HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 375,
"next": "https://unprotect.it/api/techniques/?format=api&page=4",
"previous": "https://unprotect.it/api/techniques/?format=api&page=2",
"results": [
{
"id": 294,
"key": "obfuscated-files-or-information-indicator-removal-from-tools",
"unprotect_id": "T1027.005",
"name": "Obfuscated Files or Information: Indicator Removal from Tools",
"description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\r\n\r\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1027/005/",
"creation_date": "2023-02-15T23:07:19.194000Z",
"tags": "Defense Evasion,\r\nmalicious file modification,\r\npayload modification,\r\nsignature evasion,\r\nunique hash,\r\nAPT3,",
"modification_date": "2023-10-04T10:42:26.127000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 293,
"key": "obfuscated-files-or-information-compile-after-delivery",
"unprotect_id": "T1027.004",
"name": "Obfuscated Files or Information: Compile After Delivery",
"description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.\r\n\r\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing attachment. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1027/004/",
"creation_date": "2023-02-15T23:04:18.334000Z",
"tags": "Defense Evasion,\r\nuncompiled code,\r\ncompile malicious code,\r\nexecute malicious code,\r\nencrypted malicious code,",
"modification_date": "2023-10-04T10:44:13.657000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 292,
"key": "obfuscated-files-or-information-steganography",
"unprotect_id": "T1027.003",
"name": "Obfuscated Files or Information: Steganography",
"description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\r\n\r\nDuqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.\r\n\r\nBy the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1027/003/",
"creation_date": "2023-02-15T23:01:45.898000Z",
"tags": "Defense Evasion,\r\nconceal information,\r\nconceal payloads,\r\nInvoke-PSImage,\r\nAPT37,\r\nhidden malicious portable executable,\r\nembedded image files,\r\nobfuscated files,",
"modification_date": "2023-10-04T10:44:14.469000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 291,
"key": "obfuscated-files-or-information-software-packing",
"unprotect_id": "T1027.002",
"name": "Obfuscated Files or Information: Software Packing",
"description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.\r\n\r\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1027/002/",
"creation_date": "2023-02-15T22:57:33.440000Z",
"tags": "Defense Evasion,\r\ncompressing executables,\r\nencrypting executables,\r\navoiding signature-based detection,\r\npacked payloads,\r\nobfuscating malicious payloads,\r\nMPRESS,\r\nUPX,\r\nVirtual machine software protection,\r\nAPT29,\r\nAPT3,\r\nAPT38,\r\nAPT39,",
"modification_date": "2023-10-04T10:44:14.775000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 290,
"key": "obfuscated-files-or-information-binary-padding",
"unprotect_id": "T1027.001",
"name": "Obfuscated Files or Information: Binary Padding",
"description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.\r\n\r\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware. Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file to be analyzed.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1027/001/",
"creation_date": "2023-02-15T22:53:34.910000Z",
"tags": "Defense Evasion,\r\nchecksum manipulation,\r\navoid hash-based blocklists,\r\navoid static anti-virus signatures,\r\nappend junk data,\r\nappend random binary data,\r\nmaximum file size,\r\nAPT29,\r\nAPT32,",
"modification_date": "2023-10-04T10:44:11.581000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 289,
"key": "modify-registry",
"unprotect_id": "T1112",
"name": "Modify Registry",
"description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\r\n\r\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\r\n\r\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. \r\n\r\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1112/",
"creation_date": "2023-02-10T03:43:23.404000Z",
"tags": "Defense Evasion,\r\nAPT19,\r\nAPT32,\r\nAPT38,\r\nAPT41,\r\nWindows Registry,\r\nRegistry keys,\r\nRegistry modifications,\r\npseudo-hidden keys,\r\nremote Registry service,\r\nUAC bypass,",
"modification_date": "2023-10-04T10:44:14.208000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 288,
"key": "modify-authentication-process-hybrid-identity",
"unprotect_id": "T1556.007",
"name": "Modify Authentication Process: Hybrid Identity",
"description": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.\r\n\r\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD:\r\n\r\nPassword Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Azure AD, allowing authentication to Azure AD to take place entirely in the cloud\r\nPass Through Authentication (PTA), in which Azure AD authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory\r\nActive Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Azure AD\r\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.\r\n\r\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials.\r\n\r\nIn environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.\r\n\r\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1556/007/",
"creation_date": "2023-02-10T03:35:30.421000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nbackdoor cloud authentication processes,\r\nbypass authentication mechanisms, \r\nmodifying authentication processes,\r\naccess credentials, \r\nenable persistent access,\r\nActive Directory, \r\nAzure AD,\r\nPassword Hash Synchronization (PHS),\r\nPass Through Authentication (PTA),\r\nActive Directory Federation Services (ADFS),\r\nAzureADConnectAuthenticationAgentService,\r\nMicrosoft.IdentityServer.Servicehost configuration file,\r\nhybrid identity authentication process,\r\ncredential harvesting,\r\nAPT29,\r\ninject malicious DLL,",
"modification_date": "2023-10-04T10:42:27.062000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 287,
"key": "modify-authentication-process-multi-factor-authentication",
"unprotect_id": "T1556.006",
"name": "Modify Authentication Process: Multi-Factor Authentication",
"description": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.\r\n\r\nOnce adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authentication Request Generation, adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.\r\n\r\nFor example, modifying the Windows hosts file (C:\\windows\\system32\\drivers\\etc\\hosts) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a \"fail open\" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. \r\n\r\nDepending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1556/006/",
"creation_date": "2023-02-10T03:28:56.884000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\ndisable multi-factor authentication (MFA),\r\nAzure AD Conditional Access Policies,\r\npatching MFA programs,\r\npatching MFA configurations,",
"modification_date": "2023-10-04T10:44:13.951000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 286,
"key": "modify-authentication-process-reversible-encryption",
"unprotect_id": "T1556.005",
"name": "Modify Authentication Process: Reversible Encryption",
"description": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.\r\n\r\nIf the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:\r\n\r\nEncrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters\r\n16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters\r\nGlobal LSA secret (G$MSRADIUSCHAPKEY)\r\nStatic key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)\r\nWith this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.\r\n\r\nAn adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory PowerShell module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to \"Windows Server 2008\" or higher. In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1556/005/",
"creation_date": "2023-02-10T03:25:12.537000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nActive Directory authentication encryption properties,\r\nAllowReversiblePasswordEncryption,\r\nG$RADIUSCHAP,\r\nG$RADIUSCHAPKEY,\r\nG$MSRADIUSCHAPKEY,\r\nRemote Access Subauthentication DLL (RASSFM.DLL),\r\nreproduce encryption key,\r\npassword decryption,\r\nLocal Group Policy Editor,\r\nFine-Grained Password Policy (FGPP),",
"modification_date": "2023-10-04T10:44:13.801000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 285,
"key": "modify-authentication-process-password-filter-dll",
"unprotect_id": "T1556.002",
"name": "Modify Authentication Process: Password Filter DLL",
"description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.\r\n\r\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.\r\n\r\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1556/002/",
"creation_date": "2023-02-10T03:20:31.344000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\npassword filter dynamic link libraries (DLLs),\r\ncredential harvesting,\r\nplain-text credentials,\r\nLocal Security Authority (LSA),\r\nSecurity Accounts Manager (SAM),",
"modification_date": "2023-10-04T10:44:13.502000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 284,
"key": "modify-authentication-process-domain-controller-authentication",
"unprotect_id": "T1556.001",
"name": "Modify Authentication Process: Domain Controller Authentication",
"description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.\r\n\r\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skeleton Key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1556/001/",
"creation_date": "2023-02-10T03:10:04.658000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nbypass authentication mechanisms,\r\ninject false credentials,\r\nSkeleton key,\r\nLSASS,\r\ndomain authentication,\r\nNTLM authentication,\r\nenterprise domain controller authentication,",
"modification_date": "2023-10-04T10:44:13.353000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 283,
"key": "modify-authentication-process",
"unprotect_id": "T1556",
"name": "Modify Authentication Process",
"description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authority Subsystem Service (LSASS) process and the Security Accounts Manager (SAM) on Windows, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.\r\n\r\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1556/",
"creation_date": "2023-02-10T01:46:27.392000Z",
"tags": "Credential Access, \r\nDefense Evasion, \r\nPersistence,\r\nmodify authentication mechanisms,\r\nLocal Security Authority Subsystem Service (LSASS),\r\nSecurity Accounts Manager (SAM),\r\nbypass authentication mechanisms,\r\ncredential reveal,\r\nbypass access controls,\r\nintercept private keys,",
"modification_date": "2023-10-04T10:44:13.207000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 282,
"key": "masquerading-double-file-extension",
"unprotect_id": "T1036.007",
"name": "Masquerading: Double File Extension",
"description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.\r\n\r\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user’s system via Spearphishing Attachment then User Execution. For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.\r\n\r\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1036/007/",
"creation_date": "2023-02-10T01:32:55.344000Z",
"tags": "Defense Evasion,\r\nhidden file types,\r\nhide file types,\r\nsecondary file extension,\r\nconceal malicious file types,\r\nuser execution,\r\nhidden malware,\r\ndual-extension,",
"modification_date": "2023-10-04T10:44:00.071000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 281,
"key": "masquerading-match-legitimate-name-or-location",
"unprotect_id": "T1036.005",
"name": "Masquerading: Match Legitimate Name or Location",
"description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\r\n\r\nAdversaries may also use the same icon of the file they are trying to mimic.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1036/005/",
"creation_date": "2023-02-10T01:26:42.267000Z",
"tags": "Defense Evasion,\r\ncommonly trusted directory,\r\nmimic legitimate trusted program,\r\ntrusted namespaces,\r\ntrusted filenames,\r\nmimic icon,\r\nhidden payloads,\r\nmalicious shortcuts,\r\nAPT1,\r\nAPT28,\r\nAPT29,\r\nAPT32,\r\nAPT39,\r\nAPT41,",
"modification_date": "2023-10-04T10:42:21.011000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 280,
"key": "masquerading-masquerade-task-or-service",
"unprotect_id": "T1036.004",
"name": "Masquerading: Masquerade Task or Service",
"description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\r\n\r\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1036/004/",
"creation_date": "2023-02-10T01:14:05.681000Z",
"tags": "Defense Evasion,\r\nscheduled tasks,\r\nmimic legitimate task,\r\nmimic legitimate service,\r\nAPT-C-36,\r\nAPT29,\r\nAPT32,\r\nAPT41,",
"modification_date": "2023-10-04T10:42:15.739000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 279,
"key": "masquerading-rename-system-utilities",
"unprotect_id": "T1036.003",
"name": "Masquerading: Rename System Utilities",
"description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1036/003/",
"creation_date": "2023-02-10T01:10:22.955000Z",
"tags": "Defense Evasion,\r\nrename legitimate file,\r\nAPT32,\r\nreplace legitimate system file,",
"modification_date": "2023-10-04T10:44:10.569000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 278,
"key": "masquerading-right-to-left-override",
"unprotect_id": "T1036.002",
"name": "Masquerading: Right-to-Left Override",
"description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.\r\n\r\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity. RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1036/002/",
"creation_date": "2023-02-10T01:05:54.520000Z",
"tags": "Defense Evasion,\r\nRTLO, \r\nRLO,\r\nobfuscate filenames,\r\nreverse executable names,",
"modification_date": "2023-10-04T10:42:29.587000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 277,
"key": "masquerading-invalid-code-signature",
"unprotect_id": "T1036.001",
"name": "Masquerading: Invalid Code Signature",
"description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.\r\n\r\nUnlike Code Signing, this activity will not result in a valid signature.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1036/001/",
"creation_date": "2023-02-10T00:56:50.010000Z",
"tags": "Defense Evasion,\r\nImpersonating valid code signatures,\r\nAPT37,\r\ninvalid code signatures,\r\ninvalid digital certificates,\r\nunverified signatures,\r\nfake certificates,\r\nrevoked certificates,",
"modification_date": "2023-10-04T10:44:06.718000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 275,
"key": "indirect-command-execution",
"unprotect_id": "T1202",
"name": "Indirect Command Execution",
"description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. \r\n\r\nAdversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1202/",
"creation_date": "2023-02-07T05:39:23.235000Z",
"tags": "Defense Evasion,\r\nCommand execution concealment,\r\nperform arbitrary execution,\r\nExploit CLIs,",
"modification_date": "2023-10-04T10:44:06.576000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 274,
"key": "indicator-removal-clear-persistence",
"unprotect_id": "T1070.009",
"name": "Indicator Removal: Clear Persistence",
"description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.\r\n\r\nIn some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1070/009/",
"creation_date": "2023-02-07T05:35:59.751000Z",
"tags": "Defense Evasion,\r\nevidence removal,\r\nevidence clean-up,\r\nartifacts of persistence removal,\r\nregistry key removal,",
"modification_date": "2023-10-04T10:44:05.889000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 273,
"key": "indicator-removal-clear-mailbox-data",
"unprotect_id": "T1070.008",
"name": "Indicator Removal: Clear Mailbox Data",
"description": "Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests.\r\n\r\nAdversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1070/008/",
"creation_date": "2023-02-07T05:33:13.414000Z",
"tags": "Defense Evasion,\r\nexport mailbox data,\r\ndelete mailbox data,\r\nExfiltration Over Alternative Protocol,\r\nRemove-MailboxExportRequest,",
"modification_date": "2023-10-04T10:40:14.313000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 272,
"key": "indicator-removal-clear-network-connection-history-and-configurations",
"unprotect_id": "T1070.007",
"name": "Indicator Removal: Clear Network Connection History and Configurations",
"description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\r\n\r\nNetwork connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under:\r\n\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\r\nWindows may also store information about recent RDP connections in files such as C:\\Users\\%username%\\Documents\\Default.rdp and C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache\\.\r\n\r\nMalicious network connections may also require changes to network configuration settings, such as Disable or Modify System Firewall or tampering to enable Proxy. Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1070/007/",
"creation_date": "2023-02-07T03:00:35.870000Z",
"tags": "Defense Evasion,\r\nNetwork history deletion,\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default,\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers,\r\nC:\\Users\\%username%\\Documents\\Default.rdp,\r\nC:\\Users\\%username%\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache,\r\ndisable firewall rule,\r\nmodify firewall,\r\nadd firewall rule,\r\nmodify network configuration,\r\nbypass firewall rule,\r\nenable Proxy,",
"modification_date": "2023-10-04T10:44:29.265000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
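An added example (not from the unprotect.it entry or MITRE) for recovering the RDP connection history named above from a `reg export` of the Terminal Server Client key and diffing two snapshots, which is how a cleared MRU list or a deleted `Servers\<host>` subkey shows up in review. The two .reg texts are constructed; the `MRU0`..`MRU9` values under `Default` and the per-host `UsernameHint` value under `Servers` are the value names Windows actually writes. The file-side artifacts the entry lists (`Default.rdp`, the bitmap cache directory) are not covered here.

```python
"""Recover RDP connection history from a .reg export of the Terminal Server Client
key and diff two snapshots (T1070.007). Both exports below are constructed."""
import re
from dataclasses import dataclass, field

TSC = "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client"
DEFAULT_KEY = (TSC + "\\Default").lower()        # MRU0..MRU9: most recently used hosts
SERVERS_PREFIX = (TSC + "\\Servers\\").lower()   # one subkey per host ever connected to
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')     # REG_SZ rows only; dword:/hex: rows are skipped

BEFORE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client]

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="10.10.20.5"
"MRU1"="dc01.corp.example"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers]

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\10.10.20.5]
"UsernameHint"="CORP\\svc_backup"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\dc01.corp.example]
"UsernameHint"="CORP\\administrator"
"""

# Same user after the MRU values and the 10.10.20.5 subkey were deleted.
AFTER_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client]

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers]

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\dc01.corp.example]
"UsernameHint"="CORP\\administrator"
"""


@dataclass
class RdpHistory:
    mru: dict = field(default_factory=dict)      # MRU index -> host
    servers: dict = field(default_factory=dict)  # host -> UsernameHint ("" if none)


def _unescape(value):
    # .reg exports double backslashes and escape quotes inside REG_SZ data.
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    hist, current = RdpHistory(), None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            if current.lower().startswith(SERVERS_PREFIX):
                # A Servers\<host> subkey is evidence even if it holds no values.
                hist.servers.setdefault(current[len(SERVERS_PREFIX):], "")
            continue
        val = VALUE_RE.match(line)
        if not val or current is None:
            continue
        name, data = val.group(1), _unescape(val.group(2))
        if current.lower() == DEFAULT_KEY and name.upper().startswith("MRU") and name[3:].isdigit():
            hist.mru[int(name[3:])] = data
        elif current.lower().startswith(SERVERS_PREFIX) and name == "UsernameHint":
            hist.servers[current[len(SERVERS_PREFIX):]] = data
    return hist


def diff_history(before, after):
    """Hosts the earlier snapshot recorded that the later one no longer does."""
    return {
        "removed_mru": sorted(set(before.mru.values()) - set(after.mru.values())),
        "removed_servers": sorted(set(before.servers) - set(after.servers)),
    }


if __name__ == "__main__":
    before, after = parse_reg_export(BEFORE_EXPORT), parse_reg_export(AFTER_EXPORT)
    print("MRU before:", [before.mru[i] for i in sorted(before.mru)])
    print("Servers before:", before.servers)
    print("Cleared since then:", diff_history(before, after))
```

A disappearing `Servers\<host>` subkey is the stronger signal: the MRU list only holds the last ten hosts and rolls over on its own, whereas a host's subkey normally persists until someone deletes it.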
{
"id": 271,
"key": "indicator-removal-network-share-connection-removal",
"unprotect_id": "T1070.005",
"name": "Indicator Removal: Network Share Connection Removal",
"description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\\\system\\share /delete command.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1070/005/",
"creation_date": "2023-02-07T01:10:50.149000Z",
"tags": "Defense Evasion,\r\nnet use \\\\system\\share /delete,\r\nSMB share,\r\ndisconnect network shares,",
"modification_date": "2023-10-04T10:43:54.694000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 270,
"key": "indicator-removal-file-deletion",
"unprotect_id": "T1070.004",
"name": "Indicator Removal: File Deletion",
"description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\r\n\r\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. An example of built-in Command and Scripting Interpreter functions is del on Windows.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1070/004/",
"creation_date": "2023-02-07T01:08:44.043000Z",
"tags": "Defense Evasion,\r\ninfection clean-up,\r\ndel,\r\nevidence removal,",
"modification_date": "2023-10-04T10:43:35.632000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 269,
"key": "indicator-removal-clear-command-history",
"unprotect_id": "T1070.003",
"name": "Indicator Removal: Clear Command History",
"description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\r\n\r\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\r\n\r\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.\r\n\r\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1070/003/",
"creation_date": "2023-02-07T00:42:27.729000Z",
"tags": "Defense Evasion,\r\nclear CLI history,\r\nPSReadLine,\r\n$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt,\r\nClear-History,\r\nConsoleHost_history.txt,\r\nAPT41,\r\nlog file deletion,",
"modification_date": "2023-10-04T10:42:29.451000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 268,
"key": "impair-defenses-downgrade-attack",
"unprotect_id": "T1562.010",
"name": "Impair Defenses: Downgrade Attack",
"description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell version 5 and later includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.\r\n\r\nAdversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1562/010/",
"creation_date": "2023-02-07T00:35:20.611000Z",
"tags": "Defense Evasion,\r\ndowngrading Windows,\r\nScript Block Logging (SBL),\r\nremoving features,\r\nexecute malicious scripts,\r\nAdversary-in-the-Middle,",
"modification_date": "2023-10-04T10:44:10.420000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 267,
"key": "impair-defenses-safe-mode-boot",
"unprotect_id": "T1562.009",
"name": "Impair Defenses: Safe Mode Boot",
"description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.\r\n\r\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.\r\n\r\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1562/009/",
"creation_date": "2023-02-07T00:32:08.111000Z",
"tags": "Defense Evasion,\r\ndisable endpoint defenses,\r\nWindows safe mode,\r\nBoot Configuration Data (BCD),\r\nregistry modification,\r\nmalicious Component Object Model (COM) objects,\r\nbypass EDR,\r\ndisable endpoint defences,",
"modification_date": "2023-10-04T10:42:27.206000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 266,
"key": "impair-defenses-indicator-blocking",
"unprotect_id": "T1562.006",
"name": "Impair Defenses: Indicator Blocking",
"description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.\r\n\r\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\r\n\r\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1562/006/",
"creation_date": "2023-02-07T00:28:37.250000Z",
"tags": "Defense Evasion,\r\ndisabling host-based sensors,\r\nevent telemetry tampering,\r\nEvent Tracing for Windows (ETW),\r\nbypass ETW,\r\nblocking reporting traffic,\r\nPowerShell Set-EtwTraceProvider,\r\nregistry tampering,\r\nbypassing SIEM alerts,",
"modification_date": "2023-10-04T10:44:07.778000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 265,
"key": "impair-defenses-disable-or-modify-system-firewall",
"unprotect_id": "T1562.004",
"name": "Impair Defenses: Disable or Modify System Firewall",
"description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\r\n\r\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1562/004/",
"creation_date": "2023-02-07T00:21:03.440000Z",
"tags": "Defense Evasion,\r\nbypass firewall, \r\ndisable firewall,\r\nmodify firewall rules,\r\nAPT29,\r\nAPT38,\r\nenable adversary C2 communications,\r\nlateral movement, \r\ndata exfiltration,",
"modification_date": "2023-10-04T10:44:05.085000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 264,
"key": "impair-defenses-impair-command-history-logging",
"unprotect_id": "T1562.003",
"name": "Impair Defenses: Impair Command History Logging",
"description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.",
"windows": "The `PSReadLine` module tracks commands used in all PowerShell sessions and writes them to a file (`$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt` by default).\r\n\r\nAdversaries may change where these logs are saved using `Set-PSReadLineOption -HistorySavePath {File Path}`. This will cause `ConsoleHost_history.txt` to stop receiving new entries. Additionally, it is possible to turn off saving to the file altogether with `Set-PSReadLineOption -HistorySaveStyle SaveNothing`. Both options take effect only in the session that runs them (persisting them requires a profile script), and neither removes entries already written to the file.\r\n\r\nAdversaries may also leverage a **Network Device CLI** on network devices to disable historical command logging (e.g. no logging).",
"linux": "An adversary can manipulate command history logging in Bash on a Linux system through the `HISTCONTROL` environment variable, which determines how commands are recorded in the history file. When it is set to `ignorespace` (or `ignoreboth`, which also drops consecutive duplicate commands), any command line that begins with a space is not written to the history file. This lets the adversary keep potentially malicious commands out of a later review. Note that the `export` line itself is recorded, since the variable is only consulted for lines entered after it, and that the setting affects the current shell only:\r\n\r\n```bash\r\nexport HISTCONTROL=ignorespace   # this line is still recorded\r\n whoami                          # leading space: not saved\r\n id\r\n cat /etc/passwd\r\n```",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1562/003/",
"creation_date": "2023-02-07T00:17:23.193000Z",
"tags": "Defense Evasion,\r\nPSReadLine,\r\nConsoleHost_history.txt,\r\n$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\,\r\nSet-PSReadLineOption -HistorySavePath {File Path},\r\nSet-PSReadlineOption -HistorySaveStyle SaveNothing,\r\nNetwork Device CLI,\r\nAPT38,\r\ndisable logging,\r\ndisable historical command logging,",
"modification_date": "2024-09-26T07:24:38.581983Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
4,
41
]
},
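For this entry and for Indicator Removal: Clear Command History (T1070.003) above, an added detection example that is not part of either unprotect.it entry: a small rule set run over constructed process-creation records (the shape of Sysmon event 1 / Security 4688 command lines on Windows, and an auditd execve command line for the Bash case). It flags the PSReadLine settings, the history-file deletion and the `HISTCONTROL` values the two entries describe, and rates `Clear-History` low because, as the entries note, it does not touch `ConsoleHost_history.txt`. It matches on the `SaveNothing` value rather than the full parameter name because PowerShell accepts any unambiguous parameter prefix, so `-HistorySaveS SaveNothing` is accepted too. The record fields and the events themselves are constructed for illustration.

```python
"""Flag command lines that clear or disable shell command history (T1070.003, T1562.003).

The records below are constructed; they stand in for Sysmon event 1 / Security 4688
process-creation command lines (Windows) and an auditd execve record (Linux)."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "rule_id technique severity pattern note")

HISTORY_RULES = [
    Rule("PS-CLEAR-HISTORY", "T1070.003", "low",
         re.compile(r"\bClear-History\b", re.I),
         "Flushes the current session's built-in history only; ConsoleHost_history.txt is untouched"),
    Rule("PS-HISTORY-FILE-TAMPER", "T1070.003", "high",
         re.compile(r"\b(Remove-Item|rm|del|erase|Clear-Content|Set-Content|Out-File)\b[^|;]*"
                    r"ConsoleHost_history\.txt", re.I),
         "Deletes or rewrites the PSReadLine history file shared by all sessions"),
    Rule("PS-HISTORY-SAVENOTHING", "T1562.003", "high",
         # Match the value, not the parameter: PowerShell accepts any unambiguous
         # prefix of -HistorySaveStyle, so '-HistorySaveS SaveNothing' is valid too.
         re.compile(r"\bSet-PSReadLineOption\b.*\bSaveNothing\b", re.I),
         "PSReadLine stops writing history to disk for this session"),
    Rule("PS-HISTORY-REDIRECT", "T1562.003", "medium",
         re.compile(r"\bSet-PSReadLineOption\b.*-HistorySaveP\w*\s", re.I),
         "History redirected away from ConsoleHost_history.txt"),
    Rule("BASH-HISTCONTROL", "T1562.003", "medium",
         re.compile(r"\bHISTCONTROL=['\"]?(ignorespace|ignoreboth)\b", re.I),
         "Command lines that start with a space are no longer written to the history file"),
]

SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "powershell.exe",
     "command_line": "powershell.exe -NoP -c Clear-History"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "powershell.exe",
     "command_line": 'powershell.exe -c "Set-PSReadlineOption -HistorySaveStyle SaveNothing"'},
    {"host": "WS02", "user": "CORP\\svc_deploy", "image": "powershell.exe",
     "command_line": 'powershell -c "Set-PSReadLineOption -HistorySaveP C:\\Windows\\Temp\\h.txt"'},
    {"host": "WS02", "user": "CORP\\svc_deploy", "image": "powershell.exe",
     "command_line": "powershell -c Remove-Item $env:APPDATA\\Microsoft\\Windows\\PowerShell"
                     "\\PSReadLine\\ConsoleHost_history.txt"},
    {"host": "lin01", "user": "www-data", "image": "/bin/bash",
     "command_line": "bash -c 'export HISTCONTROL=ignoreboth; id'"},
    # Benign activity that must not fire: reading options, unrelated options, other HISTCONTROL values.
    {"host": "WS03", "user": "CORP\\admin", "image": "powershell.exe",
     "command_line": "powershell -c Get-PSReadLineOption"},
    {"host": "WS03", "user": "CORP\\admin", "image": "powershell.exe",
     "command_line": "powershell -c Set-PSReadLineOption -EditMode Emacs"},
    {"host": "lin02", "user": "ops", "image": "/bin/bash",
     "command_line": "bash -c 'export HISTCONTROL=erasedups'"},
]


def scan_command_line(command_line):
    """Return the rules a single command line triggers, in rule order."""
    return [r for r in HISTORY_RULES if r.pattern.search(command_line)]


def scan(records):
    """Run every rule over every record; one finding per (record, rule) hit."""
    findings = []
    for rec in records:
        for rule in scan_command_line(rec["command_line"]):
            findings.append({
                "rule_id": rule.rule_id, "technique": rule.technique, "severity": rule.severity,
                "host": rec["host"], "user": rec["user"],
                "command_line": rec["command_line"], "note": rule.note,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:6s}] {f['technique']} {f['rule_id']:24s} {f['host']} {f['user']}")
        print(f"         {f['command_line']}")
        print(f"         {f['note']}")
```

The redirect rule only tells you the file moved; pairing it with a file-creation event for the new `-HistorySavePath` target recovers the history the adversary tried to keep out of the default location.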
{
"id": 263,
"key": "impair-defenses-disable-windows-event-logging",
"unprotect_id": "T1562.002",
"name": "Impair Defenses: Disable Windows Event Logging",
"description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections.\r\n\r\nThe EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings. auditpol.exe may also be used to set audit policies.\r\n\r\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog. Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:\"Account Logon\" /success:disable /failure:disable turns off auditing for the Account Logon category. To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1562/002/\r\nhttps://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\r\nhttps://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"creation_date": "2023-02-07T00:12:57.052000Z",
"tags": "Defense Evasion,\r\nevent disabling,\r\nEventLog service,\r\nLocal Security Policy (secpol.msc),\r\nauditpol.exe,\r\n/success parameters,\r\n/failure parameters,\r\nStop-Service -Name EventLog,\r\nauditpol /clear /y,\r\nauditpol /remove /allusers,\r\nSecurity Settings\\Local Policies\\Audit Policy,\r\nSecurity Settings\\Advanced Audit Policy Configuration,\r\nAPT29,",
"modification_date": "2024-08-17T16:17:02.697023Z",
"category": [
10
],
"rules": [
159
],
"attachments": [],
"featured_api": [],
"contributors": []
},
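An added example (not part of the unprotect.it entry) of the defender-side check for the `auditpol` tampering described above: parse the output of `auditpol /get /category:*`, compare each subcategory against a required baseline, and flag the all-disabled state that `auditpol /clear /y` leaves behind. The two outputs below are constructed but follow the real layout of the command (a two-line header, unindented category names, two-space-indented subcategory rows ending in `No Auditing`, `Success`, `Failure` or `Success and Failure`); the first reflects the entry's `auditpol /set /category:"Account Logon" /success:disable /failure:disable` example. The baseline is an assumption for illustration, not a recommended policy.

```python
"""Check `auditpol /get /category:*` output against a required audit baseline (T1562.002).

Both outputs below are constructed but keep the real layout: unindented category
names, two-space-indented "Subcategory   Setting" rows."""
import re

SETTINGS = ("No Auditing", "Success and Failure", "Success", "Failure")
ROW_RE = re.compile(r"^\s{2}(?P<sub>\S.*?)\s{2,}(?P<setting>" + "|".join(SETTINGS) + r")\s*$")

# State after the entry's example: auditpol /set /category:"Account Logon" /success:disable /failure:disable
SAMPLE_AUDITPOL_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Special Logon                           Success
Account Logon
  Credential Validation                   No Auditing
  Kerberos Authentication Service         No Auditing
Detailed Tracking
  Process Creation                        No Auditing
"""

# What `auditpol /clear /y` leaves behind: every subcategory reset to No Auditing.
CLEARED_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  System Integrity                        No Auditing
Logon/Logoff
  Logon                                   No Auditing
Account Logon
  Credential Validation                   No Auditing
Detailed Tracking
  Process Creation                        No Auditing
"""

# Minimum policy this environment requires (an assumption for illustration).
BASELINE = {
    "Security State Change": {"Success"},
    "System Integrity": {"Success", "Failure"},
    "Logon": {"Success", "Failure"},
    "Special Logon": {"Success"},
    "Credential Validation": {"Success", "Failure"},
    "Process Creation": {"Success"},
}


def parse_auditpol(text):
    """Map subcategory -> set of enabled outcomes ({'Success', 'Failure'}, or empty)."""
    policy = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, blank, or category line
        setting = m.group("setting")
        enabled = set() if setting == "No Auditing" else set(setting.split(" and "))
        policy[m.group("sub").strip()] = enabled
    return policy


def audit_gaps(current, baseline):
    """Subcategories whose enabled outcomes fall short of the baseline, sorted by name.
    A subcategory absent from the output counts as fully missing."""
    gaps = []
    for sub, required in baseline.items():
        missing = required - current.get(sub, set())
        if missing:
            gaps.append((sub, sorted(missing)))
    return sorted(gaps)


def all_disabled(current):
    """True when every parsed subcategory is 'No Auditing': the footprint of auditpol /clear."""
    return bool(current) and not any(current.values())


if __name__ == "__main__":
    current = parse_auditpol(SAMPLE_AUDITPOL_OUTPUT)
    for sub, missing in audit_gaps(current, BASELINE):
        print(f"GAP  {sub}: missing {', '.join(missing)}")
    print("policy wiped:", all_disabled(current))
    print("policy wiped after /clear:", all_disabled(parse_auditpol(CLEARED_OUTPUT)))
```

Because `auditpol /remove /allusers` only touches per-user policy, it does not show up in `/get /category:*`; compare `auditpol /list /user` output separately if per-user policy is in use. Note also that `Stop-Service -Name EventLog` leaves the policy itself intact, so this check must be paired with a service-state check.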
{
"id": 262,
"key": "impair-defenses-disable-or-modify-tools",
"unprotect_id": "T1562.001",
"name": "Impair Defenses: Disable or Modify Tools",
"description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying or deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.\r\n\r\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.\r\n\r\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools. For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.\r\n\r\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1562/001/",
"creation_date": "2023-02-07T00:02:20.725000Z",
"tags": "Defense Evasion,\r\nbypass event aggregation,\r\nbypass analysis mechanisms,\r\nbypass security tools,\r\nbypass anti-tampering,\r\ndisable updates,\r\nAPT29,\r\nartifact tampering,\r\nGMER,\r\ndriver exploitation,",
"modification_date": "2023-10-04T10:44:59.222000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 261,
"key": "exploitation-for-defense-evasion",
"unprotect_id": "T1211",
"name": "Exploitation for Defense Evasion",
"description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\r\n\r\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1211/",
"creation_date": "2023-01-31T04:53:59.414000Z",
"tags": "Defense Evasion,\r\nbypass security features,\r\nSecurity Software Discovery,\r\nAPT28,\r\nvulnerability exploitation",
"modification_date": "2023-10-04T10:42:38.649000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 260,
"key": "direct-volume-access",
"unprotect_id": "T1006",
"name": "Direct Volume Access",
"description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. \r\n\r\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1006/",
"creation_date": "2023-01-31T04:51:45.101000Z",
"tags": "Defense Evasion,\r\nbypass file access control,\r\nbypass file system monitoring,\r\ndirect access to logical volumes,\r\nNinjaCopy,",
"modification_date": "2023-10-04T10:42:07.369000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 259,
"key": "deobfuscatedecode-files-or-information",
"unprotect_id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\r\n\r\nOne such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. \r\n\r\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1140/",
"creation_date": "2023-01-31T04:49:40.484000Z",
"tags": "Defense Evasion,\r\ncertutil,\r\nWindows copy /b command,\r\nAPT19,\r\nAPT28,\r\nAPT29,\r\nAPT39,\r\ndecryption,",
"modification_date": "2023-10-04T10:44:06.332000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 258,
"key": "debugger-evasion",
"unprotect_id": "T1622",
"name": "Debugger Evasion",
"description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.\r\n\r\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\r\n\r\nSpecific checks will vary based on the target and/or adversary, but may involve Native API function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may enumerate hardware breakpoints, look for interrupt opcodes, measure elapsed time, or test whether an exception raised in the current process reaches the process's own handler (a present debugger would typically \"swallow\" or handle the potential error).\r\n\r\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping Native API function calls such as OutputDebugStringW().",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1622/",
"creation_date": "2023-01-31T04:46:31.665000Z",
"tags": "Defense Evasion, \r\nDiscovery,\r\ncheck for debugged environment,\r\nIsDebuggerPresent(),\r\nNtQueryInformationProcess(),\r\nBeingDebugged flag,\r\nProcess Environment Block (PEB),\r\nOutputDebugStringW(),\r\ndebugging prevention,",
"modification_date": "2023-10-04T10:44:14.923000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 257,
"key": "bits-jobs",
"unprotect_id": "T1197",
"name": "BITS Jobs",
"description": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\r\n\r\nThe interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.\r\n\r\nAdversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).\r\n\r\nBITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1197/",
"creation_date": "2023-01-31T04:43:48.619000Z",
"tags": "Defense Evasion,\r\nPersistence,\r\nWindows Background Intelligent Transfer Service (BITS),\r\nBITSAdmin tool,\r\nComponent Object Model (COM),\r\nexecute malicious code,\r\nperform background tasks,\r\njob creation,\r\nExfiltration Over Alternative Protocol,\r\nAPT39,\r\nAPT41,\r\npayload download,\r\nIndicator Removal,",
"modification_date": "2023-10-04T10:44:11.847000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 256,
"key": "hijack-execution-flow-kernelcallbacktable",
"unprotect_id": "T1574.013",
"name": "Hijack Execution Flow: KernelCallbackTable",
"description": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.\r\n\r\nAn adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as Reflective Code Loading or Process Injection into another process.\r\n\r\nA pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() Native API function). Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.\r\n\r\nThe tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload. Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/013/",
"creation_date": "2023-01-31T04:40:08.137000Z",
"tags": "Persistence, \r\nPrivilege Escalation,\r\nDefense Evasion,\r\nduplicate KernelCallbackTable,\r\nProcess Environment Block (PEB),\r\nuser32.dll,\r\nReflective Code Loading,\r\nProcess Injection,\r\nhijack execution flow,\r\nhijack process control flow,\r\nmemory tampering,\r\nmalicious memory address,\r\nWindows message,",
"modification_date": "2023-10-04T10:44:58.916000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 255,
"key": "hijack-execution-flow-cor_profiler",
"unprotect_id": "T1574.012",
"name": "Hijack Execution Flow: COR_PROFILER",
"description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (i.e., external to .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\r\n\r\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process), resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a Component Object Model (COM) object can be registered as a profiler DLL. A process-scope COR_PROFILER can also be created in memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.\r\n\r\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: Bypass User Account Control) if the victim .NET process executes at a higher permission level, as well as to hook and Impair Defenses provided by .NET processes.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/012/",
"creation_date": "2023-01-31T04:36:31.132000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\n.NET CLR,\r\nCommon Language Runtime (CLR),\r\nComponent Object Model (COM),\r\nCOR_PROFILER_PATH,\r\nCOR_PROFILER,\r\nBypass User Account Control,\r\nImpair Defenses,\r\nmalicious DLL,\r\nsystem environment variables,\r\n.NET Framework 4,",
"modification_date": "2023-10-04T10:44:10.824000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 254,
"key": "hijack-execution-flow-services-registry-permissions-weakness",
"unprotect_id": "T1574.011",
"name": "Hijack Execution Flow: Services Registry Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions.\r\n\r\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\r\n\r\nAdversaries may also alter other Registry keys in the service's Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.\r\n\r\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.[5] If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service's Registry tree to point to a malicious DLL.\r\n\r\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities. Additionally, if adversaries launch their malicious services using svchost.exe, the service's file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/011/",
"creation_date": "2023-01-31T04:33:41.271000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nregistry key manipulation,\r\nservice hijack,\r\nFailureCommand,\r\nPerformance key,\r\nCreate Subkey permission,\r\nParameters key,\r\nmalicious DLL,\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll,",
"modification_date": "2023-10-04T10:43:59.801000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 253,
"key": "hijack-execution-flow-services-file-permissions-weakness",
"unprotect_id": "T1574.010",
"name": "Hijack Execution Flow: Services File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\r\n\r\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/010/",
"creation_date": "2023-01-31T04:30:16.669000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nWindows services,\r\nbinary permissions,\r\nservice hijack,\r\nbinary hijack,",
"modification_date": "2023-10-04T10:44:10.124000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 252,
"key": "hijack-execution-flow-path-interception-by-unquoted-path",
"unprotect_id": "T1574.009",
"name": "Hijack Execution Flow: Path Interception by Unquoted Path",
"description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\r\n\r\nService paths (stored in Windows Registry keys) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program.\r\n\r\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/009/",
"creation_date": "2023-01-31T02:32:19.133000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nprivilege escalation,\r\nunquoted path,\r\npath interception,\r\nhigher level directory,",
"modification_date": "2023-10-04T10:44:09.862000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 251,
"key": "hijack-execution-flow-path-interception-by-search-order-hijacking",
"unprotect_id": "T1574.008",
"name": "Hijack Execution Flow: Path Interception by Search Order Hijacking",
"description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\r\n\r\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike DLL Search Order Hijacking, the search order differs depending on the method that is used to execute the program. However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\r\n\r\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. If an adversary places a program called \"net.exe\" within the same directory as example.exe, that \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT.\r\n\r\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in DLL Search Order Hijacking.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/008/",
"creation_date": "2023-01-31T02:26:31.828000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nsearch order hijacking,\r\npath interception,\r\nhijacking DLL loads,\r\nPATHEXT,",
"modification_date": "2023-10-04T10:43:56.166000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 250,
"key": "hijack-execution-flow-path-interception-by-path-environment-variable",
"unprotect_id": "T1574.007",
"name": "Hijack Execution Flow: Path Interception by PATH Environment Variable",
"description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\r\n\r\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\r\n\r\nFor example, if C:\\example path precedes C:\\Windows\\system32 in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/007/",
"creation_date": "2023-01-31T02:24:05.669000Z",
"tags": "Persistence,\r\nPrivilege Escalation,\r\nDefense Evasion,\r\nPATH environment variable,\r\npath interception,\r\nexecute malicious payloads,\r\n%SystemRoot%\\system32,",
"modification_date": "2023-10-04T10:44:09.595000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 249,
"key": "hijack-execution-flow-executable-installer-file-permissions-weakness",
"unprotect_id": "T1574.005",
"name": "Hijack Execution Flow: Executable Installer File Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\r\n\r\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking.\r\n\r\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/005/",
"creation_date": "2023-01-31T02:20:35.493000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nDLL Search Order Hijacking,\r\nwrite access,\r\nmalicious binaries,\r\nbinary hijack,\r\nprivilege escalation,\r\nBypass User Account Control,\r\n%TEMP%,",
"modification_date": "2023-10-04T10:44:09.321000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 248,
"key": "hijack-execution-flow-dll-side-loading",
"unprotect_id": "T1574.002",
"name": "Hijack Execution Flow: DLL Side-Loading",
"description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\r\n\r\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1574/002/",
"creation_date": "2023-01-31T02:14:22.259000Z",
"tags": "Persistence, \r\nPrivilege Escalation, \r\nDefense Evasion,\r\nDLL search order,\r\nAPT19,\r\nAPT3,\r\nAPT32,\r\nAPT41,\r\nsigned executables,\r\nmimic legitimate DLL,\r\nencrypted payload,\r\npacked payload,\r\nobfuscated payload,",
"modification_date": "2023-10-04T10:44:09.025000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 247,
"key": "hide-artifacts-process-argument-spoofing",
"unprotect_id": "T1564.010",
"name": "Hide Artifacts: Process Argument Spoofing",
"description": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.\r\n\r\nAdversaries may manipulate a process PEB to evade defenses. For example, Process Hollowing can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the Native API WriteProcessMemory() function) then resume process execution with malicious arguments.\r\n\r\nAdversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.\r\n\r\nThis behavior may also be combined with other tricks (such as Parent PID Spoofing) to manipulate or further evade process-based detections.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1564/010/",
"creation_date": "2023-01-31T02:10:02.144000Z",
"tags": "Defense Evasion,\r\nprocess environment block (PEB),\r\nProcess Hollowing,\r\nWriteProcessMemory(),\r\nParent PID Spoofing,\r\nmalicious cmd arguments,",
"modification_date": "2023-10-04T10:44:08.779000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 246,
"key": "hide-artifacts-email-hiding-rules",
"unprotect_id": "T1564.008",
"name": "Hide Artifacts: Email Hiding Rules",
"description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.\r\n\r\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to Internal Spearphishing emails sent from the compromised account.\r\n\r\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1564/008/",
"creation_date": "2023-01-31T02:06:43.058000Z",
"tags": "Defense Evasion,\r\nNew-InboxRule,\r\nSet-InboxRule,\r\nmailbox rules,\r\nmailbox folders,\r\ninbound emails,\r\nphishing,",
"modification_date": "2023-10-04T10:44:50.279000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 245,
"key": "hide-artifacts-vba-stomping",
"unprotect_id": "T1564.007",
"name": "Hide Artifacts: VBA Stomping",
"description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.\r\n\r\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.\r\n\r\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zeros, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even conclude that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed; otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing the malicious p-code and potentially bypassing dynamic analysis.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1564/007/",
"creation_date": "2023-01-31T02:03:17.102000Z",
"tags": "Defense Evasion,\r\nPerformanceCache,\r\n_VBA_PROJECT,\r\nMicrosoft Office,\r\nVisual Basic for Applications (VBA),\r\np-code,\r\nproject stream,\r\nmalicious code,",
"modification_date": "2023-10-04T10:44:36.443000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 244,
"key": "hide-artifacts-run-virtual-instance",
"unprotect_id": "T1564.006",
"name": "Hide Artifacts: Run Virtual Instance",
"description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.\r\n\r\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://attack.mitre.org/techniques/T1564/006/",
"creation_date": "2023-01-31T02:00:27.059000Z",
"tags": "Defense Evasion,\r\nvirtualization,\r\nVirtualBox,\r\nVMware,\r\nHyper-V,\r\ncompromised host,",
"modification_date": "2023-10-04T10:42:09.202000Z",
"category": [
10
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
}
]
}