rabobank-cdc/DeTTECT

Invalid JSON was received

krsecurity opened this issue · 3 comments

This is the error I get when trying to run 'python dettect.py generic -ds'

Traceback (most recent call last):
  File "dettect.py", line 353, in <module>
    _menu(_init_menu())
  File "dettect.py", line 315, in _menu
    get_statistics_data_sources(args.datasources, platform)
  File "/home/krsecurity/DeTTECT/generic_mode.py", line 41, in get_statistics_data_sources
    techniques = load_attack_data(stix_type)
  File "/home/krsecurity/DeTTECT/generic.py", line 143, in load_attack_data
    stix_attack_data = mitre.get_enterprise_techniques()
  File "/usr/local/lib/python3.8/dist-packages/attackcti/attack_api.py", line 356, in get_enterprise_techniques
    enterprise_techniques = self.TC_ENTERPRISE_SOURCE.query(Filter("type", "=", "attack-pattern"))
  File "/usr/local/lib/python3.8/dist-packages/stix2/datastore/taxii.py", line 301, in query
    for resource in paged_request(self.collection.get_objects, per_request=self.items_per_page, **taxii_filters_dict):
  File "/usr/local/lib/python3.8/dist-packages/taxii2client/v20/__init__.py", line 36, in as_pages
    yield _to_json(resp)
  File "/usr/local/lib/python3.8/dist-packages/taxii2client/common.py", line 127, in _to_json
    six.raise_from(InvalidJSONError(
  File "<string>", line 3, in raise_from
taxii2client.exceptions.InvalidJSONError: Invalid JSON was received from https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match%5Btype%5D=attack-pattern

Can anyone help with this? All my versions of requirements are correct.

Interestingly I attempted the same thing from a fresh install on a VM and got the same issue:

(venv) ┌─[root@parrot]─[~/DeTTECT]
└──╼ #python dettect.py generic -ds
Traceback (most recent call last):
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/requests/models.py", line 910, in json
    return complexjson.loads(self.text, **kwargs)
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/simplejson/__init__.py", line 525, in loads
    return _default_decoder.decode(s)
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.errors.JSONDecodeError: Unterminated string starting at: line 1 column 64468 (char 64467)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/taxii2client/common.py", line 124, in _to_json
    return resp.json()
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/requests/models.py", line 917, in json
    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: [Errno Unterminated string starting at] [truncated STIX bundle response body omitted]
Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) \n\nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)\n\nOn a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://attack.mitre.org/techniques/T1614/001","external_id":"T1614.001","source_name":"mitre-attack"},{"url":"https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/","description":"Pierre-Marc Bureau. (2009, January 15). Malware Trying to Avoid Some Countries. Retrieved August 18, 2021.","source_name":"Malware System Language Check"},{"url":"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/","description":"Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.","source_name":"CrowdStrike Ryuk January 2019"},{"url":"https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware","description":"Cybereason Nocturnus. (2021, April 1). Cybereason vs. Darkside Ransomware. 
Retrieved August 18, 2021.","source_name":"Darkside Ransomware Cybereason"},{"url":"https://securelist.com/evolution-of-jsworm-ransomware/102428/","description":"Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.","source_name":"Securelist JSWorm"},{"url":"https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/","description":"Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.","source_name":"SecureList SynAck Doppelgänging May 2018"}],"x_mitre_data_sources":["Windows Registry: Windows Registry Key Access","Process: Process Creation","Process: OS API Execution","Command: Command Execution"],"x_mitre_version":"1.0","x_mitre_platforms":["Windows","Linux","macOS"],"x_mitre_is_subtechnique":true,"x_mitre_permissions_required":["User"],"x_mitre_contributors":["Harshal Tupsamudre, Qualys"],"x_mitre_detection":"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system language information. 
This may include calls to various API functions and interaction with system configuration settings such as the Windows Registry."},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","name":"Group Policy Discovery","modified":"2021-10-15T23:16:28.296Z","created":"2021-08-06T13:10:12.916Z","kill_chain_phases":[{"kill_chain_name":"mitre-attack","phase_name":"discovery"}],"id":"attack-pattern--1b20efbf-8063-4fc3-a07d-b575318a301b","description":"Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path <code>\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\</code>.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. 
[Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://attack.mitre.org/techniques/T1615","external_id":"T1615","source_name":"mitre-attack"},{"url":"https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/","description":"srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.","source_name":"TechNet Group Policy Basics"},{"url":"https://adsecurity.org/?p=2716","description":"Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.","source_name":"ADSecurity GPO Persistence 2016"},{"url":"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult","description":"Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021.","source_name":"Microsoft gpresult"},{"source_name":"Github PowerShell Empire","description":"Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.","url":"https://github.com/EmpireProject/Empire"}],"x_mitre_data_sources":["Network Traffic: Network Traffic Content","Active Directory: Active Directory Object Access","Script: Script Execution","Command: Command Execution","Process: Process Creation"],"x_mitre_version":"1.0","x_mitre_platforms":["Windows"],"x_mitre_is_subtechnique":false,"x_mitre_permissions_required":["User"],"x_mitre_contributors":["Ted Samuels, Rapid7","Jonhnathan Ribeiro, 3CORESec, @_w0rk3r"],"x_mitre_detection":"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor for suspicious use of <code>gpresult</code>. Monitor for the use of PowerShell functions such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code> and processes spawning with command-line arguments containing <code>GPOLocalGroup</code>.\n\nMonitor for abnormal LDAP queries with filters for <code>groupPolicyContainer</code> and high volumes of LDAP traffic to domain controllers. Windows Event ID 4661 can also be used to detect when a directory service has been accessed."},{"type":"attack-pattern","modified":"2021-10-14T21:09:59.588Z","name":"Double File Extension","created":"2021-08-04T20:54:03.066Z","id":"attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e","description":"Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. 
Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named <code>Evil.txt.exe</code> may display as <code>Evil.txt</code> to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.","object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"kill_chain_phases":[{"kill_chain_name":"mitre-attack","phase_name":"defense-evasion"}],"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://attack.mitre.org/techniques/T1036/007","external_id":"T1036.007","source_name":"mitre-attack"},{"url":"https://www.pcmag.com/encyclopedia/term/double-extension","description":"PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.","source_name":"PCMag DoubleExtension"},{"url":"https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/","description":"Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021.","source_name":"SOCPrime DoubleExtension"},{"url":"https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/","description":"Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension?. 
Retrieved July 27, 2021.","source_name":"Seqrite DoubleExtension"}],"x_mitre_data_sources":["File: File Creation","File: File Metadata"],"x_mitre_version":"1.0","x_mitre_platforms":["Windows"],"x_mitre_is_subtechnique":true,"x_mitre_detection":"Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.(Citation: Seqrite DoubleExtension)"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","name":"Safe Mode Boot","modified":"2021-08-31T14:51:47.352Z","created":"2021-06-23T20:00:27.600Z","kill_chain_phases":[{"kill_chain_name":"mitre-attack","phase_name":"defense-evasion"}],"id":"attack-pattern--28170e17-8384-415c-8486-2e6b294cb803","description":"Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). 
Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://attack.mitre.org/techniques/T1562/009","external_id":"T1562.009","source_name":"mitre-attack"},{"url":"https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-10-92c27cff-db89-8644-1ce4-b3e5e56fe234","description":"Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021.","source_name":"Microsoft Safe Mode"},{"url":"https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/","description":"Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.","source_name":"Sophos Snatch Ransomware 2019"},{"url":"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit","description":"Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021.","source_name":"Microsoft bcdedit 2021"},{"url":"https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise","description":"Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.","source_name":"CyberArk Labs Safe Mode 2016"},{"url":"https://www.cybereason.com/blog/medusalocker-ransomware","description":"Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.","source_name":"Cybereason Nocturnus MedusaLocker 2020"},{"url":"https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/","description":"Abrams, L. (2021, March 19). 
REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.","source_name":"BleepingComputer REvil 2021"},{"url":"https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg","description":"Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021.","source_name":"Microsoft Bootcfg"}],"x_mitre_data_sources":["Process: Process Creation","Windows Registry: Windows Registry Key Modification","Windows Registry: Windows Registry Key Creation","Command: Command Execution"],"x_mitre_version":"1.0","x_mitre_defense_bypassed":["Host Intrusion Prevention Systems","Anti-virus"],"x_mitre_platforms":["Windows"],"x_mitre_is_subtechnique":true,"x_mitre_permissions_required":["Administrator"],"x_mitre_contributors":["Jorell Magtibay, National Australia Bank Limited","Kiyohito Yamamoto, RedLark, NTT Communications","Yusuke Kubo, RedLark, NTT Communications"],"x_mitre_detection":"Monitor Registry modification and additions for services that may start on safe mode. 
For example, a program can be forced to start on safe mode boot by adding a <code>\\*</code> in front of the \"Startup\" value name: <code>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[\"\\*Startup\"=\"{Path}\"]</code> or by adding a key to <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal</code>.(Citation: BleepingComputer REvil 2021)(Citation: Sophos Snatch Ransomware 2019)\n\nMonitor execution of processes and commands associated with making configuration changes to boot settings, such as <code>bcdedit.exe</code> and <code>bootcfg.exe</code>.(Citation: Microsoft bcdedit 2021)(Citation: Microsoft Bootcfg)(Citation: Sophos Snatch Ransomware 2019)"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","name":"Email Hiding Rules","modified":"2021-10-16T01:24:31.674Z","created":"2021-06-07T13:20:23.767Z","kill_chain_phases":[{"kill_chain_name":"mitre-attack","phase_name":"defense-evasion"}],"id":"attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff","description":"Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. 
Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as <code>malware</code>, <code>suspicious</code>, <code>phish</code>, and <code>hack</code>) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://attack.mitre.org/techniques/T1564/008","external_id":"T1564.008","source_name":"mitre-attack"},{"url":"https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59","description":"Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.","source_name":"Microsoft Inbox Rules"},{"url":"https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac","description":"Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.","source_name":"MacOS Email Rules"},{"url":"https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps","description":"Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.","source_name":"Microsoft New-InboxRule"},{"url":"https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps","description":"Microsoft. (n.d.). Set-InboxRule. 
Retrieved June 7, 2021.","source_name":"Microsoft Set-InboxRule"},{"url":"https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154","description":"Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.","source_name":"Microsoft Cloud App Security"},{"url":"https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/","description":"Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.","source_name":"Microsoft BEC Campaign"}],"x_mitre_data_sources":["File: File Modification","Command: Command Execution","Application Log: Application Log Content"],"x_mitre_version":"1.0","x_mitre_platforms":["Windows","Office 365","Linux","macOS"],"x_mitre_is_subtechnique":true,"x_mitre_permissions_required":["User"],"x_mitre_contributors":["Dor Edry, Microsoft"],"x_mitre_detection":"Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.\n\nOn Windows systems, monitor for creation of suspicious inbox rules through the use of the <code>New-InboxRule</code> and <code>Set-InboxRule</code> PowerShell cmdlets.(Citation: Microsoft BEC Campaign) On MacOS systems, monitor for modifications to the <code>RulesActiveState.plist</code>, <code>SyncedRules.plist</code>, <code>UnsyncedRules.plist</code>, and <code>MessageRules.plist</code> files.(Citation: MacOS Email Rules)"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","name":"IIS 
Components","modified":"2021-10-17T15:06:24.161Z","created":"2021-06-03T18:44:29.770Z","kill_chain_phases":[{"kill_chain_name":"mitre-attack","phase_name":"persistence"}],"id":"attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001","description":"Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)\n\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)\n\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. 
IIS modules can be written as a DLL that exports <code>RegisterModule</code>, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://attack.mitre.org/techniques/T1505/004","external_id":"T1505.004","source_name":"mitre-attack"},{"url":"https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)","description":"Microsoft. (2017, June 16). ISAPI Extension Overview. Retrieved June 3, 2021.","source_name":"Microsoft ISAPI Extension Overview 2017"},{"url":"https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90)","description":"Microsoft. (2017, June 16). ISAPI Filter Overview. Retrieved June 3, 2021.","source_name":"Microsoft ISAPI Filter Overview 2017"},{"url":"https://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html","description":"Julien. (2011, February 2). IIS Backdoor. Retrieved June 3, 2021.","source_name":"IIS Backdoor 2011"},{"url":"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/","description":"Grunzweig, J. (2013, December 9). The Curious Case of the Malicious IIS Module. Retrieved June 3, 2021.","source_name":"Trustwave IIS Module 2013"},{"url":"https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525696(v=vs.90)","description":"Microsoft. (2017, June 16). Intercepting All Incoming IIS Requests. Retrieved June 3, 2021.","source_name":"Microsoft ISAPI Extension All Incoming 2017"},{"url":"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage","description":"Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. 
Retrieved August 18, 2018.","source_name":"Dell TG-3390"},{"url":"https://web.archive.org/web/20140804175025/http:/blogs.technet.com/b/mmpc/archive/2012/10/03/malware-signed-with-the-adobe-code-signing-certificate.aspx","description":"MMPC. (2012, October 3). Malware signed with the Adobe code signing certificate. Retrieved June 3, 2021.","source_name":"MMPC ISAPI Filter 2012"},{"url":"https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview","description":"Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021.","source_name":"Microsoft IIS Modules Overview 2007"},{"url":"https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf","description":"Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021.","source_name":"ESET IIS Malware 2021"},{"source_name":"Unit 42 RGDoor Jan 2018","description":"Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.","url":"https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"}],"x_mitre_data_sources":["File: File Creation","File: File Modification","Command: Command Execution"],"x_mitre_version":"1.0","x_mitre_platforms":["Windows"],"x_mitre_is_subtechnique":true,"x_mitre_permissions_required":["Administrator","SYSTEM"],"x_mitre_contributors":["Wes Hurd"],"x_mitre_detection":"Monitor for creation and/or modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. 
Changes to <code>%windir%\\system32\\inetsrv\\config\\applicationhost.config</code> could indicate an IIS module installation.(Citation: Microsoft IIS Modules Overview 2007)(Citation: ESET IIS Malware 2021)\n\nMonitor execution and command-line arguments of <code>AppCmd.exe</code>, which may be abused to install malicious IIS modules.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021)"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","name":"HTML Smuggling","modified":"2021-10-18T12:03:12.510Z","created":"2021-05-20T12:20:42.219Z","kill_chain_phases":[{"kill_chain_name":"mitre-attack","phase_name":"defense-evasion"}],"id":"attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb","description":"Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. 
[Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://attack.mitre.org/techniques/T1027/006","external_id":"T1027.006","source_name":"mitre-attack"},{"url":"https://www.menlosecurity.com/blog/new-attack-alert-duri","description":"Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.","source_name":"HTML Smuggling Menlo Security 2020"},{"url":"https://outflank.nl/blog/2018/08/14/html-smuggling-explained/","description":"Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.","source_name":"Outlflank HTML Smuggling 2018"},{"url":"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/","description":"Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.","source_name":"MSTIC NOBELIUM May 2021"},{"url":"https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/","description":"Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. 
Retrieved May 20, 2021.","source_name":"nccgroup Smuggling HTA 2017"}],"x_mitre_data_sources":["File: File Creation"],"x_mitre_version":"1.0","x_mitre_defense_bypassed":["Web content filters","Anti-virus","Static file analysis"],"x_mitre_platforms":["Windows","Linux","macOS"],"x_mitre_is_subtechnique":true,"x_mitre_permissions_required":["User"],"x_mitre_contributors":["Stan Hegt, Outflank","Jonathan Boucher, @crash_wave, Bank of Canada"],"x_mitre_detection":"Detection of HTML Smuggling is difficult as HTML5 and JavaScript attributes are used by legitimate services and applications. HTML Smuggling can be performed in many ways via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging.(Citation: Outlflank HTML Smuggling 2018) Detecting specific JavaScript and/or HTML5 attribute strings such as <code>Blob</code>, <code>msSaveOrOpenBlob</code>, and/or <code>download</code> may be a good indicator of HTML Smuggling. These strings may also be used by legitimate services therefore it is possible to raise false positives.\n\nConsider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities."},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","name":"Code Repositories","modified":"2021-10-16T01:35:43.483Z","created":"2021-05-11T18:51:16.343Z","kill_chain_phases":[{"kill_chain_name":"mitre-attack","phase_name":"collection"}],"id":"attack-pattern--cff94884-3b1c-4987-a70b-6d5643c621c3","description":"Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. 
They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code.  Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.: 64467

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/root/DeTTECT/dettect.py", line 353, in <module>
    _menu(_init_menu())
  File "/root/DeTTECT/dettect.py", line 315, in _menu
    get_statistics_data_sources(args.datasources, platform)
  File "/root/DeTTECT/generic_mode.py", line 41, in get_statistics_data_sources
    techniques = load_attack_data(stix_type)
  File "/root/DeTTECT/generic.py", line 143, in load_attack_data
    stix_attack_data = mitre.get_enterprise_techniques()
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/attackcti/attack_api.py", line 356, in get_enterprise_techniques
    enterprise_techniques = self.TC_ENTERPRISE_SOURCE.query(Filter("type", "=", "attack-pattern"))
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/stix2/datastore/taxii.py", line 301, in query
    for resource in paged_request(self.collection.get_objects, per_request=self.items_per_page, **taxii_filters_dict):
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/taxii2client/v20/__init__.py", line 36, in as_pages
    yield _to_json(resp)
  File "/root/DeTTECT/venv/lib/python3.9/site-packages/taxii2client/common.py", line 127, in _to_json
    six.raise_from(InvalidJSONError(
  File "<string>", line 3, in raise_from
taxii2client.exceptions.InvalidJSONError: Invalid JSON was received from https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match%5Btype%5D=attack-pattern

I have the idea that something is going wrong at MITRE's TAXII server. Also, one of my GitHub Actions failed to run even though I have not introduced any changes.

Seems like the problem is resolved at the TAXII server.
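For anyone hitting this outside of a transient outage: the traceback shows the TAXII body being rejected as invalid JSON, and the truncated bundle above suggests the response was cut off mid-object. Below is an added example (not DeTT&CT project code and not from anyone in this thread) of how a loader can retry such a fetch, report where the body broke, and fall back to a previously saved bundle instead of crashing at the top level. The fetch is simulated with a constructed truncated STIX bundle and a constructed cached bundle so it runs offline; `load_attack_data_resilient`, `fake_fetch_truncated`, `fake_fetch_valid` and the cache layout are assumptions for illustration. In a real deployment the fetch callable would wrap the `attackcti`/`taxii2client` call from the traceback and the caught exceptions would also include `taxii2client.exceptions.InvalidJSONError`.

```python
"""Resilient loading of ATT&CK STIX objects when the upstream TAXII feed returns
a broken body. Added example, not DeTT&CT code; the network fetch is simulated
with constructed data so the script runs offline."""
import json
from typing import Callable, Dict, List, Optional

# Constructed sample: a STIX bundle cut off in the middle of a string value,
# the way the issue's traceback shows the server response being cut at a byte
# offset. json.loads() cannot parse this.
TRUNCATED_RESPONSE = (
    '{"type":"bundle","objects":[{"type":"attack-pattern","name":"HTML Smuggling",'
    '"external_references":[{"external_id":"T1027.006","source_name":"mitre-att'
)

# Constructed stand-in for a locally cached enterprise-attack bundle saved from
# an earlier successful run (only the fields this example reads are present).
CACHED_BUNDLE: Dict = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "HTML Smuggling",
         "external_references": [{"external_id": "T1027.006", "source_name": "mitre-attack"}]},
        {"type": "attack-pattern", "name": "Code Repositories",
         "external_references": [{"external_id": "T1213.003", "source_name": "mitre-attack"}]},
    ],
}


def diagnose_invalid_json(body: str) -> str:
    """Describe why a response body failed to parse, including the byte offset,
    so a log line shows whether the feed was truncated or otherwise malformed."""
    try:
        json.loads(body)
        return "body is valid JSON"
    except json.JSONDecodeError as exc:
        return f"{exc.msg} at char {exc.pos} of {len(body)}"


def load_attack_data_resilient(fetch: Callable[[], str],
                               cache: Optional[Dict],
                               retries: int = 2) -> Dict:
    """Try the live fetch up to `retries` times; on invalid JSON fall back to
    the cached bundle. Returns the bundle, its provenance and the errors seen,
    so callers can warn that they are working from stale data."""
    errors: List[str] = []
    for attempt in range(1, retries + 1):
        body = fetch()  # in production: the raw text of the TAXII response
        try:
            bundle = json.loads(body)
            return {"source": "taxii", "attempt": attempt, "bundle": bundle, "errors": errors}
        except json.JSONDecodeError:
            # Record the diagnosis rather than letting the exception escape to
            # the CLI entry point, as happens in the traceback on this page.
            errors.append(f"attempt {attempt}: {diagnose_invalid_json(body)}")
    if cache is None:
        raise RuntimeError("TAXII feed unusable and no cached bundle: " + "; ".join(errors))
    return {"source": "cache", "attempt": retries, "bundle": cache, "errors": errors}


def technique_ids(bundle: Dict) -> List[str]:
    """Collect ATT&CK technique IDs from the attack-pattern objects of a bundle."""
    ids: List[str] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
                ids.append(ref["external_id"])
    return ids


def fake_fetch_truncated() -> str:
    """Simulated fetch that always returns the constructed truncated body."""
    return TRUNCATED_RESPONSE


def fake_fetch_valid() -> str:
    """Simulated fetch that returns a well-formed bundle."""
    return json.dumps(CACHED_BUNDLE)


if __name__ == "__main__":
    result = load_attack_data_resilient(fake_fetch_truncated, CACHED_BUNDLE)
    print(f"loaded from {result['source']} after {result['attempt']} attempt(s)")
    for err in result["errors"]:
        print("  ", err)
    print("techniques:", technique_ids(result["bundle"]))
```

The point of returning the provenance alongside the data is that a statistics or mapping run on a stale cache should say so in its output; silently using old technique data would be worse than failing loudly.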