/tcp. | flows = search Flow:Message at_proto = filter flows where (dest_port == 445 and proto_info.pipe == "ATSVC") at_create = filter flows where (proto_info.function == "JobAdd") output at_create | |
CAR-2015-04-002 | T1053 | pseudocode | /- | Look for RPC traffic after being mapped, which implies a destination port of at least 49152. If network inspection is available via packet captures or a NIDS, then traffic through the ITaskSchedulerService interface can be detected. Microsoft has a list of the possible methods that are implemented for the ITaskSchedulerService interface, which may be useful in differentiating read and query operations from creations and modifications. | flows = search Flow:Message schtasks_rpc = filter flows where ( src_port >= 49152 and dest_port >= 49152 and proto_info.rpc_interface == "ITaskSchedulerService" ) output schtasks_rpc | |
CAR-2016-03-002 | T1047 | pseudocode | /- | Looks for instances of wmic.exe as well as the substrings `process call create` and `/node:` in the command line. | processes = search Process:Create wmic = filter processes where (exe == "wmic.exe" and command_line == "* process call create *" and command_line == "* /node:*") output wmic | |
CAR-2016-03-002 | T1047 | Splunk | /- | Sysmon native | Splunk version of the above pseudocode. | index=your_sysmon_index EventCode=1 Image="C:\Windows\*\wmic.exe" CommandLine="* process call create *"|search CommandLine="* /node:*" |
CAR-2016-03-002 | T1047 | EQL | /- | EQL native | EQL version of the above pseudocode. | process where subtype.create and (process_name == "wmic.exe" and command_line == "* process call create *") |filter command_line == "* /node:*" |
CAR-2016-03-002 | T1047 | LogPoint | /- | LogPoint native | LogPoint version of the above pseudocode. | norm_id=WindowsSysmon event_id=1 image="C:\Windows\*\wmic.exe" command="* process call create *" command="* /node:*" |
CAR-2020-09-001 | T1053 | Pseudocode | Pseudocode - Windows task file creation | CAR native | This is a pseudocode representation of the below splunk search. | files = search File:Create task_files = filter files where ( (file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*") and image_path != "C:\Windows\System32\svchost.exe") output task_files |
CAR-2020-09-001 | T1053 | Splunk | Splunk search - Windows task file creation | Sysmon native | This Splunk search looks for any files created under the Windows tasks directories. | index=your_sysmon_index EventCode=11 Image!="C:\WINDOWS\system32\svchost.exe" (TargetFilename="C:\Windows\System32\Tasks\*" OR TargetFilename="C:\Windows\Tasks\*") |
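Several of the Sysmon-based analytics in this table reduce to the same shape: a process-create (EventID 1) whose image name and command-line substrings match, or a file-create (EventID 11) under a given directory from an unexpected writer. The following added example (not code from the page or the CAR project) expresses CAR-2013-05-004 (at.exe), CAR-2013-08-001 (schtasks.exe, with its /create, /run, /query, /delete, /change and /end flags extracted), CAR-2016-03-002 (wmic with `process call create` and `/node:`) and CAR-2020-09-001 (files written under the task directories by anything other than svchost.exe) as one small rule table and runs it over constructed Sysmon records. Field names, host names and sample command lines are assumptions made for the example.

```python
# Added example (not code from the page or the CAR project): a small matcher
# that applies several of the Sysmon-based analytics in this table
# (CAR-2013-05-004 at.exe, CAR-2013-08-001 schtasks.exe with its flags,
# CAR-2016-03-002 wmic /node: process call create, CAR-2020-09-001 files
# written under the task directories) to constructed Sysmon EventID 1 and
# EventID 11 records. Record layout and sample values are assumptions.
import re

# (CAR id, image file name, substrings that must all be in the command line)
PROCESS_RULES = [
    ("CAR-2013-05-004", "at.exe", []),
    ("CAR-2013-08-001", "schtasks.exe", []),
    ("CAR-2016-03-002", "wmic.exe", [" process call create ", " /node:"]),
]
SCHTASKS_FLAGS = ("/create", "/run", "/query", "/delete", "/change", "/end")
NODE_RE = re.compile(r"/node:(\S+)", re.IGNORECASE)

# CAR-2020-09-001: task directories, and the writer that is expected there.
TASK_DIRS = ("c:\\windows\\system32\\tasks\\", "c:\\windows\\tasks\\")
EXPECTED_TASK_WRITER = "c:\\windows\\system32\\svchost.exe"

SYSMON_EVENTS = [  # constructed
    {"EventCode": 1, "ComputerName": "ws01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Temp\u.exe /sc onlogon"},
    {"EventCode": 1, "ComputerName": "ws01", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r'wmic /node:SRV01 process call create "notepad.exe"'},
    {"EventCode": 1, "ComputerName": "ws02", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r"wmic os get caption"},                       # local query, no match
    {"EventCode": 11, "ComputerName": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Updater"},      # expected writer, excluded
    {"EventCode": 11, "ComputerName": "ws01", "Image": r"C:\Temp\u.exe",
     "TargetFilename": r"C:\Windows\Tasks\Updater.job"},
    {"EventCode": 1, "ComputerName": "ws03", "Image": r"C:\Windows\System32\at.exe",
     "CommandLine": r"at 13:00 notepad.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_process(event):
    """(car_id, detail) for the first process rule that fires, else None."""
    exe, cmd = basename(event["Image"]), event["CommandLine"]
    for car_id, rule_exe, needles in PROCESS_RULES:
        if exe != rule_exe or not all(n.lower() in cmd.lower() for n in needles):
            continue
        if rule_exe == "schtasks.exe":       # flags disambiguate the command type
            flags = [f for f in SCHTASKS_FLAGS if f in cmd.lower()]
            return car_id, ",".join(flags) or "no-flag"
        if rule_exe == "wmic.exe":
            return car_id, "node=" + NODE_RE.search(cmd).group(1)
        return car_id, cmd
    return None


def match_file(event):
    """(car_id, detail) when a file lands in a task directory from an
    unexpected writer, else None."""
    target, writer = event["TargetFilename"].lower(), event["Image"].lower()
    if target.startswith(TASK_DIRS) and writer != EXPECTED_TASK_WRITER:
        return "CAR-2020-09-001", event["TargetFilename"]
    return None


def run(events):
    """Apply the rules, returning (car_id, detail, host) per hit."""
    hits = []
    for ev in events:
        matcher = {1: match_process, 11: match_file}.get(ev["EventCode"])
        hit = matcher(ev) if matcher else None
        if hit:
            hits.append((hit[0], hit[1], ev["ComputerName"]))
    return hits


if __name__ == "__main__":
    for hit in run(SYSMON_EVENTS):
        print(*hit)
```

Matching on the image's file name rather than its full path is deliberate: wmic.exe lives under System32\wbem, and the Splunk searches above already use a wildcard directory for the same reason. Note that a renamed copy of any of these tools escapes all four rules; that gap is what CAR-2013-05-009 and CAR-2013-07-001 above are for.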
Finally, a summary of the two techniques most used in the incidents has been prepared.
Next, the tactics, mitigations, software and groups related to each of these techniques are examined by means of a graph and a table.
We begin with the technique most used in the incidents. The following graph and table show the relationships found for this technique.
ATT&CK was used to obtain this information.
mitreid | name | description |
---|---|---|
TA0002 | Execution | The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. |
TA0008 | Lateral Movement | The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. |
G0050 | APT32 | APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus) |
G0091 | Silence | Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank’s Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) |
G0028 | Threat Group-1314 | Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim’s remote access infrastructure. (Citation: Dell TG-1314) |
S0041 | Wiper | Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper) |
M1015 | Active Directory Configuration | Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
M1032 | Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. |
M1030 | Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
M1027 | Password Policies | Set and enforce secure password policies for accounts. |
M1026 | Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
M1029 | Remote Data Storage | Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information. |
M1051 | Update Software | Perform regular software updates to mitigate exploitation risk. |
M1018 | User Account Management | Manage the creation, modification, use, and permissions associated to user accounts. |
M1017 | User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Finally, we obtain the graph and the table of the relationships that exist for the second most used technique.
CAR was used to obtain this information.
mitreid | name | description |
---|---|---|
TA0005 | Defense Evasion | The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses. |
TA0001 | Initial Access | The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords. |
TA0003 | Persistence | The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. |
TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: SYSTEM/root level; local administrator; user account with admin-like access; user accounts with access to specific system or perform specific function. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. |
G0007 | APT28 | APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019) APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team. |
G0026 | APT18 | APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement) |
G0064 | APT33 | APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) |
G0087 | APT39 | APT39 is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran’s national priorities. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015) |
G0096 | APT41 | APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.(Citation: FireEye APT41 Aug 2019) |
G0008 | Carbanak | Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: Kaspersky Carbanak) (Citation: FireEye FIN7 April 2017) |
G0114 | Chimera | Chimera is a suspected China-based threat group, targeting the semiconductor industry in Taiwan since at least 2018.(Citation: Cycraft Chimera April 2020) |
G0074 | Dragonfly 2.0 | Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) |
G0051 | FIN10 | FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017) |
G0085 | FIN4 | FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014) |
G0053 | FIN5 | FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015) |
G0037 | FIN6 | FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019) |
G0061 | FIN8 | FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016) |
G0065 | Leviathan | Leviathan is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018) |
G0014 | Night Dragon | Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon) |
G0049 | OilRig | OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. |
G0011 | PittyTiger | PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. (Citation: Bizeul 2014) (Citation: Villeneuve 2014) |
G0034 | Sandworm Team | Sandworm Team is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. Sandworm Team’s most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017’s NotPetya attacks. Sandworm Team has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020) |
G0091 | Silence | Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank’s Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) |
G0093 | Soft Cell | Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.(Citation: Cybereason Soft Cell June 2019) |
G0039 | Suckfly | Suckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016) |
G0088 | TEMP.Veles | TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019) |
G0027 | Threat Group-3390 | Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Securelist LuckyMouse June 2018) |
G0102 | Wizard Spider | Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) |
G0045 | menuPass | menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017) (Citation: DOJ APT10 Dec 2018) |
S0038 | Duqu | Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu) |
S0362 | Linux Rabbit | Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018) |
S0053 | SeaDuke | SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. (Citation: F-Secure The Dukes) |
M1013 | Application Developer Guidance | This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of. |
M1027 | Password Policies | Set and enforce secure password policies for accounts. |
M1026 | Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
To answer the questions posed in this assignment, starting from the initial incidents dataframe, we have worked with:
* ATT&CK
* CAR
* Shield
Even so, the other standards could be studied to extract still more information about the attacks under study.
Finally, it is worth noting that these standards have proved highly useful for learning what kind of incident your organization is facing or has faced.