mitre/need_group_software.txt

type : malware
id : malware--ec9e00dd-0313-4d5b-8105-c20aa47abffc
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2021-03-23 20:49:39.954000+00:00
modified : 2023-03-26 20:09:03.093000+00:00
name : ShadowPad
description : [ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://attack.mitre.org/groups/G0096), but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017)
revoked : False
labels : ['malware']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0596', external_id='S0596'), ExternalReference(source_name='POISONPLUG.SHADOW', description='(Citation: FireEye APT41 Aug 2019)'), ExternalReference(source_name='FireEye APT41 Aug 2019', description='Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.', url='https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'), ExternalReference(source_name='Securelist ShadowPad Aug 2017', description='GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.', url='https://securelist.com/shadowpad-in-corporate-networks/81432/'), ExternalReference(source_name='Recorded Future RedEcho Feb 2021', description='Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.', url='https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf'), ExternalReference(source_name='Kaspersky ShadowPad Aug 2017', description='Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.', url='https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['ShadowPad', 'POISONPLUG.SHADOW']
x_mitre_attack_spec_version : 3.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.2
----------------------------------------------------------------------------------------------------
type : tool
id : tool--b63970b7-ddfb-4aee-97b1-80d335e033a8
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2021-03-17 15:26:20.015000+00:00
modified : 2021-04-24 20:45:08.323000+00:00
name : NBTscan
description : [NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0590', external_id='S0590'), ExternalReference(source_name='Debian nbtscan Nov 2019', description='Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.', url='https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html'), ExternalReference(source_name='SecTools nbtscan June 2003', description='SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.', url='https://sectools.org/tool/nbtscan/'), ExternalReference(source_name='Symantec Waterbug Jun 2019', description='Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.', url='https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments'), ExternalReference(source_name='FireEye APT39 Jan 2019', description='Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.', url='https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['NBTscan']
x_mitre_attack_spec_version : 2.1.0
x_mitre_contributors : ['Daniyal Naeem, BT Security']
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows', 'Linux', 'macOS']
x_mitre_version : 1.0
----------------------------------------------------------------------------------------------------
type : malware
id : malware--8787e86d-8475-4f13-acea-d33eb83b6105
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2020-04-29 15:06:59.171000+00:00
modified : 2020-07-01 18:34:02.367000+00:00
name : Winnti for Linux
description : [Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including [Winnti Group](https://attack.mitre.org/groups/G0044). The Windows variant is tracked separately under [Winnti for Windows](https://attack.mitre.org/software/S0141).(Citation: Chronicle Winnti for Linux May 2019)
revoked : False
labels : ['malware']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0430', external_id='S0430'), ExternalReference(source_name='Chronicle Winnti for Linux May 2019', description='Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.', url='https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Winnti for Linux']
x_mitre_attack_spec_version : 2.1.0
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Linux']
x_mitre_version : 1.0
----------------------------------------------------------------------------------------------------
type : tool
id : tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2019-02-14 17:08:55.176000+00:00
modified : 2023-08-09 18:03:17.167000+00:00
name : Nltest
description : [Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0359', external_id='S0359'), ExternalReference(source_name='Nltest Manual', description='ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.', url='https://ss64.com/nt/nltest.html')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Nltest']
x_mitre_attack_spec_version : 3.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.2
----------------------------------------------------------------------------------------------------
type : tool
id : tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2018-04-18 17:59:24.739000+00:00
modified : 2023-08-17 19:50:17.832000+00:00
name : PowerSploit
description : [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0194', external_id='S0194'), ExternalReference(source_name='PowerShellMagazine PowerSploit July 2014', description='Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.', url='http://www.powershellmagazine.com/2014/07/08/powersploit/'), ExternalReference(source_name='GitHub PowerSploit May 2012', description='PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.', url='https://github.com/PowerShellMafia/PowerSploit'), ExternalReference(source_name='PowerSploit Documentation', description='PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.', url='http://powersploit.readthedocs.io')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['PowerSploit']
x_mitre_attack_spec_version : 3.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.6
----------------------------------------------------------------------------------------------------
type : tool
id : tool--0a68f1f1-da74-4d28-8d9a-696c082706cc
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-12-14 16:46:06.044000+00:00
modified : 2023-07-27 15:28:27.482000+00:00
name : certutil
description : [certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0160', external_id='S0160'), ExternalReference(source_name='TechNet Certutil', description='Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.', url='https://technet.microsoft.com/library/cc732443.aspx')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['certutil', 'certutil.exe']
x_mitre_attack_spec_version : 3.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.4
----------------------------------------------------------------------------------------------------
type : malware
id : malware--a7881f21-e978-4fe4-af56-92c9416a2616
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-12-14 16:46:06.044000+00:00
modified : 2023-08-09 16:47:36.538000+00:00
name : Cobalt Strike
description : [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike's interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)
In addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)
revoked : False
labels : ['malware']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0154', external_id='S0154'), ExternalReference(source_name='cobaltstrike manual', description='Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.', url='https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Cobalt Strike']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Martin Sohn Christensen, Improsec', 'Josh Abraham']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows', 'Linux', 'macOS']
x_mitre_version : 1.11
----------------------------------------------------------------------------------------------------
type : tool
id : tool--2e45723a-31da-4a7e-aaa6-e01998a6788f
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31 21:32:39.233000+00:00
modified : 2022-10-12 21:30:23.536000+00:00
name : Tasklist
description : The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0057', external_id='S0057'), ExternalReference(source_name='Microsoft Tasklist', description='Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.', url='https://technet.microsoft.com/en-us/library/bb491010.aspx')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Tasklist']
x_mitre_attack_spec_version : 2.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.1
----------------------------------------------------------------------------------------------------
type : tool
id : tool--afc079f3-c0ea-4096-b75d-3f05338b7f60
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2017-05-31 21:32:11.544000+00:00
modified : 2023-07-27 15:33:07.594000+00:00
name : Mimikatz
description : [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)
revoked : False
labels : ['tool']
external_references : [ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0002', external_id='S0002'), ExternalReference(source_name='Deply Mimikatz', description='Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.', url='https://github.com/gentilkiwi/mimikatz'), ExternalReference(source_name='Adsecurity Mimikatz Guide', description='Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.', url='https://adsecurity.org/?page_id=1821')]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_aliases : ['Mimikatz']
x_mitre_attack_spec_version : 3.1.0
x_mitre_contributors : ['Vincent Le Toux']
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms : ['Windows']
x_mitre_version : 1.8
----------------------------------------------------------------------------------------------------