init commit

vadzik 2023-12-14 10:12:15 +03:00
commit 2692e3a08d
8 changed files with 60956 additions and 0 deletions

5
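--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+venv
+~*
+*.pdf
+*.odt
+*.docx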

4154
APT41.txt Normal file


246
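--- a/CURIUM.txt
+++ b/CURIUM.txt
@@ -0,0 +1,246 @@
+type : intrusion-set
+id : intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a
+created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+created : 2023-01-13T20:51:13.494Z
+modified : 2023-04-12T13:21:41.276Z
+name : CURIUM
+description : [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+aliases : ['CURIUM']
+external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1012', 'external_id': 'G1012'}, {'source_name': 'Microsoft Iranian Threat Actor Trends November 2021', 'description': 'MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'}]
+object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
+x_mitre_attack_spec_version : 3.1.0
+x_mitre_deprecated : False
+x_mitre_domains : ['enterprise-attack']
+x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+x_mitre_version : 1.0
+technique_ref : attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
+relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has exfiltrated data from a compromised machine.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+relationship_id : relationship--6fad7038-4d0f-48c3-937a-7128d4bf0592
+revoked : False
+technique : Data from Local System
+technique_description : Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
+Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
+tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
+technique_id : T1005
+matrix : mitre-attack
+platform : ['Linux', 'macOS', 'Windows', 'Network']
+data_sources : ['Process: OS API Execution', 'Script: Script Execution', 'Command: Command Execution', 'Process: Process Creation', 'File: File Access']
+----------------------------------------------------------------------------------------------------
+type : intrusion-set
+id : intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a
+created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+created : 2023-01-13T20:51:13.494Z
+modified : 2023-04-12T13:21:41.276Z
+name : CURIUM
+description : [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+aliases : ['CURIUM']
+external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1012', 'external_id': 'G1012'}, {'source_name': 'Microsoft Iranian Threat Actor Trends November 2021', 'description': 'MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'}]
+object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
+x_mitre_attack_spec_version : 3.1.0
+x_mitre_deprecated : False
+x_mitre_domains : ['enterprise-attack']
+x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+x_mitre_version : 1.0
+technique_ref : attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317
+relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has used social media to deliver malicious files to victims.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+relationship_id : relationship--06a1f6f9-0695-47e6-bf1b-363d435d0bb2
+revoked : False
+technique : Spearphishing via Service
+technique_description : Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
+All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.
+A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.
+tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
+technique_id : T1566.003
+matrix : mitre-attack
+platform : ['Linux', 'macOS', 'Windows']
+data_sources : ['Network Traffic: Network Traffic Flow', 'Application Log: Application Log Content', 'Network Traffic: Network Traffic Content']
+----------------------------------------------------------------------------------------------------
+type : intrusion-set
+id : intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a
+created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+created : 2023-01-13T20:51:13.494Z
+modified : 2023-04-12T13:21:41.276Z
+name : CURIUM
+description : [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+aliases : ['CURIUM']
+external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1012', 'external_id': 'G1012'}, {'source_name': 'Microsoft Iranian Threat Actor Trends November 2021', 'description': 'MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'}]
+object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
+x_mitre_attack_spec_version : 3.1.0
+x_mitre_deprecated : False
+x_mitre_domains : ['enterprise-attack']
+x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+x_mitre_version : 1.0
+technique_ref : attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e
+relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has lured users into opening malicious files delivered via social media.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+relationship_id : relationship--24021025-b5db-4ebb-89cb-49fe5c4d709e
+revoked : False
+technique : Malicious File
+technique_description : An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
+Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
+While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
+tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
+technique_id : T1204.002
+matrix : mitre-attack
+platform : ['Linux', 'macOS', 'Windows']
+data_sources : ['Process: Process Creation', 'File: File Creation']
+----------------------------------------------------------------------------------------------------
+type : intrusion-set
+id : intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a
+created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+created : 2023-01-13T20:51:13.494Z
+modified : 2023-04-12T13:21:41.276Z
+name : CURIUM
+description : [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+aliases : ['CURIUM']
+external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1012', 'external_id': 'G1012'}, {'source_name': 'Microsoft Iranian Threat Actor Trends November 2021', 'description': 'MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'}]
+object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
+x_mitre_attack_spec_version : 3.1.0
+x_mitre_deprecated : False
+x_mitre_domains : ['enterprise-attack']
+x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+x_mitre_version : 1.0
+technique_ref : attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928
+relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+relationship_id : relationship--6fc8e3dd-1bb7-4e76-8a8c-9e836f944488
+revoked : False
+technique : Social Media Accounts
+technique_description : Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
+For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.
+Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
+tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')]
+technique_id : T1585.001
+matrix : mitre-attack
+platform : ['PRE']
+data_sources : ['Network Traffic: Network Traffic Content', 'Persona: Social Media']
+----------------------------------------------------------------------------------------------------
+type : intrusion-set
+id : intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a
+created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+created : 2023-01-13T20:51:13.494Z
+modified : 2023-04-12T13:21:41.276Z
+name : CURIUM
+description : [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+aliases : ['CURIUM']
+external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1012', 'external_id': 'G1012'}, {'source_name': 'Microsoft Iranian Threat Actor Trends November 2021', 'description': 'MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'}]
+object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
+x_mitre_attack_spec_version : 3.1.0
+x_mitre_deprecated : False
+x_mitre_domains : ['enterprise-attack']
+x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+x_mitre_version : 1.0
+technique_ref : attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
+relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has exfiltrated data from a compromised machine.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+relationship_id : relationship--6fad7038-4d0f-48c3-937a-7128d4bf0592
+revoked : False
+technique : Data from Local System
+technique_description : Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
+Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
+tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
+technique_id : T1005
+matrix : mitre-attack
+platform : ['Linux', 'macOS', 'Windows', 'Network']
+data_sources : ['Process: OS API Execution', 'Script: Script Execution', 'Command: Command Execution', 'Process: Process Creation', 'File: File Access']
+----------------------------------------------------------------------------------------------------
+type : intrusion-set
+id : intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a
+created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+created : 2023-01-13T20:51:13.494Z
+modified : 2023-04-12T13:21:41.276Z
+name : CURIUM
+description : [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+aliases : ['CURIUM']
+external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1012', 'external_id': 'G1012'}, {'source_name': 'Microsoft Iranian Threat Actor Trends November 2021', 'description': 'MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'}]
+object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
+x_mitre_attack_spec_version : 3.1.0
+x_mitre_deprecated : False
+x_mitre_domains : ['enterprise-attack']
+x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+x_mitre_version : 1.0
+technique_ref : attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317
+relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has used social media to deliver malicious files to victims.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+relationship_id : relationship--06a1f6f9-0695-47e6-bf1b-363d435d0bb2
+revoked : False
+technique : Spearphishing via Service
+technique_description : Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
+All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.
+A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.
+tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')]
+technique_id : T1566.003
+matrix : mitre-attack
+platform : ['Linux', 'macOS', 'Windows']
+data_sources : ['Network Traffic: Network Traffic Flow', 'Application Log: Application Log Content', 'Network Traffic: Network Traffic Content']
+----------------------------------------------------------------------------------------------------
+type : intrusion-set
+id : intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a
+created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+created : 2023-01-13T20:51:13.494Z
+modified : 2023-04-12T13:21:41.276Z
+name : CURIUM
+description : [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+aliases : ['CURIUM']
+external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1012', 'external_id': 'G1012'}, {'source_name': 'Microsoft Iranian Threat Actor Trends November 2021', 'description': 'MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'}]
+object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
+x_mitre_attack_spec_version : 3.1.0
+x_mitre_deprecated : False
+x_mitre_domains : ['enterprise-attack']
+x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+x_mitre_version : 1.0
+technique_ref : attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e
+relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has lured users into opening malicious files delivered via social media.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+relationship_id : relationship--24021025-b5db-4ebb-89cb-49fe5c4d709e
+revoked : False
+technique : Malicious File
+technique_description : An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
+Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
+While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
+tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
+technique_id : T1204.002
+matrix : mitre-attack
+platform : ['Linux', 'macOS', 'Windows']
+data_sources : ['Process: Process Creation', 'File: File Creation']
+----------------------------------------------------------------------------------------------------
+type : intrusion-set
+id : intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a
+created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+created : 2023-01-13T20:51:13.494Z
+modified : 2023-04-12T13:21:41.276Z
+name : CURIUM
+description : [CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+aliases : ['CURIUM']
+external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1012', 'external_id': 'G1012'}, {'source_name': 'Microsoft Iranian Threat Actor Trends November 2021', 'description': 'MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021'}]
+object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
+x_mitre_attack_spec_version : 3.1.0
+x_mitre_deprecated : False
+x_mitre_domains : ['enterprise-attack']
+x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+x_mitre_version : 1.0
+technique_ref : attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928
+relationship_description : [CURIUM](https://attack.mitre.org/groups/G1012) has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
+relationship_id : relationship--6fc8e3dd-1bb7-4e76-8a8c-9e836f944488
+revoked : False
+technique : Social Media Accounts
+technique_description : Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
+For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.
+Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
+tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')]
+technique_id : T1585.001
+matrix : mitre-attack
+platform : ['PRE']
+data_sources : ['Network Traffic: Network Traffic Content', 'Persona: Social Media']
+----------------------------------------------------------------------------------------------------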
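Review bot: The four relationship records in CURIUM.txt (relationship_id values relationship--6fad7038-…, relationship--06a1f6f9-…, relationship--24021025-…, relationship--6fc8e3dd-…) are each written twice — the second `type : intrusion-set` record after the fourth separator starts a verbatim repeat of the first four — so any consumer that counts techniques per group from this file will double-count; the exporter should dedupe on relationship_id before writing. The file is also not loadable by a standard parser: values such as `tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]` and `revoked : False` are Python reprs rather than JSON or YAML, the multi-paragraph technique_description values continue on unindented lines, and the 100-dash separator is not a YAML document marker, so the data can only be recovered by re-parsing it with ad-hoc string handling. Emitting each record as one JSON object per line (or as a STIX bundle) would keep the data lossless and diffable. If this is a generated export, as the repr output suggests, recording the ATT&CK release it was taken from next to x_mitre_attack_spec_version would let later re-exports be compared; the same points apply to Group5.txt, whose section runs past the end of this view.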

234
Group5.txt Normal file

@ -0,0 +1,234 @@
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
relationship_description : Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of capturing keystrokes.(Citation: Citizen Lab Group5)
relationship_id : relationship--8447c89e-a743-430e-8ef5-41abfcde1a01
revoked : False
technique : Keylogging
technique_description : Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
* Reading raw keystroke data from the hardware buffer.
* Windows Registry modifications.
* Custom drivers.
* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
technique_id : T1056.001
matrix : mitre-attack
platform : ['Windows', 'macOS', 'Linux', 'Network']
data_sources : ['Driver: Driver Load', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Modification']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688
relationship_description : Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of watching the victim's screen.(Citation: Citizen Lab Group5)
relationship_id : relationship--8e69c855-db70-4b5e-866b-f9ce0b786156
revoked : False
technique : Screen Capture
technique_description : Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
technique_id : T1113
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Command: Command Execution', 'Process: OS API Execution']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
relationship_description : Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of remotely deleting files from victims.(Citation: Citizen Lab Group5)
relationship_id : relationship--a9bc7666-f637-4093-a5bb-4edb61710e45
revoked : False
technique : File Deletion
technique_description : Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include <code>del</code> on Windows and <code>rm</code> or <code>unlink</code> on Linux and macOS.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1070.004
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Command: Command Execution', 'File: File Deletion']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a
relationship_description : [Group5](https://attack.mitre.org/groups/G0043) disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5)
relationship_id : relationship--c3a1969b-1edb-4a78-80ab-b122cc2822e4
revoked : False
technique : Obfuscated Files or Information
technique_description : Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1027
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['WMI: WMI Creation', 'Script: Script Execution', 'File: File Creation', 'Module: Module Load', 'Command: Command Execution', 'File: File Metadata', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4
relationship_description : Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of capturing keystrokes.(Citation: Citizen Lab Group5)
relationship_id : relationship--8447c89e-a743-430e-8ef5-41abfcde1a01
revoked : False
technique : Keylogging
technique_description : Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
* Reading raw keystroke data from the hardware buffer.
* Windows Registry modifications.
* Custom drivers.
* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
technique_id : T1056.001
matrix : mitre-attack
platform : ['Windows', 'macOS', 'Linux', 'Network']
data_sources : ['Driver: Driver Load', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Modification']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688
relationship_description : Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of watching the victim's screen.(Citation: Citizen Lab Group5)
relationship_id : relationship--8e69c855-db70-4b5e-866b-f9ce0b786156
revoked : False
technique : Screen Capture
technique_description : Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
technique_id : T1113
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Command: Command Execution', 'Process: OS API Execution']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
relationship_description : Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of remotely deleting files from victims.(Citation: Citizen Lab Group5)
relationship_id : relationship--a9bc7666-f637-4093-a5bb-4edb61710e45
revoked : False
technique : File Deletion
technique_description : Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include <code>del</code> on Windows and <code>rm</code> or <code>unlink</code> on Linux and macOS.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1070.004
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Command: Command Execution', 'File: File Deletion']
----------------------------------------------------------------------------------------------------
type : intrusion-set
id : intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31T21:32:08.304Z
modified : 2020-03-30T19:07:39.812Z
name : Group5
description : [Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
aliases : ['Group5']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0043', 'external_id': 'G0043'}, {'source_name': 'Group5', 'description': '(Citation: Citizen Lab Group5)'}, {'source_name': 'Citizen Lab Group5', 'description': 'Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.', 'url': 'https://citizenlab.ca/2016/08/group5-syria/'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.2
technique_ref : attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a
relationship_description : [Group5](https://attack.mitre.org/groups/G0043) disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5)
relationship_id : relationship--c3a1969b-1edb-4a78-80ab-b122cc2822e4
revoked : False
technique : Obfuscated Files or Information
technique_description : Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1027
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['WMI: WMI Creation', 'Script: Script Execution', 'File: File Creation', 'Module: Module Load', 'Command: Command Execution', 'File: File Metadata', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------

53048
MITRE_ATT&CK.mhtml Normal file


96
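--- a/main.py
+++ b/main.py
@@ -0,0 +1,96 @@
+from attackcti import attack_client
+technique_severity = {}
+group_techniques = []
+group_severity = {}
+def get_techniques_id(id):
+global group_techniques
+for technique in group_techniques:
+if id == technique["technique_id"]:
+return technique
+def main():
+global group_techniques, group_severity
+client = attack_client()
+group_techniques = client.get_techniques_used_by_all_groups()
+for technique in group_techniques:
+if technique["technique_id"] not in technique_severity.keys():
+technique_severity[technique['technique_id']] = 1
+else:
+technique_severity[technique['technique_id']] += 1
+technique_severity_asc = dict(sorted(technique_severity.items(), key=lambda x: x[1]))
+technique_severity_des = dict(reversed(sorted(technique_severity.items(), key=lambda x: x[1])))
+i = 0
+for technique in technique_severity_asc:
+technique_info = get_techniques_id(technique)
+print(f"| {technique_info['technique_id']:10} | {technique_severity_des[technique]}")
+i += 1
+if i == 5:
+break
+i = 0
+for technique in technique_severity_des:
+technique_info = get_techniques_id(technique)
+print(f"| {technique_info['technique_id']:10} | {technique_severity_des[technique]}")
+i += 1
+if i == 5:
+break
+for technique in group_techniques:
+if technique["name"] not in group_severity.keys():
+group_severity[technique['name']] = 1
+else:
+group_severity[technique['name']] += 1
+group_severity_des = dict(sorted(group_severity.items(), key=lambda x:(-x[1], x[0])))
+needed_group = None
+needed_group_stix = None
+i = 0
+for group in group_severity_des:
+print(f"{group} | {group_severity_des[group]}")
+if i == 22:
+needed_group = group
+i += 1
+print(needed_group)
+for technique in group_techniques:
+if technique['name'] == "APT41" or technique['name'] == "CURIUM" or technique['name'] == "Group5":
+for key,item in technique.items():
+with open(f"{technique['name']}.txt", "a") as file:
+file.write(f"{key} : {item}\n")
+with open(f"{technique['name']}.txt", "a") as file:
+file.write("-"*100 + "\n")
+for technique in group_techniques:
+if technique['name'] == needed_group:
+needed_group_stix = technique
+for key,item in technique.items():
+with open("need_group.txt", "a") as file:
+file.write(f"{key} : {item}\n")
+with open("need_group.txt", "a") as file:
+file.write("-"*100 + "\n")
+group_software = client.get_software_used_by_group(needed_group_stix)
+for software in group_software:
+for key,item in software.items():
+with open("need_group_software.txt", "a") as file:
+file.write(f"{key} : {item}\n")
+with open("need_group_software.txt", "a") as file:
+file.write("-"*100 + "\n")
+if __name__ == "__main__":
+main()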
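Review bot: Every dump file is opened in append mode (`with open(f"{technique['name']}.txt", "a")`, and likewise for `need_group.txt` and `need_group_software.txt`), so each re-run appends a second copy of every record and the committed dumps already show it — the same Group5 relationship `relationship--8447c89e-a743-430e-8ef5-41abfcde1a01` is written out twice in the same file. Open each output once in `"w"` mode around its loop instead of reopening it per field, as sketched below; the same restructuring applies to the two `need_group*` dumps. The `if i == 22: needed_group = group` selection depends on the current ordering of the remote ATT&CK data (the 23rd group changes as the catalogue is updated) and leaves `needed_group` as `None`, with `client.get_software_used_by_group(None)` failing afterwards, if fewer than 23 groups come back; naming the intended group explicitly would be safer. `technique_severity` and `group_severity` count (group, technique) relationships, i.e. prevalence, so a comment such as `# number of group->technique relationships per technique id (prevalence, not severity)` would prevent misreading the printed tables.

```python
# … unchanged: client setup, prevalence counting and printed tables …
for name in ("APT41", "CURIUM", "Group5"):
    with open(f"{name}.txt", "w") as file:
        for technique in group_techniques:
            if technique["name"] != name:
                continue
            for key, item in technique.items():
                file.write(f"{key} : {item}\n")
            file.write("-" * 100 + "\n")
# … unchanged: needed_group selection and software dump (same open-once pattern) …
```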

3000
need_group.txt Normal file


173
need_group_software.txt Normal file

@ -0,0 +1,173 @@
type : malware
id : malware--ec9e00dd-0313-4d5b-8105-c20aa47abffc
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2021-03-23 20:49:39.954000+00:00
modified : 2023-03-26 20:09:03.093000+00:00
name : ShadowPad
description : [ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://attack.mitre.org/groups/G0096), but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017)
revoked : False
labels : ['malware']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0596', external_id='S0596'), ExternalReference(source_name='POISONPLUG.SHADOW', description='(Citation: FireEye APT41 Aug 2019)'), ExternalReference(source_name='FireEye APT41 Aug 2019', description='Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', url='https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'), ExternalReference(source_name='Securelist ShadowPad Aug 2017', description='GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.', url='https://securelist.com/shadowpad-in-corporate-networks/81432/'), ExternalReference(source_name='Recorded Future RedEcho Feb 2021', description='Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.', url='https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf'), ExternalReference(source_name='Kaspersky ShadowPad Aug 2017', description='Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.', url='https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['ShadowPad', 'POISONPLUG.SHADOW']
x_mitre_attack_spec_version : 3.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.2
----------------------------------------------------------------------------------------------------
type : tool
id : tool--b63970b7-ddfb-4aee-97b1-80d335e033a8
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2021-03-17 15:26:20.015000+00:00
modified : 2021-04-24 20:45:08.323000+00:00
name : NBTscan
description : [NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0590', external_id='S0590'), ExternalReference(source_name='Debian nbtscan Nov 2019', description='Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.', url='https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html'), ExternalReference(source_name='SecTools nbtscan June 2003', description='SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.', url='https://sectools.org/tool/nbtscan/'), ExternalReference(source_name='Symantec Waterbug Jun 2019', description='Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.', url='https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments'), ExternalReference(source_name='FireEye APT39 Jan 2019', description='Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.', url='https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['NBTscan']
x_mitre_attack_spec_version : 2.1.0
x_mitre_contributors : ['Daniyal Naeem, BT Security']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows', 'Linux', 'macOS']
x_mitre_version : 1.0
----------------------------------------------------------------------------------------------------
type : malware
id : malware--8787e86d-8475-4f13-acea-d33eb83b6105
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2020-04-29 15:06:59.171000+00:00
modified : 2020-07-01 18:34:02.367000+00:00
name : Winnti for Linux
description : [Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including [Winnti Group](https://attack.mitre.org/groups/G0044). The Windows variant is tracked separately under [Winnti for Windows](https://attack.mitre.org/software/S0141).(Citation: Chronicle Winnti for Linux May 2019)
revoked : False
labels : ['malware']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0430', external_id='S0430'), ExternalReference(source_name='Chronicle Winnti for Linux May 2019', description='Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.', url='https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Winnti for Linux']
x_mitre_attack_spec_version : 2.1.0
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Linux']
x_mitre_version : 1.0
----------------------------------------------------------------------------------------------------
type : tool
id : tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-02-14 17:08:55.176000+00:00
modified : 2023-08-09 18:03:17.167000+00:00
name : Nltest
description : [Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0359', external_id='S0359'), ExternalReference(source_name='Nltest Manual', description='ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.', url='https://ss64.com/nt/nltest.html')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Nltest']
x_mitre_attack_spec_version : 3.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.2
----------------------------------------------------------------------------------------------------
type : tool
id : tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2018-04-18 17:59:24.739000+00:00
modified : 2023-08-17 19:50:17.832000+00:00
name : PowerSploit
description : [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0194', external_id='S0194'), ExternalReference(source_name='PowerShellMagazine PowerSploit July 2014', description='Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.', url='http://www.powershellmagazine.com/2014/07/08/powersploit/'), ExternalReference(source_name='GitHub PowerSploit May 2012', description='PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.', url='https://github.com/PowerShellMafia/PowerSploit'), ExternalReference(source_name='PowerSploit Documentation', description='PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.', url='http://powersploit.readthedocs.io')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['PowerSploit']
x_mitre_attack_spec_version : 3.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.6
----------------------------------------------------------------------------------------------------
type : tool
id : tool--0a68f1f1-da74-4d28-8d9a-696c082706cc
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-12-14 16:46:06.044000+00:00
modified : 2023-07-27 15:28:27.482000+00:00
name : certutil
description : [certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0160', external_id='S0160'), ExternalReference(source_name='TechNet Certutil', description='Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.', url='https://technet.microsoft.com/library/cc732443.aspx')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['certutil', 'certutil.exe']
x_mitre_attack_spec_version : 3.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.4
----------------------------------------------------------------------------------------------------
type : malware
id : malware--a7881f21-e978-4fe4-af56-92c9416a2616
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-12-14 16:46:06.044000+00:00
modified : 2023-08-09 16:47:36.538000+00:00
name : Cobalt Strike
description : [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)
In addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)
revoked : False
labels : ['malware']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0154', external_id='S0154'), ExternalReference(source_name='cobaltstrike manual', description='Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.', url='https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Cobalt Strike']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Martin Sohn Christensen, Improsec', 'Josh Abraham']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows', 'Linux', 'macOS']
x_mitre_version : 1.11
----------------------------------------------------------------------------------------------------
type : tool
id : tool--2e45723a-31da-4a7e-aaa6-e01998a6788f
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31 21:32:39.233000+00:00
modified : 2022-10-12 21:30:23.536000+00:00
name : Tasklist
description : The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0057', external_id='S0057'), ExternalReference(source_name='Microsoft Tasklist', description='Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.', url='https://technet.microsoft.com/en-us/library/bb491010.aspx')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Tasklist']
x_mitre_attack_spec_version : 2.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.1
----------------------------------------------------------------------------------------------------
type : tool
id : tool--afc079f3-c0ea-4096-b75d-3f05338b7f60
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31 21:32:11.544000+00:00
modified : 2023-07-27 15:33:07.594000+00:00
name : Mimikatz
description : [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0002', external_id='S0002'), ExternalReference(source_name='Deply Mimikatz', description='Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.', url='https://github.com/gentilkiwi/mimikatz'), ExternalReference(source_name='Adsecurity Mimikatz Guide', description='Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.', url='https://adsecurity.org/?page_id=1821')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Mimikatz']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Vincent Le Toux']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.8
----------------------------------------------------------------------------------------------------