Pushed by: admin
License: TA9O64YS7EPT (Professional)
Timestamp: 2026-02-22T20:39:40.958902
masterdev
Splunk Git Pusher 4 months ago
parent 1bcc82fee6
commit 798bb0a9bc

@ -1,3 +1,3 @@
[launcher]
author = JP-
version = 1.1.9
version = 1.2.0

@ -0,0 +1 @@
This is where you put any scripts you want to add to this app.

@ -0,0 +1,22 @@
[default]
[install]
is_configured = 0
install_source_checksum = b2120c21d6b58e46a7fb66bed265c3aee6acf443
[launcher]
description = The Sandfly Security App for Splunk includes dashboards, reports and logic for analyzing data ingested from a Sandfly Security server, including Alarms, Passed, and Errors.
version = 4.7.0
author = Sandfly Security
[package]
id = sandfly_security
[id]
name = sandfly_security
version = 4.7.0
[ui]
is_visible = 1
label = Sandfly Security
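Review bot: `install_source_checksum` on L22 is a value Splunk writes into `[install]` when it installs the app from a package, so committing it ships a hash that stops matching as soon as any file in the app changes; it should be dropped and left for the install path to set. As far as I recall, AppInspect also flags this key when vetting a packaged app, so removing the line avoids a failed check later. Separately, the first hunk bumps a different `[launcher]` stanza to `1.2.0` while this file declares `version = 4.7.0`; presumably one is the repo's wrapper app and this one is the vendored Sandfly app, but confirm the two `app.conf` files are meant to coexist.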

@ -0,0 +1,127 @@
{
"modelName": "At_Jobs_by_Username",
"displayName": "At Jobs by Username",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579142890.2382",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.atjob.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.atjob.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_persistence_at_jobs_list_all\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
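Review bot: The root constraint on L153 searches `index="*"`, so the model reads every index the searching role can see and, if it is ever accelerated, builds its summary across all of them; `sourcetype="sandfly:alarms"` narrows the result but not the set of indexes scanned. The usual pattern for a Splunk app is a search macro (for example one named `sandfly_index`) or a fixed index name that an administrator can override, i.e. replace `index=\"*\"` in the constraint with the macro reference; the same `index=\"*\"` appears in every other data model in this push. The `displayName` on L49 is an epoch-like string (`1579142890.2382`), presumably the editor's default, and `description` on L40 is empty; a human label such as `At Jobs` and a one-line description would help anyone using the pivot UI.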

@ -0,0 +1,127 @@
{
"modelName": "Crontabs_for_All_Users",
"displayName": "Crontabs for All Users",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579142594.2360",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.cron.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.cron.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_persistence_cron_list_all\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,123 @@
{
"modelName": "Intrusion_Detection_High_Entropy_Process",
"displayName": "Intrusion Detection High Entropy Process",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1581407784.12301",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.process.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.process.name",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_list_all\" | spath \"data.results.process.entropy\" | search \"data.results.process.entropy\" > 7.5"
}
],
"objectNameList": [
"RootObject"
]
}
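Review bot: The base search on L411 filters on `data.results.process.entropy > 7.5`, but that field is not in the model's field list (L310-L407), so a pivot or `tstats` over this model cannot show the entropy value or re-threshold it. Add a field entry for `data.results.process.entropy` mirroring the `data.results.process.name` entry on L348-L358 but with `"type": "number"`. The `7.5` cut-off is a hard-coded heuristic with no explanation; put it in `description` on L298, something like `Processes from recon_process_list_all whose binary entropy exceeds 7.5, a heuristic for packed or encrypted executables` (if the metric is bits-per-byte Shannon entropy, 8 is the maximum, which is worth stating).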

@ -0,0 +1,135 @@
{
"modelName": "Intrusion_Detection_Immutable_Process_Binary_Running",
"displayName": "Intrusion Detection Immutable Process Binary Running",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1581399643.11599",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.process.command",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.process.command",
"comment": ""
},
{
"fieldName": "data.results.process.network_ports.listening",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.process.network_ports.listening",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_list_all\" | spath \"data.results.process.flags.immutable\" | search \"data.results.process.flags.immutable\"=true"
}
],
"objectNameList": [
"RootObject"
]
}
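Review bot: The `description` on L423 is empty, and this model is the one most likely to need context for an analyst: the base search on L548 keeps only processes whose `flags.immutable` is `true`, which presumably corresponds to a binary marked with the immutable attribute (`chattr +i`), a trick used to prevent removal of a planted binary. A description along the lines of `Running processes whose executable carries the immutable flag, as reported by recon_process_list_all` would make the pivot self-explanatory. Note also this model exposes `data.results.process.command` and `network_ports.listening` (L473-L495) while the sibling process models expose only `process.name`; it would be easier to build dashboards if the process models shared a common field set, including `data.results.process.path`.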

@ -0,0 +1,123 @@
{
"modelName": "Intrusion_Detection_Process_Running_As_Sniffer",
"displayName": "Intrusion Detection Process Running As Sniffer",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1581409059.13087",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.process.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.process.name",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_list_all\" | spath \"data.results.process.file_descriptors{}.class\" | search \"data.results.process.file_descriptors{}.class\"=packet"
}
],
"objectNameList": [
"RootObject"
]
}
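Review bot: The base search on L673 matches on `data.results.process.file_descriptors{}.class=packet`, where the `{}` notation means any element of the descriptor array, but the model's field list (L572-L668) exposes only `process.name`, so a pivot cannot show which descriptor or how many raw packet sockets the process holds. Add a field entry for `data.results.process.file_descriptors{}.class` with `"multivalue": true` (the schema already has that key, L579) alongside `data.results.process.command` or `data.results.process.path` so the analyst can see the full command line of the sniffing process. A `description` on L560 such as `Processes holding a packet-class file descriptor (raw socket / sniffer), from recon_process_list_all` is also missing.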

@ -0,0 +1,123 @@
{
"modelName": "Intrusion_Detection_Process_Running_From_Temp_Directory",
"displayName": "Intrusion Detection Process Running From Temp Directory",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1581408195.12605",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.process.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.process.name",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_list_all\" | spath \"data.results.process.path\" | search \"data.results.process.path\"=/tmp/* OR \"data.results.process.path\"=/var/tmp/*"
}
],
"objectNameList": [
"RootObject"
]
}
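Review bot: The base search on L798 filters on `data.results.process.path` against `/tmp/*` and `/var/tmp/*`, but `path` is not among the model's fields (L697-L793), so the matched location is invisible in a pivot and only `process.name` is available. Add a field entry for `data.results.process.path` mirroring the `data.results.process.name` entry on L735-L745. Since `*` in SPL also matches `/`, the patterns already cover subdirectories, which is worth stating in `description` on L685, e.g. `Processes whose executable lives under /tmp or /var/tmp (any depth), from recon_process_list_all`.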

@ -0,0 +1,123 @@
{
"modelName": "Intrusion_Detection_Process_Running_From_devshm",
"displayName": "Intrusion Detection Process Running From /dev/shm",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1581400361.12120",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.process.command",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.process.command",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_list_all\" | spath \"data.results.process.path\" | search \"data.results.process.path\"=/dev/shm/*"
}
],
"objectNameList": [
"RootObject"
]
}
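Review bot: As with the temp-directory model, the base search on L923 filters on `data.results.process.path=/dev/shm/*` but `path` is absent from the field list (L822-L918); `command` (L860-L870) is exposed instead, which may or may not contain the resolved path. Add a `data.results.process.path` field entry mirroring the `data.results.process.command` entry so the pivot shows the actual binary location. A `description` on L810 such as `Processes executing from the /dev/shm tmpfs, from recon_process_list_all` is missing.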

@ -0,0 +1,123 @@
{
"modelName": "Intrusion_Detection_Process_Running_from_Public_HTML_Directory",
"displayName": "Intrusion Detection Process Running From Public HTML Directory",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1581408472.12837",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.process.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.process.name",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_list_all\" | spath \"data.results.process.path\" | search \"data.results.process.path\"=*public_html*"
}
],
"objectNameList": [
"RootObject"
]
}
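Review bot: The pattern `*public_html*` on L1048 is a substring match, so it also selects paths such as `/home/x/public_html_backup/bin/foo` or any directory name merely containing the string; if the intent is a process executing from a user's web root, `*/public_html/*` is the tighter pattern. As in the other process models, `data.results.process.path` is filtered on but not exposed in the field list (L947-L1043); add a field entry for it mirroring the `data.results.process.name` entry on L985-L995. The `modelName` on L933 mixes `Running_from` (lowercase f) with the `Running_From` used by its siblings (L683, L808); harmless, but worth aligning before dashboards reference these names.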

@ -0,0 +1,127 @@
{
"modelName": "Logins_by_Username",
"displayName": "Logins by Username",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579143163.2406",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.lastlog.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.lastlog.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_lastlog\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
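Review bot: The model is named `Logins_by_Username` (L1058) but its constraint on L1173 selects `recon_log_list_lastlog`; if that recon mirrors lastlog(8), each record is the most recent login per user rather than a login event, so a count over this model is a count of users with a login, not a count of logins. Either state that in `description` on L1060, e.g. `Most recent login per user (lastlog) as reported by recon_log_list_lastlog; one record per user, not per session`, or point the model at a per-event login source if Sandfly provides one. The `displayName` on L1069 (`1579143163.2406`) is again an epoch-like editor default.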

@ -0,0 +1,115 @@
{
"modelName": "OS_BIOS_Vendor",
"displayName": "OS BIOS Vendor",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579163818.4259",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
},
{
"fieldName": "data.results.os.hardware.dmi.bios_vendor",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.hardware.dmi.bios_vendor",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
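Review bot: The `modelName` `OS_BIOS_Vendor` on L1187 breaks the `Operating_System_*` naming used by the other `os_identify` models in this push (L1304, L1409, L1534, L1659), and this model also omits the `data.status` field that every other model carries. If nothing references the model yet, rename it to `Operating_System_BIOS_Vendor` and add the `data.status` field entry; since `modelName` is the identifier dashboards and `tstats` searches use, renaming later is costly. The `bios_vendor` field on L1275-L1285 is listed after `_time`, unlike the siblings which list the payload field before `data.status`; cosmetic, but consistent ordering makes the five `os_identify` models easier to diff.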

@ -0,0 +1,103 @@
{
"modelName": "Operating_System_BIOS_Version",
"displayName": "Operating System BIOS Version",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579166485.4348",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.os.hardware.dmi.bios_version",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.hardware.dmi.bios_version",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
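Review bot: This model's field list (L1318-L1390) lacks both `host` and `data.status`, which every other model in the push includes (compare L1203-L1213 in the BIOS-vendor model); a dashboard joining on `host` will silently get nothing from this model. Add the two field entries mirroring the `source` entry on L1320-L1330. The constraint on L1395 is identical to the one on L1290, and the two models differ only in which `dmi` field they expose; one `Operating_System_BIOS` model with both `bios_vendor` and `bios_version` fields would halve the number of summaries to maintain if acceleration is enabled.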

@ -0,0 +1,123 @@
{
"modelName": "Operating_System_Bogo_MIPS_Rating",
"displayName": "Operating System Bogo MIPS Rating",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579142129.2303",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.os.hardware.cpu.bogo_mips",
"owner": "RootObject",
"type": "number",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.hardware.cpu.bogo_mips",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\" | spath \"data.results.os.hardware.cpu.bogo_mips\" | search \"data.results.os.hardware.cpu.bogo_mips\"=*"
}
],
"objectNameList": [
"RootObject"
]
}
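Review bot: The base search on L1524 only applies `| search "data.results.os.hardware.cpu.bogo_mips"=*` after `spath`, i.e. it drops events lacking the field; this is the same `os_identify` selection used by the BIOS, architecture and model-name models, each with a different single payload field. Five search-based models over one constraint means five separate scans (and five summaries if accelerated); a single `Operating_System_Hardware` model with `bios_vendor`, `bios_version`, `bogo_mips`, `arch` and `model_name` as optional fields would give the same pivots from one summary. This is the only model that declares a payload field as `"type": "number"` (L1463), which is correct for a rating; worth stating the unit in `description` on L1411, e.g. `BogoMIPS value reported by os_identify for each host`.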

@ -0,0 +1,123 @@
{
"modelName": "Operating_System_CPU_Architecture",
"displayName": "Operating System CPU Architecture",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579139757.2069",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.os.info.arch",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.arch",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\" | spath \"data.results.os.info.arch\" | search \"data.results.os.info.arch\"=*"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,123 @@
{
"modelName": "Operating_System_CPU_Model_Name",
"displayName": "Operating System CPU Model Name",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579141934.2277",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.os.hardware.cpu.model_name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.hardware.cpu.model_name",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\" | spath \"data.results.os.hardware.cpu.model_name\" | search \"data.results.os.hardware.cpu.model_name\"=*"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,139 @@
{
"modelName": "Operating_System_Linux_Kernel_Release_Version",
"displayName": "Operating System Linux Kernel Release Version",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579140404.2131",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.os.info.machine",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.machine",
"comment": ""
},
{
"fieldName": "data.results.os.info.release",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.release",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
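Review bot: The root constraint near the end of this section (`"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\""`) hard-codes `index="*"`, so the model scans every index the calling role can read rather than the index the Sandfly data actually lands in, and an accelerated summary built from it repeats that on every rebuild. Splunk apps usually route this through a macro so an admin scopes it once, e.g. `"search": "`sandfly_index` sourcetype=\"sandfly:alarms\" data.name=\"os_identify\""` with `sandfly_index` defined in macros.conf; the same `index="*"` literal appears in every model in this commit and should be changed together. The root object's `displayName` is an epoch stamp (`1579140404.2131`) that will show as the dataset name in Pivot, and `description` is empty — a readable name and one sentence on what the `os_identify` result contributes would help whoever builds dashboards on it.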

@ -0,0 +1,159 @@
{
"modelName": "Operating_System_Linux_Version",
"displayName": "Operating System Linux Version",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579141180.2193",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.os.info.machine",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.machine",
"comment": ""
},
{
"fieldName": "data.results.os.info.release",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.release",
"comment": ""
},
{
"fieldName": "data.results.os.info.uptime_days",
"owner": "RootObject",
"type": "number",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.uptime_days",
"comment": ""
},
{
"fieldName": "data.results.os.info.version",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.version",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\" | spath \"data.results.os.info.version\" | search \"data.results.os.info.version\"=*"
}
],
"objectNameList": [
"RootObject"
]
}
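Review bot: This model uses a search-based root (`parentName: "BaseSearch"` with `| spath ... | search "data.results.os.info.version"=*` in `baseSearch`) while the kernel-release model in the same commit filters the same `os_identify` events with an event-based constraint, so two models over one event type are built two different ways. The filter can be expressed as a constraint, `"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\" \"data.results.os.info.version\"=*"`, which keeps the models consistent and, if the `sandfly:alarms` sourcetype already auto-extracts its JSON (I cannot see props.conf from here), makes the explicit `spath` unnecessary. Event-based root datasets are also the straightforward case for data model acceleration, which matters once the `index="*"` scope is narrowed. `description` is empty and the root `displayName` is an epoch stamp; both should be set before this ships.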

@ -0,0 +1,123 @@
{
"modelName": "Operating_System_Machine_Type",
"displayName": "Operating System Machine Type",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579140260.2121",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.os.info.machine",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.machine",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\" | spath \"data.results.os.info.machine\" | search \"data.results.os.info.machine\"=*"
}
],
"objectNameList": [
"RootObject"
]
}
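Review bot: This is one of several models in this commit (kernel release, Linux version, uptime, product name, and this machine-type model) whose root is a different filter over the same `sourcetype="sandfly:alarms" data.name="os_identify"` events, each declaring its own copy of `host`/`source`/`data.name`/`data.status`/`header.hostname`. If these are accelerated, each one builds and stores a separate summary of the same events; a single `os_identify` root dataset carrying all of the `data.results.os.info.*` and `data.results.os.hardware.*` fields (with child datasets where a narrower filter is wanted) would scan once and keep the field list in one place. The `| spath ... | search "data.results.os.info.machine"=*` tail in `baseSearch` is the only thing distinguishing this model from the Linux-version one, which already declares `data.results.os.info.machine` as a field. `description` is empty here as well.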

@ -0,0 +1,127 @@
{
"modelName": "Operating_System_Product_Name",
"displayName": "Operating System Product Name",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579165868.4319",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.os.hardware.dmi.product_name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.hardware.dmi.product_name",
"comment": ""
},
{
"fieldName": "data.results.os.info.mounts{}.device",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.mounts{}.device",
"comment": ""
},
{
"fieldName": "data.results.os.info.mounts{}.mount_point",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.mounts{}.mount_point",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\" \"data.results.os.hardware.cpu.bugs{}\"=\"*\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
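Review bot: The root constraint in this section filters on `"data.results.os.hardware.cpu.bugs{}"="*"`, a CPU-bugs array that the model neither declares as a field nor relates to the product name or mount points it exposes, so any endpoint whose `os_identify` result has no `cpu.bugs` entries silently drops out of the product-name pivot. It reads like a leftover from a copied model; the intended filter is presumably `"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\" \"data.results.os.hardware.dmi.product_name\"=*"` (or no field filter at all, matching the kernel-release model). The field list also omits `host` and `data.status`, which every other model in this commit carries; without `data.status` (presumably the scan's result status — confirm) a dashboard cannot exclude partial or errored results from this inventory. The root `displayName` (`1579165868.4319`) and empty `description` should be filled in as well.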

@ -0,0 +1,147 @@
{
"modelName": "Operating_System_Uptime_in_Days",
"displayName": "Operating System Uptime in Days",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579140899.2172",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.os.info.machine",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.machine",
"comment": ""
},
{
"fieldName": "data.results.os.info.release",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.release",
"comment": ""
},
{
"fieldName": "data.results.os.info.uptime_days",
"owner": "RootObject",
"type": "number",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.os.info.uptime_days",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"os_identify\" | spath \"data.results.os.info.uptime_days\" | search \"data.results.os.info.uptime_days\"=*"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,99 @@
{
"modelName": "Processes_With_Network_Ports_Listening",
"displayName": "Processes With Network Ports Listening",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579147821.3527",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.process.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.process.name",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_list_all\" | spath \"data.results.process.network_ports.listening\" | search \"data.results.process.network_ports.listening\"=true"
}
],
"objectNameList": [
"RootObject"
]
}
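Review bot: The field list for this listening-ports model exposes only `data.results.process.name` plus Splunk metadata, and unlike the other models in this commit it has no `header.hostname`, so a pivot cannot say on which scanned endpoint a listener was found — `host` here is presumably the Splunk host the forwarder assigned (the Sandfly server), not the endpoint, which is why the sibling models carry `header.hostname`. Add `header.hostname` and, if the `recon_process_list_all` result carries them (I cannot see the JSON schema here), the pid, user, executable path and port fields: to this model a process named `sshd` listening on 22 and a binary named `sshd` listening on 4444 are indistinguishable. The value the `baseSearch` filters on, `data.results.process.network_ports.listening`, is extracted with `spath` but not declared as a field, so it is unavailable in Pivot even though it defines the dataset. `description` is empty.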

@ -0,0 +1,99 @@
{
"modelName": "Processes_With_Network_Ports_Operating",
"displayName": "Processes With Network Ports Operating",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579147584.3389",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.process.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.process.name",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_process_list_all\" | spath \"data.results.process.network_ports.operating\" | search \"data.results.process.network_ports.operating\"=true"
}
],
"objectNameList": [
"RootObject"
]
}
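Review bot: Nothing in this section says what `data.results.process.network_ports.operating=true` means as opposed to the `listening=true` filter in the sibling model — `description` is empty and the two models are otherwise identical — so a dashboard author has to guess whether "operating" means any open socket, established connections, or something else. Set `"description"` to one sentence taken from the Sandfly documentation for the `network_ports.operating` flag (I cannot confirm its semantics from the search alone). As with the listening model, the field list lacks `header.hostname`, so the pivot cannot attribute a process to a scanned endpoint, and the flag being filtered on is not declared as a field. Adding `header.hostname` (and pid/user/path/port if present in the result) is the same fix as for the listening model.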

@ -0,0 +1,127 @@
{
"modelName": "User_Bad_Logins_Over_Time",
"displayName": "User Failed Logins Over Time",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1581410251.13577",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.btmp.date.created",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.btmp.date.created",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_failed\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
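Review bot: For a "failed logins over time" model the time axis Pivot will use is `_time`, which is when the Sandfly result was indexed, while the time of the actual failed login is `data.results.log.btmp.date.created`, declared here as a plain `string`; a timechart on this model therefore shows scan cadence, not attack timing, and a brute-force burst collapses into the scan buckets. Add an `eval` entry under `calculations` that converts `btmp.date.created` to epoch with `strptime()` (the format must be confirmed from a raw event) and use that field, or at least declare the field as `"type": "timestamp"` if the value is already epoch. The model also declares no username or source-host field for the failed attempts, so it can count failures but not attribute them; note that whatever is added from btmp is client-supplied text — the username field in particular is known to collect passwords typed into the login prompt — so access to this dataset should be restricted accordingly.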

@ -0,0 +1,139 @@
{
"modelName": "User_Successful_Logins_Over_Time",
"displayName": "User Successful Logins Over Time",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1581410002.13521",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.wtmp.date.created",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.wtmp.date.created",
"comment": ""
},
{
"fieldName": "data.results.log.wtmp.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.wtmp.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_valid\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
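Review bot: This successful-login model exposes `data.results.log.wtmp.username` and `wtmp.date.created` but no source-host field, whereas the failed-login model in this commit pivots on `data.results.log.btmp.hostname`; if the wtmp result carries the equivalent (presumably `data.results.log.wtmp.hostname` — confirm against a raw event), adding it is what makes this dataset usable for "which account logged in from where", i.e. lateral-movement review, rather than a bare list of usernames. As in the failed-login model, `date.created` is declared `string`, so charts use `_time` (scan time) rather than login time; an `eval`/`strptime()` calculation or `"type": "timestamp"` is needed for the "over time" in the title to be true. `description` is empty and should say these are wtmp-derived successful logins as reported by `recon_log_list_logins_valid`.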

@ -0,0 +1,103 @@
{
"modelName": "Username_Bad_Logins_by_Hostname",
"displayName": "Username Bad Logins by Hostname",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579153034.3723",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.btmp.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.btmp.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_failed_24_hours\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
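Review bot: The model is named "Username Bad Logins by Hostname" but declares no username field at all — only `data.results.log.btmp.hostname` — so Pivot cannot split failed logins by account; by analogy with `wtmp.username` and `utmp.username` in the sibling models the btmp record presumably carries `data.results.log.btmp.username`, which should be added (confirm the key against a raw event). Both btmp values are supplied by the remote client: the username is free text and routinely contains passwords mistyped into the login prompt, and `btmp.hostname` is the peer's address/name, not the scanned endpoint (this model also omits `header.hostname`), so treat them as untrusted in any drilldown search and restrict read access to the dataset. The constraint uses `data.name="recon_log_list_logins_failed_24_hours"` while the over-time model uses `recon_log_list_logins_failed`; if the two Sandfly checks overlap, counts from the two models will not agree, which is worth stating in `description`.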

@ -0,0 +1,127 @@
{
"modelName": "Username_Logged_In",
"displayName": "Username Logged In",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579143428.2426",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.utmp.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.utmp.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logged_in_users\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
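Review bot: The field list exposes only `data.results.log.utmp.username` for logged-in users, with no terminal, login time or remote-host field, so the model can list who is logged in but not from where or since when — the attributes an analyst actually pivots on; if the `recon_log_list_logged_in_users` result includes them (I cannot see the schema), add them alongside `username`. Worth recording in `description` that this is utmp-derived: utmp is a classic target of log-cleaning tools, so absence here is not evidence of absence and the process-list models in this commit are the cross-check. The root `displayName` is an epoch stamp and should be a readable name.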

@ -0,0 +1,139 @@
{
"modelName": "Username_Login_Shells_In_Use",
"displayName": "Username Login Shells In Use",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579144199.2642",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.user.shell",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.shell",
"comment": ""
},
{
"fieldName": "data.results.user.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_user_list_all\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
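Review bot: This model pairs `data.results.user.shell` with `data.results.user.username` but carries no uid, so the obvious security pivot — system or service accounts that have been given an interactive shell — cannot be built from it; the root-UID model in this commit shows the `recon_user_list_all` result carries `data.results.user.gid`, so a `data.results.user.uid` field presumably exists and should be declared here too (confirm against a raw event). A filter such as `"search": "... data.name=\"recon_user_list_all\" \"data.results.user.shell\"!=\"/usr/sbin/nologin\" \"data.results.user.shell\"!=\"/bin/false\""` could then be a child dataset for "accounts that can actually log in". `description` is empty and the root `displayName` is an epoch stamp.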

@ -0,0 +1,147 @@
{
"modelName": "Username_Password_Hash_Types",
"displayName": "Username Password Hash Types",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579144047.2593",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.user.password.present",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.password.present",
"comment": ""
},
{
"fieldName": "data.results.user.password.type",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.password.type",
"comment": ""
},
{
"fieldName": "data.results.user.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_user_list_all\" | spath \"data.results.user.password.present\" | search \"data.results.user.password.present\"=true"
}
],
"objectNameList": [
"RootObject"
]
}
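Review bot: `data.results.user.password.present` is declared `"type": "string"` but the `baseSearch` filters it with `=true`; Splunk's data model field types include `boolean`, so `"type": "boolean"` states the contract correctly and lets Pivot treat it as a flag. More importantly the `present=true` filter hides exactly the accounts a password-hash review should also surface — entries with an empty or locked hash — since an empty password field is a passwordless login on any host whose PAM stack allows it; consider dropping the filter and leaving `present` as a pivot field, or adding a sibling dataset for `present=false`. Because this dataset maps accounts to their hash algorithm (`data.results.user.password.type`), it is effectively a target list for hosts still using DES/MD5 crypt and should be restricted to the roles that need it; say so in `description`.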

@ -0,0 +1,283 @@
{
"modelName": "Username_root_UID_But_Not_Root",
"displayName": "Username root UID But Not Root",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1581394199.11095",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.user.gecos",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.gecos",
"comment": ""
},
{
"fieldName": "data.results.user.gid",
"owner": "RootObject",
"type": "number",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.gid",
"comment": ""
},
{
"fieldName": "data.results.user.gid_name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.gid_name",
"comment": ""
},
{
"fieldName": "data.results.user.group_membership",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.group_membership",
"comment": ""
},
{
"fieldName": "data.results.user.home_dir",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.home_dir",
"comment": ""
},
{
"fieldName": "data.results.user.password.disabled",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.password.disabled",
"comment": ""
},
{
"fieldName": "data.results.user.password.empty",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.password.empty",
"comment": ""
},
{
"fieldName": "data.results.user.password.locked",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.password.locked",
"comment": ""
},
{
"fieldName": "data.results.user.shell",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.shell",
"comment": ""
},
{
"fieldName": "data.results.user.ssh.authorized_keys.present",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.ssh.authorized_keys.present",
"comment": ""
},
{
"fieldName": "data.results.user.uid",
"owner": "RootObject",
"type": "number",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.uid",
"comment": ""
},
{
"fieldName": "data.results.user.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
},
{
"fieldName": "data.results.user.password.present",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.password.present",
"comment": ""
},
{
"fieldName": "data.results.user.password.type",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.password.type",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.results.user.uid=0 AND data.results.user.username != \"root\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
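Review bot: The constraint `data.results.user.uid=0 AND data.results.user.username != "root"` drops uid-0 records that carry no username value at all, because Splunk's `field!=value` matches only events where the field is present; `data.results.user.uid=0 NOT data.results.user.username="root"` keeps them, and a uid-0 entry without a username is a record this model should surface rather than hide. Every data model in this part of the commit, from this one through Usernames_with_SSH_Authorized_Keys_Present, also anchors its constraint or baseSearch on `index="*"`, so each one (accelerated or not) scans every index the searching role can read; the dashboard added later in the same commit instead starts from the `sandfly_search_audit` macro, and a matching macro for the `sandfly:alarms` sourcetype would let an admin set the index once for all models. Lastly, `data.results.user.password.present` and `data.results.user.password.type` are appended after `_time` while every other model keeps `_time` last; moving them up beside the other `data.results.user.*` fields keeps the ordering convention.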

@ -0,0 +1,103 @@
{
"modelName": "Usernames_Bad_Logins_Against_Hostname",
"displayName": "Usernames Bad Logins Against Hostname",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579162015.4081",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_failed\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}
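Review bot: The field list declares no `data.results.log.btmp.*` field, so despite the name Usernames Bad Logins Against Hostname a pivot on this model can only count `recon_log_list_logins_failed` alarms per `header.hostname`, with no way to split by the account that was targeted; Usernames_Bad_Logins_By_Username adds `data.results.log.btmp.username` and `data.results.log.btmp.hostname` to an otherwise identical model. The four failed-login models here (this one, By_Username, From_Hostname, Most_Bad_Logins_Against_Hostname) and the three Usernames_Valid_Logins_* models each share one constraint and differ only in which columns are declared, so a single failed-login model and a single valid-login model carrying the full btmp/wtmp field set would cover every pivot and, if acceleration is enabled, build one summary instead of four. The root object `displayName` `1579162015.4081` is copied verbatim across the failed-login models and `1579162697.4154` across the valid-login ones; a readable value such as `Failed login alarms` is what the Pivot UI shows.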

@ -0,0 +1,127 @@
{
"modelName": "Usernames_Bad_Logins_By_Username",
"displayName": "Usernames Bad Logins By Username",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579162015.4081",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.btmp.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.btmp.hostname",
"comment": ""
},
{
"fieldName": "data.results.log.btmp.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.btmp.username",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_failed\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,115 @@
{
"modelName": "Usernames_Bad_Logins_From_Hostname",
"displayName": "Usernames Bad Logins From Hostname",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579162015.4081",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.btmp.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.btmp.hostname",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_failed\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,115 @@
{
"modelName": "Usernames_Most_Bad_Logins_Against_Hostname",
"displayName": "Usernames Most Bad Logins Against Hostname",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579153034.3723",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.btmp.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.btmp.hostname",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_failed\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,127 @@
{
"modelName": "Usernames_Present_on_Host",
"displayName": "Usernames Present on Host",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579143571.2439",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.user.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_user_list_all\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,127 @@
{
"modelName": "Usernames_Valid_Logins_Against_Hostname",
"displayName": "Usernames Valid Logins Against Hostname",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579162697.4154",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.wtmp.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.wtmp.hostname",
"comment": ""
},
{
"fieldName": "data.results.log.wtmp.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.wtmp.username",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_valid\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,127 @@
{
"modelName": "Usernames_Valid_Logins_From_Hostname",
"displayName": "Usernames Valid Logins From Hostname",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579162697.4154",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.wtmp.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.wtmp.hostname",
"comment": ""
},
{
"fieldName": "data.results.log.wtmp.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.wtmp.username",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_valid\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,127 @@
{
"modelName": "Usernames_Valid_Logins_by_Username",
"displayName": "Usernames Valid Logins by Username",
"description": "",
"objectSummary": {
"Event-Based": 1,
"Transaction-Based": 0,
"Search-Based": 0
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579162697.4154",
"parentName": "BaseEvent",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.log.wtmp.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.wtmp.hostname",
"comment": ""
},
{
"fieldName": "data.results.log.wtmp.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.log.wtmp.username",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [
{
"search": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_log_list_logins_valid\"",
"owner": "RootObject"
}
],
"lineage": "RootObject"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,123 @@
{
"modelName": "Usernames_with_Blank_Password_Fields",
"displayName": "Usernames with Blank Password Fields",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579144557.2819",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.user.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_user_list_all\" | spath \"data.results.user.password.empty\" | search \"data.results.user.password.empty\"=true"
}
],
"objectNameList": [
"RootObject"
]
}
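Review bot: This model and Usernames_with_SSH_Authorized_Keys_Present filter on a field they never declare (`data.results.user.password.empty` and `data.results.user.ssh.authorized_keys.present` respectively), so a pivot cannot display or re-check the value the root search selected on; adding each as a `string` field next to `data.results.user.username` fixes that. These three search-based models (this one, Usernames_with_Password_Hash_Present, Usernames_with_SSH_Authorized_Keys_Present) go through `| spath ... | search ...=true` on a `BaseSearch` root, while Username_root_UID_But_Not_Root filters `data.results.user.uid=0` directly in an event constraint, which suggests the JSON fields are already extracted at search time. If that holds, a `BaseEvent` root with the constraint `index="*" sourcetype="sandfly:alarms" data.name="recon_user_list_all" data.results.user.password.empty=true` is equivalent here and keeps all user-inventory models on the same root type as Usernames_Present_on_Host.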

@ -0,0 +1,135 @@
{
"modelName": "Usernames_with_Password_Hash_Present",
"displayName": "Usernames with Password Hash Present",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579143864.2512",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.user.password.present",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.password.present",
"comment": ""
},
{
"fieldName": "data.results.user.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_user_list_all\" | spath \"data.results.user.password.present\" | search \"data.results.user.password.present\"=true"
}
],
"objectNameList": [
"RootObject"
]
}
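Review bot: The baseSearch is byte-identical to that of the data model immediately preceding Username_root_UID_But_Not_Root in this commit (its header lies outside this view), down to `| search "data.results.user.password.present"=true`, and the two field lists differ only in that the earlier model also declares `data.results.user.password.type`. Two root searches over the same events mean two summaries to maintain for one question; unless the earlier model is meant to be removed, folding `data.results.user.password.type` into this one and dropping the other avoids the drift. `description` is empty in every model here; a one-line description naming which Sandfly recon result (`recon_user_list_all`) the model covers is what a Pivot user sees first.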

@ -0,0 +1,123 @@
{
"modelName": "Usernames_with_SSH_Authorized_Keys_Present",
"displayName": "Usernames with SSH Authorized Keys Present",
"description": "",
"objectSummary": {
"Event-Based": 0,
"Transaction-Based": 0,
"Search-Based": 1
},
"objects": [
{
"objectName": "RootObject",
"displayName": "1579144370.2728",
"parentName": "BaseSearch",
"comment": "",
"fields": [
{
"fieldName": "host",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "host",
"comment": ""
},
{
"fieldName": "source",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "source",
"comment": ""
},
{
"fieldName": "data.name",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.name",
"comment": ""
},
{
"fieldName": "data.results.user.username",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.results.user.username",
"comment": ""
},
{
"fieldName": "data.status",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "data.status",
"comment": ""
},
{
"fieldName": "header.hostname",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "header.hostname",
"comment": ""
},
{
"fieldName": "sourcetype",
"owner": "RootObject",
"type": "string",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "sourcetype",
"comment": ""
},
{
"fieldName": "_time",
"owner": "RootObject",
"type": "timestamp",
"fieldSearch": "",
"required": false,
"multivalue": false,
"hidden": false,
"editable": true,
"displayName": "_time",
"comment": ""
}
],
"calculations": [],
"constraints": [],
"lineage": "RootObject",
"baseSearch": "index=\"*\" sourcetype=\"sandfly:alarms\" data.name=\"recon_user_list_all\" | spath \"data.results.user.ssh.authorized_keys.present\" | search \"data.results.user.ssh.authorized_keys.present\"=true"
}
],
"objectNameList": [
"RootObject"
]
}

@ -0,0 +1,7 @@
<nav search_view="search" color="#21f4db">
<view name="search" default='true' />
<view name="datasets" />
<view name="reports" />
<view name="alerts" />
<view name="dashboards" />
</nav>
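Review bot: `default='true'` on the search view uses single quotes while every other attribute in the file uses double quotes; `<view name="search" default="true" />` keeps one quoting style. The nav lists only the stock views (search, datasets, reports, alerts, dashboards) and none of the dashboards this commit adds, so they are reachable only through the Dashboards listing unless that is the intent.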

@ -0,0 +1 @@
Add all the views that your app needs in this directory

@ -0,0 +1,98 @@
<form version="1.1" theme="light">
<label>Audit Logs - Authentication</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Successful Login</title>
<single>
<search>
<query>`sandfly_search_audit` audit_log.message="successful login"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Valid SAML Response</title>
<single>
<search>
<query>`sandfly_search_audit` audit_log.message="received valid SAML response*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Failed Login</title>
<single>
<search>
<query>`sandfly_search_audit` audit_log.message="*login*" OR audit_log.message="*SAML*"
| search NOT audit_log.message="successful login"
| search NOT audit_log.message="received valid SAML response*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Successful Login by UserName</title>
<chart>
<search>
<query>`sandfly_search_audit` audit_log.message="successful login"
| stats count by audit_log.username</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Valid SAML Response by UserName</title>
<chart>
<search>
<query>`sandfly_search_audit` audit_log.message="received valid SAML response*"
| rex field=audit_log.message "'\s*(?&lt;t_username&gt;[^']+?)\s*'"
| stats count by t_username</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Failed Login by UserName</title>
<chart>
<search>
<query>`sandfly_search_audit` audit_log.message="login attempt for user*"
| rex field=audit_log.message "'\s*(?&lt;t_username&gt;[^']+?)\s*'"
| stats count by t_username</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
</form>
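Review bot: The "Failed Login" single value (L5194-L5197) and the "Failed Login by UserName" chart (L5238) use different definitions of a failed login, so the two panels will not reconcile: the count takes everything matching `*login*` or `*SAML*` minus the two success messages, while the breakdown counts only `audit_log.message="login attempt for user*"`, so failed SAML attempts appear in the number but never in the pie. Pick one definition for both, either by narrowing the single panel to `audit_log.message="login attempt for user*"` or by carrying the same NOT-subtraction pipeline into the chart query. The leading-wildcard `*login*` term also forces a full-text scan over the audit sourcetype, which the narrower prefix filter avoids.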

@ -0,0 +1,97 @@
<form version="1.1" theme="light">
<label>Audit Logs - License Errors</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Cannot run scheduled scans with an expired license</title>
<search>
<query>`sandfly_search_audit` audit_log.message="Cannot run scheduled scans with an expired license."
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
<option name="rangeValues">[0,10]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<single>
<title>Cannot run scheduled scans without a license</title>
<search>
<query>`sandfly_search_audit` audit_log.message="Cannot run scheduled scans without a license."
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
<option name="rangeValues">[0,10]</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<single>
<title>The number of configured email alerts exceeds the license limitation</title>
<search>
<query>`sandfly_search_audit` audit_log.message="The number of configured email alerts exceeds the license limitation;*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
<option name="rangeValues">[0,10]</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<single>
<title>The number of configured syslog alerts exceeds the license limitation</title>
<search>
<query>`sandfly_search_audit` audit_log.message="The number of configured syslog alerts exceeds the license limitation;*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
<option name="rangeValues">[0,10]</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<title>Most Recent Instance of License Error</title>
<search>
<query>`sandfly_search_audit` audit_log.message="*license*"
| search NOT audit_log.message="retrieved license"
| search NOT audit_log.message="deleted license key"
| search NOT audit_log.message="added license key*"
| eval TimeStamp=strftime(_time,"%x %r")
| dedup audit_log.message
| sort - _time
| table TimeStamp audit_log.message
| rename audit_log.message as Message</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
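Review bot: The "Most Recent Instance of License Error" table runs `| dedup audit_log.message` before `| sort - _time` (L5336-L5337), so which instance survives depends on the implicit event order reaching dedup rather than on the sort; swapping them to `| sort - _time` then `| dedup audit_log.message` makes the "most recent" intent explicit. The second single panel (L5280-L5294) also omits `<option name="refresh.display">progressbar</option>` that the other three panels in the row set; add it for consistency. The NOT-filter list at L5332-L5334 is the only thing keeping informational license messages out of this table, so a one-line comment above the query naming that purpose would help whoever adds the next exclusion.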

@ -0,0 +1,198 @@
<form version="1.1" theme="light">
<label>Audit Logs Overview</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Total Audit Logs Trend - Previous 7 Days</title>
<single>
<search>
<query>`sandfly_search_audit` earliest=-7d@d latest=@d
| timechart count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendDisplayMode">percent</option>
<option name="trendInterval">-24h</option>
<option name="useColors">0</option>
</single>
</panel>
<panel>
<title>Audit Logs - Today</title>
<single>
<search>
<query>`sandfly_search_audit` earliest=@d
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Audit Logs - Last Hour</title>
<single>
<search>
<query>`sandfly_search_audit`
| stats count</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Audit Logs over Time Range by Record Type</title>
<chart>
<search>
<query>`sandfly_search_audit`
| timechart count by audit_log.record_type</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Audit Logs over Time Range by Level</title>
<chart>
<search>
<query>`sandfly_search_audit`
| timechart count by audit_log.level</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Audit Logs over Time Range by IP Address</title>
<chart>
<search>
<query>`sandfly_search_audit`
| rename audit_log.ip_addr as "IP_Addr"
| stats count by IP_Addr</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Audit Logs over Time Range by UserName</title>
<chart>
<search>
<query>`sandfly_search_audit`
| rename audit_log.username as "UserName"
| stats count by UserName</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Audit Logs</title>
<input type="dropdown" token="tok_username" searchWhenChanged="true">
<label>UserName</label>
<choice value="*">All</choice>
<fieldForLabel>audit_log.username</fieldForLabel>
<fieldForValue>audit_log.username</fieldForValue>
<search>
<query>`sandfly_search_audit` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ audit_log.level="$tok_level$" audit_log.ip_addr="$tok_ipaddr$"
| dedup audit_log.username
| table audit_log.username
| sort audit_log.username</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_level" searchWhenChanged="true">
<label>Level</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>audit_log.level</fieldForLabel>
<fieldForValue>audit_log.level</fieldForValue>
<search>
<query>`sandfly_search_audit` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ audit_log.username="$tok_username$" audit_log.ip_addr="$tok_ipaddr$"
| dedup audit_log.level
| table audit_log.level
| sort audit_log.level</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="tok_ipaddr" searchWhenChanged="true">
<label>IP Address</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>audit_log.ip_addr</fieldForLabel>
<fieldForValue>audit_log.ip_addr</fieldForValue>
<search>
<query>`sandfly_search_audit` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ audit_log.username="$tok_username$" audit_log.level="$tok_level$"
| dedup audit_log.ip_addr
| table audit_log.ip_addr
| sort audit_log.ip_addr</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_audit` audit_log.username="$tok_username$" audit_log.level="$tok_level$" audit_log.ip_addr="$tok_ipaddr$"
| eval TimeStamp=strftime(_time,"%x %r")
| sort - _time
| table TimeStamp audit_log.record_type audit_log.level audit_log.username audit_log.ip_addr audit_log.id audit_log.message
| rename audit_log.record_type as RecordType
| rename audit_log.level as Level
| rename audit_log.username as UserName
| rename audit_log.ip_addr as IP_Addr
| rename audit_log.id as ID
| rename audit_log.message as Message</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
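Review bot: Dropdown values that come straight from ingested audit data (username, level, IP address) are interpolated into SPL with only surrounding double quotes at L5486, L5504, L5520 and L5530, so a value containing a `"` or `\` breaks or alters the search; Simple XML's `|s` filter exists for this, e.g. `audit_log.username=$tok_username|s$ audit_log.level=$tok_level|s$ audit_log.ip_addr=$tok_ipaddr|s$` (the `*` "All" choice still works quoted). The same applies to `error_log.host_id="$tok_host_id$"` and `t_error_tag="$tok_error_type$"` in the Error Logs Overview (L5986, L5998, L6002) and to the entirely unquoted `header.host_id=$tok_host_id$` and `aaa_attack_id=$tok_id$` in the Techniques Detection form (L6144, L6172, L6178, L6206). Separately, the `<earliest>` values on the three dropdown searches (`-7d@h`, `-24h@h`, `-7d@h` at L5490, L5508, L5524) are inert because each query sets `earliest=`/`latest=` inline from tok_time1, so the inconsistency is only confusing; drop them or align them. Note also that each of the three dropdowns filters its own population by the other two tokens, which only resolves at load because all three default to `*`.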

@ -0,0 +1,172 @@
<form version="1.1" theme="light">
<label>Audit Logs - System Changes</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Added License Key</title>
<search>
<query>`sandfly_search_audit` audit_log.message="added license key*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<table>
<search>
<query>`sandfly_search_audit` audit_log.message="added license key*"
| rex field=audit_log.message "\(\s*(?&lt;t_license_info&gt;[^\)]+?)\s*\)"
| rename t_license_info as LicenseInfo
| eval AddedByUser='audit_log.username'
| eval TimeStamp=strftime(_time,"%x %r")
| sort - _time
| table TimeStamp LicenseInfo AddedByUser</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<single>
<title>User Accounts Created</title>
<search>
<query>`sandfly_search_audit` audit_log.message="created user*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<table>
<search>
<query>`sandfly_search_audit` audit_log.message="created user*"
| rex field=audit_log.message "'\s*(?&lt;t_username&gt;[^']+?)\s*'"
| rename t_username as NewUserName
| eval CreatedByUser='audit_log.username'
| eval TimeStamp=strftime(_time,"%x %r")
| sort - _time
| table TimeStamp NewUserName CreatedByUser</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<single>
<title>Custom Sandflies Created</title>
<search>
<query>`sandfly_search_audit` audit_log.message="created custom sandfly*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<table>
<search>
<query>`sandfly_search_audit` audit_log.message="created custom sandfly*"
| rex field=audit_log.message "\s*(?&lt;t_custom_sandfly&gt;[\S]+)$"
| rename t_custom_sandfly as CustomSandfly
| eval CreatedByUser='audit_log.username'
| eval TimeStamp=strftime(_time,"%x %r")
| sort - _time
| table TimeStamp CustomSandfly CreatedByUser</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<single>
<title>Schedules Created</title>
<search>
<query>`sandfly_search_audit` audit_log.message="created schedule*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<table>
<search>
<query>`sandfly_search_audit` audit_log.message="created schedule*"
| rex field=audit_log.message "\s*(?&lt;t_custom_schedule&gt;[\S]+)$"
| rename t_custom_schedule as CustomSchedule
| eval CreatedByUser='audit_log.username'
| eval TimeStamp=strftime(_time,"%x %r")
| sort - _time
| table TimeStamp CustomSchedule CreatedByUser</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<single>
<title>SSH Security Zones Created</title>
<search>
<query>`sandfly_search_audit` audit_log.message="SSH security zone * created"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<table>
<search>
<query>`sandfly_search_audit` audit_log.message="SSH security zone * created"
| eval SSHSecurityZone='audit_log.message'
| eval CreatedByUser='audit_log.username'
| eval TimeStamp=strftime(_time,"%x %r")
| sort - _time
| table TimeStamp SSHSecurityZone CreatedByUser</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
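Review bot: The "SSH Security Zones Created" table shows the entire message as `SSHSecurityZone` (L5708) while every other table in this form extracts the created object with `rex`; assuming the message shape implied by the filter on L5696 ("SSH security zone <name> created"), `| rex field=audit_log.message "SSH security zone\s+(?&lt;t_ssh_zone&gt;.+?)\s+created"` followed by `| rename t_ssh_zone as SSHSecurityZone` gives the same one-column-per-object layout — confirm against a real event before relying on it. Panel options are also applied unevenly across the rows: the schedules table (L5686-L5688) has `count` but no `refresh.display`, and the singles at L5572, L5604 and L5701 lack the `refresh.display` their siblings set. A short comment above the `[\S]+$` rex patterns (L5644, L5677) stating that they deliberately take the last whitespace-delimited token would save the next reader from guessing.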

@ -0,0 +1,135 @@
<form version="1.1" theme="light">
<label>Audit Logs - User Accounts</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>User Accounts Created</title>
<search>
<query>`sandfly_search_audit` audit_log.message="created user*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<single>
<title>User Accounts Deleted</title>
<search>
<query>`sandfly_search_audit` audit_log.message="deleted user*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>`sandfly_search_audit` audit_log.message="created user*"
| rex field=audit_log.message "'\s*(?&lt;t_username&gt;[^']+?)\s*'"
| rename t_username as NewUserName
| eval CreatedByUser='audit_log.username'
| eval TimeStamp=strftime(_time,"%x %r")
| table TimeStamp NewUserName CreatedByUser</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rowNumbers">true</option>
</table>
</panel>
<panel>
<table>
<search>
<query>`sandfly_search_audit` audit_log.message="deleted user*"
| rex field=audit_log.message "'\s*(?&lt;t_username&gt;[^']+?)\s*'"
| rename t_username as UserName
| eval DeletedByUser='audit_log.username'
| eval TimeStamp=strftime(_time,"%x %r")
| table TimeStamp UserName DeletedByUser</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
<row>
<panel>
<single>
<title>Passwords Changed</title>
<search>
<query>`sandfly_search_audit` audit_log.message="changed password for*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<single>
<title>User Account Details Updated</title>
<search>
<query>`sandfly_search_audit` audit_log.message="updated user*"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>`sandfly_search_audit` audit_log.message="changed password for*"
| rex field=audit_log.message "\s*(?&lt;t_username&gt;[\S]+)$"
| rename t_username as UserName
| eval ChangedByUser='audit_log.username'
| eval TimeStamp=strftime(_time,"%x %r")
| table TimeStamp UserName ChangedByUser</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rowNumbers">true</option>
</table>
</panel>
<panel>
<table>
<search>
<query>`sandfly_search_audit` audit_log.message="updated user*"
| rex field=audit_log.message "\s*(?&lt;t_username&gt;[\S]+)$"
| rename t_username as UserName
| eval UpdatedByUser='audit_log.username'
| eval TimeStamp=strftime(_time,"%x %r")
| table TimeStamp UserName UpdatedByUser</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
</form>
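Review bot: The "Passwords Changed" and "User Account Details Updated" tables show who acted and on whom but never distinguish a self-service change from an administrator changing another account, which is the case an auditor actually wants to see first; adding `| eval SelfService=if(UserName==ChangedByUser,"yes","no")` after the rename at L5831 (and the analogous line after L5847) and including the field in the `table` makes that visible at a glance. The `\s*(?&lt;t_username&gt;[\S]+)$` patterns at L5830 and L5846 take the last whitespace-delimited token; if those messages quote the username the way the "created user" messages are assumed to at L5768, the quotes end up inside `UserName`, so confirm the real message format. The created/deleted tables here (L5767-L5772, L5783-L5788) repeat the pipelines of the System Changes form (L5610-L5616) but drop `| sort - _time` and swap `count` for `rowNumbers`; keeping one canonical form of each query, or moving it into a macro like the existing `sandfly_search_audit`, avoids the two drifting apart.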

@ -0,0 +1,161 @@
<form version="1.1" theme="light">
<label>Error Logs Overview</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-30d@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_log_mode" searchWhenChanged="true">
<label>Log Mode</label>
<choice value="summary">Summary</choice>
<choice value="detailed">Detailed</choice>
<default>summary</default>
<initialValue>summary</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Error Logs - Last 30 Days</title>
<single>
<search>
<query>`sandfly_search_errors` log_mode=$tok_log_mode$ earliest=-30d@d
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Error Logs - Today</title>
<single>
<search>
<query>`sandfly_search_errors` log_mode=$tok_log_mode$ earliest=@d
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Error Logs by Error Type over Time Range</title>
<chart>
<search>
<query>`sandfly_search_errors` log_mode=$tok_log_mode$
| rex field=error_log.error_msg "(?&lt;t_error_tag&gt;[^:]*)"
| timechart count by t_error_tag</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Error Logs over Time Range by Error Type</title>
<chart>
<search>
<query>`sandfly_search_errors` log_mode=$tok_log_mode$
| rex field=error_log.error_msg "(?&lt;t_error_tag&gt;[^:]*)"
| stats count by t_error_tag</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Error Logs over Time Range by Target Address</title>
<chart>
<search>
<query>`sandfly_search_errors` log_mode=summary
| stats count by error_log.hostname</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Error Logs</title>
<input type="dropdown" token="tok_host_id" searchWhenChanged="true">
<label>Hostname (Target Address)</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>target_name</fieldForLabel>
<fieldForValue>target_id</fieldForValue>
<search>
<query>`sandfly_search_errors` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ log_mode=$tok_log_mode$
| dedup error_log.host_id
| rex field=error_log.error_msg "(?&lt;t_error_tag&gt;[^:]*)"
| search t_error_tag="$tok_error_type$"
| lookup sandfly_hosts.csv host_id AS error_log.host_id OUTPUTNEW os_info_node
| eval os_info_node = if(isnull(os_info_node) OR len(os_info_node)==0, "&lt;unknown&gt;", os_info_node)
| eval target_id = 'error_log.host_id'
| eval target_name = os_info_node + " (" + 'error_log.hostname' + ")"
| table target_id target_name
| sort target_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="tok_error_type" searchWhenChanged="true">
<label>Error Type</label>
<choice value="*">All</choice>
<fieldForLabel>t_error_tag</fieldForLabel>
<fieldForValue>t_error_tag</fieldForValue>
<search>
<query>`sandfly_search_errors` log_mode=$tok_log_mode$ earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ error_log.host_id="$tok_host_id$"
| rex field=error_log.error_msg "(?&lt;t_error_tag&gt;[^:]*)"
| dedup t_error_tag
| sort t_error_tag</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<table>
<search>
<query>`sandfly_search_errors` log_mode=$tok_log_mode$ error_log.host_id="$tok_host_id$"
| rex field=error_log.error_msg "(?&lt;t_error_tag&gt;[^:]*)"
| rex field=error_log.error_msg "[^:]:\s(?&lt;t_error_data&gt;.*)"
| eval t_error_data = if(isnull(t_error_data) OR len(t_error_data)==0, t_error_tag, t_error_data)
| search t_error_tag="$tok_error_type$"
| eval TimeStamp=strftime(_time,"%x %r")
| sort - _time
| lookup sandfly_hosts.csv host_id AS error_log.host_id OUTPUTNEW os_info_node
| eval os_info_node = if(isnull(os_info_node) OR len(os_info_node)==0, "&lt;unknown&gt;", os_info_node)
| table TimeStamp t_error_tag os_info_node error_log.hostname error_log.ip_addr error_log.queue_name t_error_data
| rename t_error_tag as ErrorType
| rename error_log.hostname as "Target Address"
| rename error_log.ip_addr as IP_Address
| rename os_info_node as "Host Name"
| rename error_log.queue_name as QueueName
| rename t_error_data as ErrorData</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
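Review bot: The "Error Logs over Time Range by Target Address" query hardcodes `log_mode=summary` (L5944) while every other search in this form uses `$tok_log_mode$`, so that pie ignores the Log Mode selector; change it to `` `sandfly_search_errors` log_mode=$tok_log_mode$ ``. In the hostname dropdown, `| dedup error_log.host_id` (L5967) runs before `| search t_error_tag="$tok_error_type$"` (L5969), so only one event per host is kept before the type filter and a host whose most recent error is of a different type drops out of the list once an error type is selected; move the `dedup` after the `search`. The two dropdowns also filter each other's population (L5969 by error type, L5986 by host), which resolves at load only because both default to `*`. As with the other forms, `<earliest>-24h@h</earliest>` on the dropdown searches (L5976, L5990) is overridden by the inline `earliest=`/`latest=` and can be dropped.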

@ -0,0 +1,64 @@
<form version="1.1" theme="dark">
<label>MITRE ATT&amp;CK Tactics and Techniques</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<title>MITRE ATT&amp;CK Tactics</title>
<table>
<search>
<query>| inputlookup mitre_tactics.csv
| table external_id name shortname description
| sort external_id
| rename external_id as "External ID"
| rename name as "Tactic Name"
| rename shortname as "Short Name"
| rename description as "Description"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">cell</option>
<drilldown>
<set token="tok_tactic">$row.Short Name$</set>
<set token="form.tok_tactic">$row.Short Name$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>MITRE ATT&amp;CK Techniques</title>
<input type="dropdown" token="tok_tactic" searchWhenChanged="true">
<label>MITRE ATT&amp;CK Tactic</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>name</fieldForLabel>
<fieldForValue>shortname</fieldForValue>
<search>
<query>| inputlookup mitre_tactics.csv
| table name shortname
| sort shortname</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>| inputlookup mitre_techniques.csv
| eval t_tactics=split(tactics,"|")
| search t_tactics="$tok_tactic$"
| table external_id name t_tactics description
| sort external_id
| rename external_id as "External ID"
| rename name as "Technique Name"
| rename t_tactics as "Tactics"
| rename description as "Description"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
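Review bot: This form is the only one in the commit with `theme="dark"` (L6025); every other dashboard uses `light`, so either the difference is intentional and deserves a comment or it should be aligned. The `<earliest>-24h@h</earliest>` / `<latest>now</latest>` pairs at L6040-L6041, L6065-L6066 and L6080-L6081 sit on searches that start with `| inputlookup`, which as far as I can tell ignore the time range entirely, so they are dead configuration. The cell drilldown at L6043-L6046 sets `tok_tactic` from `$row.Short Name$` for a click on any column; a one-line comment above `<drilldown>` stating that any cell in the row selects that tactic would make the behaviour obvious to the next editor.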

@ -0,0 +1,131 @@
<form version="1.1" theme="light">
<label>MITRE ATT&amp;CK Techniques Detection</label>
<fieldset submitButton="false">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-3d@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>`sandfly_search_alarms`
| eval aaa_tags='data.tags{}'
| fields aaa_tags header.node_name header.host_id data.name
| mvexpand aaa_tags
| search aaa_tags="attack.id.*"
| rex field=aaa_tags "^attack\.id\.(?&lt;aaa_attack_id&gt;.*)$"
| stats count by aaa_attack_id
| rename aaa_attack_id as "MITRE ATT&amp;CK Techniques"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="tok_id">$click.value$</set>
<set token="form.tok_id">$click.value$</set>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<input type="dropdown" token="tok_host_id" searchWhenChanged="true">
<label>Hostname</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>header.node_name</fieldForLabel>
<fieldForValue>header.host_id</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| eval aaa_tags='data.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.id.*"
| rex field=aaa_tags "^attack\.id\.(?&lt;aaa_attack_id&gt;.*)$"
| search aaa_attack_id=$tok_id$
| dedup header.node_name
| table header.node_name header.host_id
| sort header.node_name</query>
</search>
</input>
<input type="dropdown" token="tok_id" searchWhenChanged="true">
<label>MITRE ATT&amp;CK Techniques</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>attack_info</fieldForLabel>
<fieldForValue>aaa_attack_id</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| eval aaa_tags='data.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.id.*"
| rex field=aaa_tags "^attack\.id\.(?&lt;aaa_attack_id&gt;.*)$"
| dedup aaa_attack_id
| lookup mitre_techniques.csv external_id AS aaa_attack_id OUTPUT name as attack_name
| eval attack_info=aaa_attack_id + " (" + attack_name + ")"
| table aaa_attack_id attack_name attack_info
| sort aaa_attack_id</query>
</search>
</input>
<table>
<search>
<query>`sandfly_search_alarms` header.host_id=$tok_host_id$
| eval aaa_tags='data.tags{}'
| fields aaa_tags header.node_name header.host_id data.name
| mvexpand aaa_tags
| search aaa_tags="attack.id.*"
| rex field=aaa_tags "^attack\.id\.(?&lt;aaa_attack_id&gt;.*)$"
| search aaa_attack_id=$tok_id$
| dedup header.host_id data.name aaa_attack_id
| lookup mitre_techniques.csv external_id as aaa_attack_id OUTPUT name as attack_name
| eval aaa_attack_info=aaa_attack_id + " (" + attack_name + ")"
| lookup sandflies.csv sandfly_name as data.name OUTPUT sandfly_description
| stats list(aaa_attack_info) by header.node_name data.name sandfly_description header.host_id
| table header.node_name list(aaa_attack_info) data.name sandfly_description header.host_id
| rename header.node_name as "Hostname"
| rename data.name as "Sandfly Name"
| rename sandfly_description as "Sandfly Description"
| rename list(aaa_attack_info) as "MITRE ATT&amp;CK Techniques"
| rename header.host_id as host_id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<fields>["Hostname","MITRE ATT&amp;CK Techniques","Sandfly Name","Sandfly Description"]</fields>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security_host_alerts?form.tok_host_id=$row.host_id$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<event>
<search>
<query>`sandfly_search_alarms` header.host_id=$tok_host_id$
| eval aaa_tags='data.tags{}'
| fields aaa_tags header.node_name header.host_id data.name
| mvexpand aaa_tags
| search aaa_tags="attack.id.*"
| rex field=aaa_tags "^attack\.id\.(?&lt;aaa_attack_id&gt;.*)$"
| search aaa_attack_id=$tok_id$</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
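Review bot: The techniques table silently drops alarms it cannot enrich: `stats list(aaa_attack_info) by ... sandfly_description ...` (L6183) excludes any event whose `sandfly_description` is null, i.e. every alarm for a sandfly missing from `sandflies.csv`, and because string concatenation with a null yields null as far as I can tell, an `aaa_attack_id` absent from `mitre_techniques.csv` produces a null `aaa_attack_info` (L6181) that never reaches the list. For a detection view that is the wrong failure mode; add `| fillnull value="unknown" attack_name` after the lookup at L6180 and `| fillnull value="unknown" sandfly_description` after the lookup at L6182 so unmatched alarms stay visible and flagged. The same null-concatenation appears in the dropdown at L6165 and in the Sandflies form at L6280 (that hunk is cut off here). The drilldown link at L6197 interpolates `$row.host_id$` into a URL query string unencoded; use `$row.host_id|u$`.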

@ -0,0 +1,108 @@
<form version="1.1" theme="light">
<label>MITRE ATT&amp;CK Techniques Sandflies</label>
<fieldset submitButton="false" autoRun="false">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>`sandfly_search_sandflies`
| dedup sandfly_info.name
| eval aaa_tags='sandfly_info.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.id.*"
| rex field=aaa_tags "^attack\.id\.(?&lt;aaa_attack_id&gt;.*)$"
| stats count(sandfly_info.name) as "Sandflies" by aaa_attack_id
| rename aaa_attack_id as "MITRE ATT&amp;CK Techniques"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="tok_id">$click.value$</set>
<set token="form.tok_id">$click.value$</set>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<input type="dropdown" token="tok_id" searchWhenChanged="true">
<label>MITRE ATT&amp;CK Techniques</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>attack_info</fieldForLabel>
<fieldForValue>aaa_attack_id</fieldForValue>
<search>
<query>`sandfly_search_sandflies` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| dedup sandfly_info.name
| eval aaa_tags='sandfly_info.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.id.*"
| rex field=aaa_tags "^attack\.id\.(?&lt;aaa_attack_id&gt;.*)$"
| dedup aaa_attack_id
| lookup mitre_techniques.csv external_id AS aaa_attack_id OUTPUT name as attack_name
| eval attack_info=aaa_attack_id + " (" + attack_name + ")"
| table aaa_attack_id attack_name attack_info
| sort aaa_attack_id</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_sandflies`
| dedup sandfly_info.name
| eval aaa_tags='sandfly_info.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.id.*"
| rex field=aaa_tags "^attack\.id\.(?&lt;aaa_attack_id&gt;.*)$"
| search aaa_attack_id=$tok_id$
| lookup mitre_techniques.csv external_id as aaa_attack_id OUTPUT name as attack_name
| eval aaa_attack_info=aaa_attack_id + " (" + attack_name + ")"
| lookup sandflies.csv sandfly_name as sandfly_info.name OUTPUT sandfly_description
| stats list(aaa_attack_info) by sandfly_info.name sandfly_description
| table sandfly_info.name list(aaa_attack_info) sandfly_description
| rename sandfly_info.name as "Sandfly Name"
| rename sandfly_description as "Sandfly Description"
| rename list(aaa_attack_info) as "MITRE ATT&amp;CK Technique"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<event>
<search>
<query>`sandfly_search_sandflies`
| dedup sandfly_info.name
| eval aaa_tags='sandfly_info.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.id.*"
| rex field=aaa_tags "^attack\.id\.(?&lt;aaa_attack_id&gt;.*)$"
| search aaa_attack_id=$tok_id$</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
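Review bot: The technique label at L6297 is built with string concatenation on `attack_name`, so any technique ID missing from `mitre_techniques.csv` yields a null `aaa_attack_info` and silently drops out of the "MITRE ATT&amp;CK Technique" list instead of appearing as an unlabelled ID; the same happens to the dropdown label at L6280 and at L6181 of the preceding hunk. Making the lookup miss visible is a one-line change: `| eval aaa_attack_info=aaa_attack_id + " (" + coalesce(attack_name, "unknown") + ")"`. Separately, the dropdown search at L6272 passes `earliest=$tok_time1.earliest$ latest=$tok_time1.latest$` inline and also declares `<earliest>-24h@h</earliest>`/`<latest>now</latest>` at L6283–6284; in-query time modifiers take precedence, so the element values are dead and misleading to the next editor. Either drop the elements or set them to `<earliest>$tok_time1.earliest$</earliest>` / `<latest>$tok_time1.latest$</latest>` and remove the inline terms; the same pattern appears at L6522, L6690, L6711, L6865, L6886 and L6942.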

@ -0,0 +1,128 @@
<form version="1.1" theme="light">
<label>MITRE ATT&amp;CK Tactics Detection</label>
<fieldset submitButton="false">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-3d@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>`sandfly_search_alarms`
| eval aaa_tags='data.tags{}'
| fields aaa_tags header.node_name header.host_id data.name
| mvexpand aaa_tags
| search aaa_tags="attack.tactic.*"
| rex field=aaa_tags "^attack\.tactic\.(?&lt;aaa_attack_tactic&gt;.*)$"
| stats count by aaa_attack_tactic
| sort aaa_attack_tactic</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.axisTitleX.text">MITRE ATT&amp;CK Tactic</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="tok_tactic">$click.value$</set>
<set token="form.tok_tactic">$click.value$</set>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<input type="dropdown" token="tok_host_id" searchWhenChanged="true">
<label>Hostname</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>header.node_name</fieldForLabel>
<fieldForValue>header.host_id</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| eval aaa_tags='data.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.tactic.*"
| rex field=aaa_tags "^attack\.tactic\.(?&lt;aaa_attack_tactic&gt;.*)$"
| search aaa_attack_tactic=$tok_tactic$
| dedup header.node_name
| table header.node_name header.host_id
| sort header.node_name</query>
</search>
</input>
<input type="dropdown" token="tok_tactic" searchWhenChanged="true">
<label>MITRE ATT&amp;CK Tactics</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>aaa_attack_tactic</fieldForLabel>
<fieldForValue>aaa_attack_tactic</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| eval aaa_tags='data.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.tactic.*"
| rex field=aaa_tags "^attack\.tactic\.(?&lt;aaa_attack_tactic&gt;.*)$"
| dedup aaa_attack_tactic
| table aaa_attack_tactic
| sort aaa_attack_tactic</query>
</search>
</input>
<table>
<search>
<query>`sandfly_search_alarms` header.host_id=$tok_host_id$
| eval aaa_tags='data.tags{}'
| fields aaa_tags header.node_name header.host_id data.name
| mvexpand aaa_tags
| search aaa_tags="attack.tactic.*"
| rex field=aaa_tags "^attack\.tactic\.(?&lt;aaa_attack_tactic&gt;.*)$"
| search aaa_attack_tactic=$tok_tactic$
| dedup header.host_id data.name aaa_attack_tactic
| lookup mitre_tactics.csv shortname as aaa_attack_tactic OUTPUT name as attack_tactic_name
| lookup sandflies.csv sandfly_name as data.name OUTPUT sandfly_description
| stats list(aaa_attack_tactic) by header.node_name data.name sandfly_description header.host_id
| table header.node_name list(aaa_attack_tactic) data.name sandfly_description header.host_id
| rename header.node_name as "Hostname"
| rename data.name as "Sandfly Name"
| rename sandfly_description as "Sandfly Description"
| rename list(aaa_attack_tactic) as "MITRE ATT&amp;CK Tactics"
| rename header.host_id as host_id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<fields>["Hostname","MITRE ATT&amp;CK Tactics","Sandfly Name","Sandfly Description"]</fields>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security_host_alerts?form.tok_host_id=$row.host_id$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<event>
<search>
<query>`sandfly_search_alarms` header.host_id=$tok_host_id$
| eval aaa_tags='data.tags{}'
| fields aaa_tags header.node_name header.host_id data.name
| mvexpand aaa_tags
| search aaa_tags="attack.tactic.*"
| rex field=aaa_tags "^attack\.tactic\.(?&lt;aaa_attack_tactic&gt;.*)$"
| search aaa_attack_tactic=$tok_tactic$</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
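Review bot: The `lookup mitre_tactics.csv ... OUTPUT name as attack_tactic_name` at L6422 produces a field that nothing downstream reads — the stats, table and rename lines all use the raw `aaa_attack_tactic` shortname — so the lookup is dead work on every refresh; L6535 in the Tactics Sandflies dashboard has the same unused lookup. Either delete the line or surface the human-readable name, e.g. `| eval aaa_tactic_info=aaa_attack_tactic + " (" + coalesce(attack_tactic_name, "unknown") + ")"` and list that field in the following `stats`/`table`/`rename` lines. A smaller consistency point: the table and event searches at L6414 and L6447 use `header.host_id=$tok_host_id$` unquoted, while the drift and whitelisted dashboards quote the same token (`header.host_id="$tok_host_id$"`); if host IDs can contain characters SPL treats as separators, the unquoted form would break, so quoting here matches the rest of the app.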

@ -0,0 +1,106 @@
<form version="1.1" theme="light">
<label>MITRE ATT&amp;CK Tactics Sandflies</label>
<fieldset submitButton="false" autoRun="false">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>`sandfly_search_sandflies`
| dedup sandfly_info.name
| eval aaa_tags='sandfly_info.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.tactic.*"
| rex field=aaa_tags "^attack\.tactic\.(?&lt;aaa_attack_tactic&gt;.*)$"
| stats count(sandfly_info.name) as "Sandflies" by aaa_attack_tactic
| sort aaa_attack_tactic
| rename aaa_attack_tactic as "MITRE ATT&amp;CK Tactic"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="tok_tactic">$click.value$</set>
<set token="form.tok_tactic">$click.value$</set>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<input type="dropdown" token="tok_tactic" searchWhenChanged="true">
<label>MITRE ATT&amp;CK Tactics</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>aaa_attack_tactic</fieldForLabel>
<fieldForValue>aaa_attack_tactic</fieldForValue>
<search>
<query>`sandfly_search_sandflies` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| dedup sandfly_info.name
| eval aaa_tags='sandfly_info.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.tactic.*"
| rex field=aaa_tags "^attack\.tactic\.(?&lt;aaa_attack_tactic&gt;.*)$"
| dedup aaa_attack_tactic
| table aaa_attack_tactic
| sort aaa_attack_tactic</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_sandflies`
| dedup sandfly_info.name
| eval aaa_tags='sandfly_info.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.tactic.*"
| rex field=aaa_tags "^attack\.tactic\.(?&lt;aaa_attack_tactic&gt;.*)$"
| search aaa_attack_tactic=$tok_tactic$
| lookup mitre_tactics.csv shortname as aaa_attack_tactic OUTPUT name as attack_tactic_name
| lookup sandflies.csv sandfly_name as sandfly_info.name OUTPUT sandfly_description
| stats list(aaa_attack_tactic) by sandfly_info.name sandfly_description
| table list(aaa_attack_tactic) sandfly_info.name sandfly_description
| rename sandfly_info.name as "Sandfly Name"
| rename sandfly_description as "Sandfly Description"
| rename list(aaa_attack_tactic) as "MITRE ATT&amp;CK Tactics"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<event>
<search>
<query>`sandfly_search_sandflies`
| dedup sandfly_info.name
| eval aaa_tags='sandfly_info.tags{}'
| mvexpand aaa_tags
| search aaa_tags="attack.tactic.*"
| rex field=aaa_tags "^attack\.tactic\.(?&lt;aaa_attack_tactic&gt;.*)$"
| search aaa_attack_tactic=$tok_tactic$</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
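Review bot: The table at L6538 orders its columns `list(aaa_attack_tactic) sandfly_info.name sandfly_description`, whereas the sibling Techniques Sandflies dashboard (L6300) and the Tactics Detection table (L6425) put the sandfly name first and the technique/tactic list second. Aligning it to `| table sandfly_info.name list(aaa_attack_tactic) sandfly_description` keeps the four MITRE dashboards reading the same way when a user switches between them.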

@ -0,0 +1,172 @@
<form version="1.1" theme="light">
<label>Sandfly Security - Drift Detection</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Total Drift Results</title>
<single>
<search>
<query>`sandfly_search_drift`
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Containerized Drift Results</title>
<single>
<search>
<query>`sandfly_search_drift` containerized=true
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<title>Total Hosts with Drift Results</title>
<single>
<search>
<query>`sandfly_search_drift`
| dedup "header.host_id"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Total Drift Results by Host</title>
<chart>
<search>
<query>`sandfly_search_drift`
| stats count by header.node_name</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Total Drift Results by Sandfly</title>
<chart>
<search>
<query>`sandfly_search_drift`
| stats count by data.name
| sort -count
| head 10</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.axisTitleX.text">Sandfly Name</option>
<option name="charting.axisTitleY.text">Number of Results</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Total Drift Results over Time by Host</title>
<chart>
<search>
<query>`sandfly_search_drift`
| timechart count by header.node_name</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<input type="dropdown" token="tok_host_id" searchWhenChanged="true">
<label>Hostname</label>
<choice value="*">All</choice>
<fieldForLabel>target_name</fieldForLabel>
<fieldForValue>target_id</fieldForValue>
<search>
<query>`sandfly_search_drift` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| search data.name="$tok_sandfly$"
| search containerized="$tok_container$"
| dedup header.host_id
| eval target_id = 'header.host_id'
| eval target_addr = 'header.hostname'
| eval target_name = 'header.node_name' + " (" + 'header.hostname' + ")"
| table target_id target_name
| sort target_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_sandfly" searchWhenChanged="true">
<label>Sandfly Name</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>sandfly_name</fieldForLabel>
<fieldForValue>sandfly_name</fieldForValue>
<search>
<query>`sandfly_search_drift` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| search header.host_id="$tok_host_id$"
| search containerized="$tok_container$"
| dedup data.name
| eval sandfly_name='data.name'
| table sandfly_name
| sort sandfly_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="tok_container" searchWhenChanged="true">
<label>Containerized</label>
<choice value="*">All</choice>
<choice value="true">True</choice>
<choice value="false">False</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<table>
<search>
<query>`sandfly_search_drift` header.host_id="$tok_host_id$" data.name="$tok_sandfly$" containerized="$tok_container$"
| dedup header.host_id data.key_data
| table _time header.hostname header.ip_addr header.node_name data.name containerized data.key_data data.results.explanation
| rename header.hostname as "Target Address"
| rename header.ip_addr as "IP Address"
| rename header.node_name as "Hostname"
| rename data.name as "Sandfly Name"
| rename containerized as "Containerized"
| rename data.key_data as "Key Forensic"
| rename data.results.explanation as "Explanation"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
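Review bot: `| eval target_addr = 'header.hostname'` at L6686 is never referenced — the following `table target_id target_name` keeps only the other two fields — so the line is dead and should be removed; L6861 in the Whitelisted Results dashboard carries the same leftover. A second point worth a comment in the dashboard: the detail table at L6726 applies `dedup header.host_id data.key_data`, while the "Total Drift Results" single-value panel at L6588–6589 counts every event, so the headline number and the table's row count will disagree whenever the same key data is reported more than once in the window. If the dedup is intentional (one row per host/key), say so in a `<title>` or a panel `<description>`, or apply the same dedup to the count; L6901 in the Whitelisted Results table has the identical mismatch against its L6762–6763 count.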

@ -0,0 +1,173 @@
<form version="1.1" theme="light">
<label>Sandfly Security - Whitelisted Results</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Total Whitelisted Results</title>
<single>
<search>
<query>`sandfly_search_results_whitelisted`
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Containerized Whitelisted Results</title>
<single>
<search>
<query>`sandfly_search_results_whitelisted` containerized=true
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Total Hosts with Whitelisted Results</title>
<single>
<search>
<query>`sandfly_search_results_whitelisted`
| dedup "header.host_id"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>Total Whitelisted Results by Host</title>
<chart>
<search>
<query>`sandfly_search_results_whitelisted`
| stats count by header.node_name</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Total Whitelisted Results by Sandfly</title>
<chart>
<search>
<query>`sandfly_search_results_whitelisted`
| stats count by data.name
| sort -count
| head 10</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.axisTitleX.text">Sandfly Name</option>
<option name="charting.axisTitleY.text">Number of Results</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Total Whitelisted Results over Time by Host</title>
<chart>
<search>
<query>`sandfly_search_results_whitelisted`
| timechart count by header.node_name</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<input type="dropdown" token="tok_host_id" searchWhenChanged="true">
<label>Hostname</label>
<choice value="*">All</choice>
<fieldForLabel>target_name</fieldForLabel>
<fieldForValue>target_id</fieldForValue>
<search>
<query>`sandfly_search_results_whitelisted` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| search data.name="$tok_sandfly$"
| search containerized="$tok_container$"
| dedup header.host_id
| eval target_id = 'header.host_id'
| eval target_addr = 'header.hostname'
| eval target_name = 'header.node_name' + " (" + 'header.hostname' + ")"
| table target_id target_name
| sort target_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_sandfly" searchWhenChanged="true">
<label>Sandfly Name</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>sandfly_name</fieldForLabel>
<fieldForValue>sandfly_name</fieldForValue>
<search>
<query>`sandfly_search_results_whitelisted` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| search header.host_id="$tok_host_id$"
| search containerized="$tok_container$"
| dedup data.name
| eval sandfly_name='data.name'
| table sandfly_name
| sort sandfly_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="tok_container" searchWhenChanged="true">
<label>Containerized</label>
<choice value="*">All</choice>
<choice value="true">True</choice>
<choice value="false">False</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<table>
<search>
<query>`sandfly_search_results_whitelisted` header.host_id="$tok_host_id$" data.name="$tok_sandfly$" containerized="$tok_container$"
| dedup header.host_id data.key_data
| table _time header.hostname header.ip_addr header.node_name data.name containerized data.key_data data.results.explanation
| rename header.hostname as "Target Address"
| rename header.ip_addr as "IP Address"
| rename header.node_name as "Hostname"
| rename data.name as "Sandfly Name"
| rename containerized as "Containerized"
| rename data.key_data as "Key Forensic"
| rename data.results.explanation as "Explanation"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>

@ -0,0 +1,294 @@
<form version="1.1" theme="dark">
<label>Sandfly Security - Host Details</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_host_id" searchWhenChanged="true">
<label>Hostname (Target Address)</label>
<fieldForLabel>target_name</fieldForLabel>
<fieldForValue>target_id</fieldForValue>
<search>
<query>`sandfly_search_hosts_summary` host_summary.active="true" earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| dedup host_summary.host_id
| eval target_id = 'host_summary.host_id'
| eval target_name = 'host_summary.os_info_node' + " (" + 'host_summary.hostname' + ")"
| table target_id target_name
| sort target_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<title>Alerts</title>
<single>
<search>
<query>`sandfly_search_hosts_summary` host_summary.host_id="$tok_host_id$"
| dedup "host_summary.host_id"
| table host_summary.results_alert</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">all</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Alerts detected by Sandfly.</option>
<option name="unit">Alerts</option>
<option name="useColors">1</option>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security_host_alerts?form.tok_host_id=$tok_host_id$</link>
</drilldown>
</single>
</panel>
<panel>
<title>Pass</title>
<single>
<search>
<query>`sandfly_search_hosts_summary` host_summary.host_id="$tok_host_id$"
| dedup "host_summary.host_id"
| table host_summary.results_pass</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Sandflies passed.</option>
<option name="unit">Pass</option>
</single>
</panel>
<panel>
<title>Errors</title>
<single>
<search>
<query>`sandfly_search_hosts_summary` host_summary.host_id="$tok_host_id$"
| dedup "host_summary.host_id"
| table host_summary.results_error</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Errors whilst scanning.</option>
<option name="unit">Errors</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Host Last Scan</title>
<table>
<search>
<query>`sandfly_search_hosts_summary` host_summary.host_id="$tok_host_id$"
| dedup "host_summary.host_id"
| rename host_summary.date_last_scan as date_last_scan
| eval last_scan_epoch = strptime(date_last_scan, "%Y-%m-%dT%H:%M:%S%Z")
| eval local_last_scan = strftime(last_scan_epoch, "%Y-%m-%dT%H:%M:%S %Z")
| eval time_diff = ceiling(now() - last_scan_epoch)
| eval temp_duration = tostring(time_diff, "duration")
| eval host_last_scan=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes")
| table date_last_scan local_last_scan host_last_scan
| rename date_last_scan as "Date Last Scan (UTC)"
| rename local_last_scan as "Date Last Scan (Local Time)"
| rename host_last_scan as "Time Since Last Scan"
| transpose
| rename "row 1" as "Date/Time"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Host Details</title>
<table>
<search>
<query>`sandfly_search_hosts_details` host_details.host_id="$tok_host_id$"
| dedup "host_details.host_id"
| table host_details.hostname host_details.data.os.info.node host_details.last_seen_ip_addr host_details.first_seen_ip_addr host_details.host_id host_details.data.os.info.os_release.pretty_name host_details.data.os.info.platform host_details.data.os.info.release host_details.data.os.hardware.cpu.model_name host_details.data.os.info.arch host_details.tags{}
| rename host_details.hostname as "Target Address"
| rename host_details.data.os.info.node as "Hostname"
| rename host_details.last_seen_ip_addr as "Last Seen IP Address"
| rename host_details.first_seen_ip_addr as "First Seen IP Address"
| rename host_details.host_id as "Host ID"
| rename host_details.data.os.info.os_release.pretty_name as "Distribution"
| rename host_details.data.os.info.platform as "Platform"
| rename host_details.data.os.info.release as "Release"
| rename host_details.data.os.hardware.cpu.model_name as "CPU Model"
| rename host_details.data.os.info.arch as "Arch"
| rename host_details.tags{} as "Tags"
| transpose header_field="Host"
| rename "row 1" as "Details"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">15</option>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<title>Operational Status</title>
<table>
<search>
<query>`sandfly_search_hosts_summary` host_summary.host_id="$tok_host_id$"
| dedup "host_summary.host_id"
| table host_summary.os_info_uptime_days host_summary.os_info_uptime_date host_summary.date_last_scan host_summary.date_last_seen host_summary.date_first_seen host_summary.queue_name host_summary.credentials_id host_summary.authentication_status host_summary.jump_hosts{}
| rename host_summary.os_info_uptime_days as "Uptime (days)"
| rename host_summary.os_info_uptime_date as "Uptime (Date)"
| rename host_summary.date_last_scan as "Date Last Scan"
| rename host_summary.date_last_seen as "Date Last Seen"
| rename host_summary.date_first_seen as "Date First Seen"
| rename host_summary.queue_name as "Queue Name"
| rename host_summary.credentials_id as "Credential"
| rename host_summary.authentication_status as "Authentication Status"
| rename host_summary.jump_hosts{} as "Jump Hosts"
| transpose</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">15</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel depends="$all_panel_show$">
<title>Whitelists - All Hosts</title>
<table>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.active=* whitelist_rule.all_hosts="true"
| dedup whitelist_rule.id
| eval whitelist_type=if('whitelist_rule.exclude_sandfly'=="true", "Disable Sandfly", "Match Rules")
| eval is_active=if('whitelist_rule.active'=="true","True","False")
| table is_active whitelist_rule.id whitelist_rule.sandfly whitelist_type
| rename is_active as "Active"
| rename whitelist_rule.id as "ID"
| rename whitelist_rule.sandfly as "Sandfly"
| rename whitelist_type as "Whitelist Type"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
<progress>
<condition match="'job.resultCount' &gt; 0">
<set token="all_panel_show">true</set>
</condition>
<condition>
<unset token="all_panel_show"></unset>
</condition>
</progress>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel depends="$host_panel_show$">
<title>Whitelists - by Host ID</title>
<table>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.active=* whitelist_rule.all_hosts="false"
| dedup whitelist_rule.id
| eval num_host_ids=mvcount('whitelist_rule.host_ids{}')
| fillnull value=0 num_host_ids
| search num_host_ids&gt;0
| eval aaa_host_found=if(isnull(mvfind('whitelist_rule.host_ids{}', "$tok_host_id$")), "false", "true")
| search aaa_host_found="true"
| eval whitelist_type=if('whitelist_rule.exclude_sandfly'=="true", "Disable Sandfly", "Match Rules")
| eval is_active=if('whitelist_rule.active'=="true","True","False")
| table is_active whitelist_rule.id whitelist_rule.sandfly whitelist_type
| rename is_active as "Active"
| rename whitelist_rule.id as "ID"
| rename whitelist_rule.sandfly as "Sandfly"
| rename whitelist_type as "Whitelist Type"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
<progress>
<condition match="'job.resultCount' &gt; 0">
<set token="host_panel_show">true</set>
</condition>
<condition>
<unset token="host_panel_show"></unset>
</condition>
</progress>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel depends="$tags_panel_show$">
<title>Whitelists - by Tags</title>
<table>
<search>
<progress>
<condition match="'job.resultCount' &gt; 0">
<set token="tags_panel_show">true&gt;</set>
</condition>
<condition>
<unset token="tags_panel_show"></unset>
</condition>
</progress>
<query>`sandfly_search_hosts_summary` host_summary.host_id="$tok_host_id$"
| dedup "host_summary.host_id"
| eval num_tags=mvcount('host_summary.tags{}')
| fillnull value=0 num_tags
| search num_tags&gt;0
| eval aaa_tag='host_summary.tags{}'
| mvexpand aaa_tag
| map
[ search `sandfly_search_whitelist` whitelist_rule.active=*
| dedup whitelist_rule.id
| eval aaa_host_tag="$$aaa_tag$$"
| eval aaa_tag_found=if(isnull(mvfind('whitelist_rule.host_tags{}', aaa_host_tag)), "false", "true")
| search aaa_tag_found="true"]
| eval whitelist_type=if('whitelist_rule.exclude_sandfly'=="true", "Disable Sandfly", "Match Rules")
| eval is_active=if('whitelist_rule.active'=="true","True","False")
| table is_active aaa_host_tag whitelist_rule.id whitelist_rule.sandfly whitelist_type
| rename is_active as "Active"
| rename aaa_host_tag as "Tag"
| rename whitelist_rule.id as "ID"
| rename whitelist_rule.sandfly as "Sandfly"
| rename whitelist_type as "Whitelist Type"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Host Summary Raw Event</title>
<event>
<search>
<query>`sandfly_search_hosts_summary` host_summary.host_id="$tok_host_id$"
| dedup "host_summary.host_id"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
<panel>
<title>Host Details Raw Event</title>
<event>
<search>
<query>`sandfly_search_hosts_details` host_details.host_id="$tok_host_id$"
| dedup "host_details.host_id"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
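Review bot: The regex at L7019, `(\d*)\+*(\d+):(\d+):(\d+)`, mis-splits durations under one day: for a `tostring(..., "duration")` value like `12:15:30` the greedy `(\d*)` backtracks to `1` so the panel reports "1 days 2 hours 15 minutes" instead of 12 hours. Anchoring and making the day group optional fixes it: `| rex field=temp_duration "^(?:(?&lt;scan_days&gt;\d+)\+)?(?&lt;scan_hours&gt;\d+):(?&lt;scan_mins&gt;\d+):\d+"`, `| fillnull value=0 scan_days`, `| eval host_last_scan=scan_days + " days " + scan_hours + " hours " + scan_mins + " minutes"`. At L7152 the token is set to `true&gt;` (a stray `&gt;`), which still satisfies `depends="$tags_panel_show$"` but differs from the `true` used by the sibling panels at L7104 and L7136; the same panel also places `<progress>` before `<query>` while the other two put it after `<latest>`, so the three should be made consistent. Finally, `mvfind` at L7123 and L7169 matches its second argument as a regex, so a host ID or tag that is a prefix of another would also match — if that can happen in the data, anchoring the pattern (or comparing with `mvindex`/`in` semantics) would keep the whitelist panels from over-reporting.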

@ -0,0 +1,140 @@
<form version="1.1" theme="dark">
<label>Sandfly Security - Hosts</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Total Unique Hosts</title>
<single>
<search>
<query>`sandfly_search_hosts_summary`
| dedup "host_summary.host_id"
| stats count</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>OS Release Names</title>
<chart>
<search>
<query>`sandfly_search_hosts_summary`
| dedup "host_summary.host_id"
| eval os_release_name = 'host_summary.os_info_os_release_pretty_name'
| stats count by os_release_name</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>System Architecture</title>
<chart>
<search>
<query>`sandfly_search_hosts_summary`
| dedup "host_summary.host_id"
| eval arch='host_summary.os_info_arch'
| eval arch=if(arch="", "unknown", arch)
| stats count by arch</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Active Hosts</title>
<table>
<search>
<query>`sandfly_search_hosts_summary` host_summary.active="true"
| dedup "host_summary.host_id"
| table host_summary.os_info_node host_summary.hostname host_summary.last_seen_ip_addr host_summary.os_info_os_release_pretty_name host_summary.tags{} host_summary.jump_hosts{} host_summary.authentication_status host_summary.credentials_id host_summary.results_alert host_summary.results_pass host_summary.results_error host_summary.os_info_uptime_days host_summary.date_last_scan host_summary.host_id
| rename host_summary.os_info_node as "Hostname"
| rename host_summary.hostname as "Target Address"
| rename host_summary.last_seen_ip_addr as "IP Address"
| rename host_summary.os_info_os_release_pretty_name as "OS"
| rename host_summary.tags{} as "Tags"
| rename host_summary.jump_hosts{} as "Jump Hosts"
| rename host_summary.authentication_status as "Auth Status"
| rename host_summary.credentials_id as "Credential"
| rename host_summary.results_alert as "Alerts"
| rename host_summary.results_pass as "Passing"
| rename host_summary.results_error as "Errors"
| rename host_summary.os_info_uptime_days as "Uptime (Days)"
| rename host_summary.date_last_scan as "Last Scan"
| rename host_summary.host_id as "host_id"</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
<fields>["Hostname","Target Address","IP Address","OS","Tags","Jump Hosts","Auth Status","Credential","Alerts","Passing","Errors","Uptime (Days)","Last Scan"]</fields>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security__host_details?form.tok_host_id=$row.host_id$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Inactive Hosts</title>
<table>
<search>
<query>`sandfly_search_hosts_summary` host_summary.active="false"
| dedup "host_summary.host_id"
| eval date_last_scan='host_summary.date_last_scan'
| eval date_last_scan=if(isnull(date_last_scan) OR len(date_last_scan)==0 OR date_last_scan=="null", "N/A", date_last_scan)
| table host_summary.hostname host_summary.os_info_os_release_pretty_name host_summary.active host_summary.tags{} host_summary.jump_hosts{} host_summary.authentication_status host_summary.credentials_id date_last_scan
| rename host_summary.hostname as "Target Address"
| rename host_summary.os_info_os_release_pretty_name as "OS"
| rename host_summary.active as "Active"
| rename host_summary.tags{} as "Tags"
| rename host_summary.jump_hosts{} as "Jump Hosts"
| rename host_summary.authentication_status as "Auth Status"
| rename host_summary.credentials_id as "Credential"
| rename date_last_scan as "Last Scan"</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Raw Event</title>
<event>
<search>
<query>`sandfly_search_hosts_summary`
| dedup "host_summary.host_id"</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
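Review bot: The System Architecture chart silently drops hosts whose `host_summary.os_info_arch` field is absent: `eval arch=if(arch="", "unknown", arch)` only catches an empty string, and when the source field is missing the comparison yields null, so `stats count by arch` excludes the event instead of bucketing it under "unknown". The Inactive Hosts table in the same form already handles the null case for `date_last_scan` with an `isnull()` test, so the two guards should agree. Replace the line with `| eval arch=if(isnull(arch) OR arch="", "unknown", arch)` (or `| fillnull value="unknown" arch`). Hosts with no OS metadata are plausibly the ones whose scans or authentication failed, which is a reason to surface them rather than hide them.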

@ -0,0 +1,196 @@
<form version="1.1" theme="dark">
<label>Sandfly Security - Hosts by Tags</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_tag" searchWhenChanged="true">
<label>Tags</label>
<choice value="*">All</choice>
<choice value="&quot;&quot;">NO TAGS</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>aaa_host_tag</fieldForLabel>
<fieldForValue>aaa_host_tag</fieldForValue>
<search>
<query>`sandfly_search_hosts_summary` earliest=$tok_time.earliest$ latest=$tok_time.latest$
| dedup host_summary.host_id
| eval num_tags=mvcount('host_summary.tags{}')
| fillnull value=0 num_tags
| search num_tags&gt;0
| eval aaa_host_tag='host_summary.tags{}'
| mvexpand aaa_host_tag
| dedup aaa_host_tag
| table aaa_host_tag
| sort aaa_host_tag</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<title>Total Unique Hosts</title>
<single>
<search>
<query>`sandfly_search_hosts_summary`
| dedup host_summary.host_id
| eval aaa_host_tag='host_summary.tags{}'
| mvexpand aaa_host_tag
| search aaa_host_tag="$tok_tag$"
| dedup host_summary.host_id
| stats count</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<title>OS Release Names</title>
<chart>
<search>
<query>`sandfly_search_hosts_summary`
| dedup "host_summary.host_id"
| eval aaa_host_tag='host_summary.tags{}'
| mvexpand aaa_host_tag
| search aaa_host_tag="$tok_tag$"
| dedup host_summary.host_id
| eval os_release_name = 'host_summary.os_info_os_release_pretty_name'
| stats count by os_release_name</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>System Architecture</title>
<chart>
<search>
<query>`sandfly_search_hosts_summary`
| dedup "host_summary.host_id"
| eval aaa_host_tag='host_summary.tags{}'
| mvexpand aaa_host_tag
| search aaa_host_tag="$tok_tag$"
| dedup host_summary.host_id
| eval arch='host_summary.os_info_arch'
| eval arch=if(arch="", "unknown", arch)
| stats count by arch</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Active Hosts</title>
<table>
<search>
<query>`sandfly_search_hosts_summary` host_summary.active="true"
| dedup "host_summary.host_id"
| eval aaa_host_tag='host_summary.tags{}'
| mvexpand aaa_host_tag
| search aaa_host_tag="$tok_tag$"
| dedup host_summary.host_id
| table host_summary.os_info_node host_summary.hostname host_summary.last_seen_ip_addr host_summary.os_info_os_release_pretty_name host_summary.tags{} host_summary.jump_hosts{} host_summary.authentication_status host_summary.credentials_id host_summary.results_alert host_summary.results_pass host_summary.results_error host_summary.os_info_uptime_days host_summary.date_last_scan host_summary.host_id
| rename host_summary.os_info_node as "Hostname"
| rename host_summary.hostname as "Target Address"
| rename host_summary.last_seen_ip_addr as "IP Address"
| rename host_summary.os_info_os_release_pretty_name as "OS"
| rename host_summary.tags{} as "Tags"
| rename host_summary.jump_hosts{} as "Jump Hosts"
| rename host_summary.authentication_status as "Auth Status"
| rename host_summary.credentials_id as "Credential"
| rename host_summary.results_alert as "Alerts"
| rename host_summary.results_pass as "Passing"
| rename host_summary.results_error as "Errors"
| rename host_summary.os_info_uptime_days as "Uptime (Days)"
| rename host_summary.date_last_scan as "Last Scan"
| rename host_summary.host_id as "host_id"</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
<fields>["Hostname","Target Address","IP Address","OS","Tags","Jump Hosts","Auth Status","Credential","Alerts","Passing","Errors","Uptime (Days)","Last Scan"]</fields>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security__host_details?form.tok_host_id=$row.host_id$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel depends="$inactive_panel_show$">
<title>Inactive Hosts</title>
<table>
<search>
<progress>
<condition match="'job.resultCount' &gt; 0">
<set token="inactive_panel_show">true</set>
</condition>
<condition>
<unset token="inactive_panel_show"></unset>
</condition>
</progress>
<query>`sandfly_search_hosts_summary` host_summary.active="false"
| dedup "host_summary.host_id"
| eval aaa_host_tag='host_summary.tags{}'
| mvexpand aaa_host_tag
| search aaa_host_tag="$tok_tag$"
| dedup host_summary.host_id
| eval date_last_scan='host_summary.date_last_scan'
| eval date_last_scan=if(isnull(date_last_scan) OR len(date_last_scan)==0 OR date_last_scan=="null", "N/A", date_last_scan)
| table host_summary.hostname host_summary.os_info_os_release_pretty_name host_summary.active host_summary.tags{} host_summary.jump_hosts{} host_summary.authentication_status host_summary.credentials_id date_last_scan
| rename host_summary.hostname as "Target Address"
| rename host_summary.os_info_os_release_pretty_name as "OS"
| rename host_summary.active as "Active"
| rename host_summary.tags{} as "Tags"
| rename host_summary.jump_hosts{} as "Jump Hosts"
| rename host_summary.authentication_status as "Auth Status"
| rename host_summary.credentials_id as "Credential"
| rename date_last_scan as "Last Scan"</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Raw Event</title>
<event>
<search>
<query>`sandfly_search_hosts_summary`
| dedup "host_summary.host_id"
| eval aaa_host_tag='host_summary.tags{}'
| mvexpand aaa_host_tag
| search aaa_host_tag="$tok_tag$"
| dedup host_summary.host_id</query>
<earliest>$tok_time.earliest$</earliest>
<latest>$tok_time.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
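Review bot: The tag filter's All choice appears to exclude untagged hosts: after `eval aaa_host_tag='host_summary.tags{}'` a host with no tags has a null field, and `search aaa_host_tag="*"` matches only events where the field exists, so Total Unique Hosts and the host tables under All count fewer hosts than the Hosts dashboard does. The NO TAGS choice has the mirror-image problem, since `search aaa_host_tag=""` compares against an empty string rather than a null field and probably matches nothing. A fixed sentinel fixes both: use `| eval aaa_host_tag=coalesce('host_summary.tags{}', "NO_TAGS")` in each panel and change the dropdown choice to `<choice value="NO_TAGS">NO TAGS</choice>`. The populating search at the top of the form can keep its `num_tags>0` filter so the sentinel is not offered twice.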

@ -0,0 +1,67 @@
<form version="1.1">
<label>Sandfly Security - SSH authorized_keys File Created</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time_range" searchWhenChanged="true">
<label>Time Range (Events)</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="tok_time_file" searchWhenChanged="true">
<label>Time Range (File Created)</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Number of authorized_keys Files Created</title>
<search>
<query>`sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path
| rename header.hostname as host_name
| rename data.results.user.username as user_name
| dedup host_name user_name
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")
| where aaa_date_created_epoch &gt;= relative_time(now(), "$tok_time_file.earliest$")
| stats count</query>
<earliest>$tok_time_range.earliest$</earliest>
<latest>$tok_time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<table>
<search>
<query>`sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path
| rename header.hostname as target_address
| rename header.ip_addr as ip_address
| rename header.node_name as host_name
| rename data.results.user.username as user_name
| dedup host_name user_name
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")
| where aaa_date_created_epoch &gt;= relative_time(now(), "$tok_time_file.earliest$")
| table aaa_date_created host_name target_address ip_address user_name aaa_file_path
| rename aaa_date_created as "Date Created"
| rename host_name as "Hostname"
| rename target_address as "Target Address"
| rename ip_address as "IP Address"
| rename user_name as "Username"
| rename aaa_file_path as "File Path"</query>
<earliest>$tok_time_range.earliest$</earliest>
<latest>$tok_time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
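Review bot: The two panels deduplicate on different host identities, so the count and the table can disagree: the single-value panel renames `header.hostname` to `host_name` before `dedup host_name user_name`, while the table renames `header.node_name` to `host_name` and dedups on that. If several targets report the same node name, the table collapses them into one row and under-reports newly created authorized_keys files, which is the persistence signal this dashboard exists to surface; dedup both panels on a stable per-target key, e.g. `| dedup header.host_id user_name`, or at least on `target_address user_name` in the table. Separately, `relative_time(now(), "$tok_time_file.earliest$")` only works when the picker yields a relative modifier; an absolute range supplies an epoch string, which I believe returns null and filters every row, and `$tok_time_file.latest$` is never applied. The creation time is presumably read from the file's own metadata on the scanned host, which anyone with write access can reset, so the panel should be read as a hint rather than ground truth.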

@ -0,0 +1,185 @@
<form version="1.1">
<label>Sandfly Security - SSH authorized_keys File Report</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>User Names with SSH authorized_keys File Present</title>
<chart>
<search>
<query>`sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"
| stats count by data.results.user.username</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Duplicate SSH Keys Found</title>
<single>
<search>
<query>`sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" data.results.user.ssh.authorized_keys.duplicate_found
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
<row>
<panel>
<title>SSH authorized_keys File Accessed Today</title>
<table>
<search>
<query>`sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"
| rename data.results.user.ssh.authorized_keys.file{}.date.accessed as aaa_date_accessed
| rename header.hostname as host_name
| rename data.results.user.username as user_name
| dedup host_name user_name
| eval aaa_date_accessed_epoch = strptime(aaa_date_accessed, "%Y-%m-%dT%H:%M:%SZ")
| where aaa_date_accessed_epoch &gt;= relative_time(now(), "@d")
| table host_name user_name aaa_date_accessed
| rename host_name as "Host Name", user_name as "User Name", aaa_date_accessed as "Date Accessed"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<title>SSH authorized_keys File Modified Today</title>
<table>
<search>
<query>`sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"
| rename data.results.user.ssh.authorized_keys.file{}.date.modified as aaa_date_modified
| rename header.hostname as host_name
| rename data.results.user.username as user_name
| dedup host_name user_name
| eval aaa_date_modified_epoch = strptime(aaa_date_modified, "%Y-%m-%dT%H:%M:%SZ")
| where aaa_date_modified_epoch &gt;= relative_time(now(), "@d")
| table host_name user_name aaa_date_modified
| rename host_name as "Host Name", user_name as "User Name", aaa_date_modified as "Date Modified"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<title>SSH authorized_keys File Created Today</title>
<table>
<search>
<query>`sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created
| rename header.hostname as host_name
| rename data.results.user.username as user_name
| dedup host_name user_name
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")
| where aaa_date_created_epoch &gt;= relative_time(now(), "@d")
| table host_name user_name aaa_date_created
| rename host_name as "Host Name", user_name as "User Name", aaa_date_created as "Date Created"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Hosts with Immutable SSH authorized_keys File Alerts</title>
<table>
<search>
<query>`sandfly_search_alarms` data.engine="sandfly_engine_user" data.name="user_ssh_authorized_keys_immutable" data.status="alert"
| dedup header.host_id
| table header.node_name header.hostname header.ip_addr data.results.explanation
| rename header.node_name as "Hostname"
| rename header.hostname as "Target Address"
| rename header.ip_addr as "IP Address"
| rename data.results.explanation as Explanation</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>User Names Associated with Specific SSH Key</title>
<table>
<search>
<query>`sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"
| spath output=aaa_keys path=data.results.user.ssh.authorized_keys.data{}.key
| mvexpand aaa_keys
| eval aaa_keys_count = mvcount(aaa_keys)
| eval aaa_keys_len = len(aaa_keys)
| where aaa_keys_len &gt; 0
| fields aaa_keys header.hostname data.results.user.username
| rename aaa_keys as ssh_key, header.hostname as host_name, data.results.user.username as user_name
| dedup ssh_key, user_name, host_name
| stats values(user_name) as "User Names" by ssh_key
| rename ssh_key as "SSH Key"
| table "User Names", "SSH Key"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>SSH authorized_keys File Last Accessed, Last Modified and Created</title>
<table>
<search>
<query>`sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"
| rename data.results.user.ssh.authorized_keys.file{}.date.accessed_minutes as aaa_date_accessed_minutes
| rename data.results.user.ssh.authorized_keys.file{}.date.accessed as aaa_date_accessed
| eval temp_duration1 = tostring(aaa_date_accessed_minutes*60, "duration")
| eval aaa_accessed_duration=replace(temp_duration1,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs")
| rename data.results.user.ssh.authorized_keys.file{}.date.created_minutes as aaa_date_created_minutes
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created
| eval temp_duration2 = tostring(aaa_date_created_minutes*60, "duration")
| eval aaa_created_duration=replace(temp_duration2,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs")
| rename data.results.user.ssh.authorized_keys.file{}.date.modified_minutes as aaa_date_modified_minutes
| rename data.results.user.ssh.authorized_keys.file{}.date.modified as aaa_date_modified
| eval temp_duration3 = tostring(aaa_date_modified_minutes*60, "duration")
| eval aaa_modified_duration=replace(temp_duration3,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs")
| rename header.hostname as target_address
| rename data.results.user.username as user_name
| dedup target_address user_name
| table header.node_name target_address header.ip_addr user_name aaa_accessed_duration aaa_modified_duration aaa_created_duration
| sort aaa_date_accessed_minutes
| rename header.node_name as "Hostname"
| rename target_address as "Target Address"
| rename header.ip_addr as "IP Address"
| rename user_name as "Username"
| rename aaa_accessed_duration as "Last Accessed"
| rename aaa_modified_duration as "Last Modified"
| rename aaa_created_duration as "Created"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
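Review bot: The Duplicate SSH Keys Found panel uses the bare term `data.results.user.ssh.authorized_keys.duplicate_found` as a search predicate, which is a keyword match against the raw event rather than a field-value test; depending on how the JSON tokenizes it either matches every event that carries the key (including `duplicate_found: false`) or nothing at all. Given the sibling filter `present="true"`, the intent is presumably `data.results.user.ssh.authorized_keys.duplicate_found="true"`; as written the number is not a reliable indicator of key reuse across accounts. The same panel also counts events rather than accounts, so a host scanned several times inside the range is counted several times; adding `| dedup header.host_id data.results.user.username` before `stats count` would match the per-host/per-user dedup the file-date panels in this form already use.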

@ -0,0 +1,352 @@
<form version="1.1">
<label>Sandfly Security Daily Snapshot</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="myTime1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="t_status" searchWhenChanged="true">
<label>Status</label>
<choice value="alert">Alarms</choice>
<choice value="pass">Passed</choice>
<choice value="error">Errors</choice>
<default>alert,pass</default>
<initialValue>alert,pass</initialValue>
<valuePrefix>data.status="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row>
<panel>
<title>Total Events Trend Previous 7 Days</title>
<single>
<search>
<query>`sandfly_search` $t_status$ earliest=-8d@d latest=-1d@d
| timechart count</query>
<earliest>-8d@d</earliest>
<latest>@d</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">115</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Total Events Today</title>
<single>
<search>
<query>`sandfly_search` $t_status$ earliest=@d
| stats count</query>
<earliest>@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">115</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Total Events Last Hour</title>
<single>
<search>
<query>`sandfly_search` $t_status$
| stats count</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">115</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Total Events Over Time Range</title>
<chart>
<search>
<query>`sandfly_search` $t_status$
| timechart count</query>
<earliest>$myTime1.earliest$</earliest>
<latest>$myTime1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Time Range</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Alarms by Status Over Time Range</title>
<chart>
<search>
<query>`sandfly_search`
| stats count by data.status</query>
<earliest>$myTime1.earliest$</earliest>
<latest>$myTime1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Alarm Status</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Events by Target Address Over Time Range</title>
<chart>
<search>
<query>`sandfly_search` $t_status$
| rename header.hostname as TargetAddress
| stats count by TargetAddress</query>
<earliest>$myTime1.earliest$</earliest>
<latest>$myTime1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security_host_investigation?form.t_hostname=$click.value$&amp;form.t_status=fail&amp;form.t_status=pass</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<title>Top 10 Target Addresses over Time Range</title>
<chart>
<search>
<query>`sandfly_search` $t_status$
| rename header.hostname as TargetAddress
| top limit=10 TargetAddress</query>
<earliest>$myTime1.earliest$</earliest>
<latest>$myTime1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security_host_investigation?form.t_hostname=$click.value$&amp;form.t_status=fail&amp;form.t_status=pass</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<title>Top 10 Sandflies over Time Range</title>
<chart>
<search>
<query>`sandfly_search` $t_status$
| lookup sandflies.csv sandfly_name as data.name
| top limit=10 sandfly_title</query>
<earliest>$myTime1.earliest$</earliest>
<latest>$myTime1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</form>

@ -0,0 +1,576 @@
<form version="1.1" theme="dark">
<label>Sandfly Security - Host Alerts</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_host_id" searchWhenChanged="true">
<label>Hostname (Target Address)</label>
<fieldForLabel>target_name</fieldForLabel>
<fieldForValue>target_id</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| dedup header.host_id
| eval target_id = 'header.host_id'
| eval target_addr = 'header.hostname'
| eval target_name = 'header.node_name' + " (" + 'header.hostname' + ")"
| table target_id target_name
| sort target_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>Status</title>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$"
| stats count by data.status</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<chart>
<title>Status Counts</title>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$"
| timechart count by data.status</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.axisTitleX.text">Time Range</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<single>
<title>Alerts</title>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.status="alert"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="unit">Alerts</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<single>
<title>Pass</title>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.status="pass"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x118832"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="unit">Pass</option>
<option name="useColors">0</option>
</single>
</panel>
<panel>
<single>
<title>Errors</title>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.status="error"
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="unit">Errors</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Alerts</title>
<input type="dropdown" token="tok_status" searchWhenChanged="true">
<label>Sandfly Status</label>
<choice value="*">All</choice>
<choice value="alert">Alert</choice>
<choice value="pass">Pass</choice>
<choice value="error">Error</choice>
<default>alert</default>
<initialValue>alert</initialValue>
</input>
<input type="dropdown" token="tok_alert_engine" searchWhenChanged="true">
<label>Sandfly Engine</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_sandfly_engine</fieldForLabel>
<fieldForValue>t_sandfly_engine</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.status="$tok_status$" data.name="$tok_alert_name$" data.severity=$tok_severity$
| dedup data.engine
| table data.engine
| sort data.engine
| rename data.engine as t_sandfly_engine</query>
</search>
</input>
<input type="dropdown" token="tok_alert_name" searchWhenChanged="true">
<label>Sandfly Name</label>
<fieldForLabel>t_sandfly_name</fieldForLabel>
<fieldForValue>t_sandfly_name</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.status="$tok_status$" data.engine="$tok_alert_engine$" data.severity=$tok_severity$
| dedup data.name
| table data.name
| sort data.name
| rename data.name as t_sandfly_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_severity" searchWhenChanged="true">
<label>Severity</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_severity</fieldForLabel>
<fieldForValue>t_severity</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.status="$tok_status$" data.name="$tok_alert_name$" data.engine="$tok_alert_engine$"
| dedup data.severity
| table data.severity
| sort - data.severity
| rename data.severity as t_severity</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.status="$tok_status$" data.name="$tok_alert_name$" data.engine="$tok_alert_engine$" data.severity=$tok_severity$
| table _time header.hostname header.ip_addr header.node_name data.name data.status data.severity data.key_data data.results.explanation
| rename header.hostname as "Target Address"
| rename header.ip_addr as "IP Address"
| rename header.node_name as "Hostname"
| rename data.name as "Sandfly Name"
| rename data.status as "Status"
| rename data.severity as "Severity"
| rename data.key_data as "Key Forensic"
| rename data.results.explanation as "Explanation"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Top 5 Sandflies</title>
<input type="dropdown" token="tok_sandfly_status" searchWhenChanged="true">
<label>Sandfly Status</label>
<choice value="*">All</choice>
<choice value="alert">Alert</choice>
<choice value="pass">Pass</choice>
<choice value="error">Error</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_sandfly_engine" searchWhenChanged="true">
<label>Sandfly Engine</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_data_engine</fieldForLabel>
<fieldForValue>t_data_engine</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.status="$tok_sandfly_status$" data.severity=$tok_sandfly_sev$
| dedup data.engine
| table data.engine
| sort data.engine
| rename data.engine as t_data_engine</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="tok_sandfly_sev" searchWhenChanged="true">
<label>Severity</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_data_severity</fieldForLabel>
<fieldForValue>t_data_severity</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.status="$tok_sandfly_status$" data.engine="$tok_sandfly_engine$"
| dedup data.severity
| table data.severity
| sort - data.severity
| rename data.severity as t_data_severity</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<chart>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.status="$tok_sandfly_status$" data.engine="$tok_sandfly_engine$" data.severity=$tok_sandfly_sev$
| stats count by data.name
| sort - count
| head 5
| rename data.name as "Sandfly Name"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">bar</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>User Process List</title>
<input type="dropdown" token="tok_proc_username" searchWhenChanged="true">
<label>Username</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_username</fieldForLabel>
<fieldForValue>t_username</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.name="recon_process_list_all"
| search data.results.process.command!="kworker/*"
| dedup data.results.process.cmdline
| dedup data.results.process.username
| table data.results.process.username
| sort data.results.process.username
| rename data.results.process.username as t_username</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.name="recon_process_list_all" data.results.process.username="$tok_proc_username$"
| search data.results.process.command!="kworker/*"
| dedup data.results.process.cmdline
| table data.results.process.command data.results.process.cmdline data.results.process.pid data.results.process.username data.results.process.uid data.results.process.true_path
| rename data.results.process.command as "Command"
| rename data.results.process.cmdline as "Command Line"
| rename data.results.process.pid as "PID"
| rename data.results.process.username as "Username"
| rename data.results.process.uid as "UID"
| rename data.results.process.true_path as "True Path"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>User List</title>
<input type="dropdown" token="tok_pw_present" searchWhenChanged="true">
<label>Password Present</label>
<choice value="*">All</choice>
<choice value="true">True</choice>
<choice value="false">False</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_pw_locked" searchWhenChanged="true">
<label>Password Locked</label>
<choice value="*">All</choice>
<choice value="true">True</choice>
<choice value="false">False</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_pw_type" searchWhenChanged="true">
<label>Password Type</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>pw_type</fieldForLabel>
<fieldForValue>pw_type</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.name="recon_user_list_all" data.results.user.password.locked="$tok_pw_locked$" data.results.user.password.present="$tok_pw_present$"
| dedup data.results.user.password.type
| table data.results.user.password.type
| sort data.results.user.password.type
| rename data.results.user.password.type as "pw_type"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.name="recon_user_list_all" data.results.user.password.locked="$tok_pw_locked$" data.results.user.password.present="$tok_pw_present$" data.results.user.password.type="$tok_pw_type$"
| table data.results.user.username data.results.user.uid data.results.user.groupname data.results.user.gid data.results.user.home_dir data.results.user.shell data.results.user.password.present data.results.user.password.locked data.results.user.password.type data.results.user.password.days_since_last_changed data.results.user.password.days_since_expired
| sort data.results.user.uid
| rename data.results.user.username as "Username"
| rename data.results.user.uid as "UID"
| rename data.results.user.groupname as "Group"
| rename data.results.user.gid as "GID"
| rename data.results.user.home_dir as "Home Dir"
| rename data.results.user.shell as "Shell"
| rename data.results.user.password.present as "PW Present"
| rename data.results.user.password.locked as "PW Locked"
| rename data.results.user.password.type as "PW Type"
| rename data.results.user.password.days_since_last_changed as "Last Changed Days"
| rename data.results.user.password.days_since_expired as "Expired Days"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Crontab Entries</title>
<input type="dropdown" token="tok_cron_username" searchWhenChanged="true">
<label>Username</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_cron_user</fieldForLabel>
<fieldForValue>t_cron_user</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.name="recon_process_persistence_cron_list_all" data.results.cron.path="$tok_cron_path$"
| eval is_null = if(isnull('data.results.cron.username') OR len('data.results.cron.username')==0, "true", "false")
| search is_null="false"
| dedup data.results.cron.username
| sort data.results.cron.username
| table data.results.cron.username
| rename data.results.cron.username as t_cron_user</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="tok_cron_path" searchWhenChanged="true">
<label>Crontab File</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_cron_path</fieldForLabel>
<fieldForValue>t_cron_path</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.name="recon_process_persistence_cron_list_all" data.results.cron.username="$tok_cron_username$"
| eval is_null = if(isnull('data.results.cron.path') OR len('data.results.cron.path')==0, "true", "false")
| search is_null="false"
| dedup data.results.cron.path
| sort data.results.cron.path
| table data.results.cron.path
| rename data.results.cron.path as t_cron_path</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.name="recon_process_persistence_cron_list_all" data.results.cron.username="$tok_cron_username$" data.results.cron.path="$tok_cron_path$"
| eval is_null = if(isnull('data.results.cron.command') OR len('data.results.cron.command')==0, "true", "false")
| search is_null="false"
| table data.results.cron.command data.results.cron.username data.results.cron.minute data.results.cron.hour data.results.cron.day data.results.cron.month data.results.cron.day_of_week data.results.cron.entry data.results.cron.time_macro data.results.cron.path
| rename data.results.cron.command as "Command"
| rename data.results.cron.username as "Username"
| rename data.results.cron.minute as "Minute"
| rename data.results.cron.hour as "Hour"
| rename data.results.cron.day as "Day"
| rename data.results.cron.month as "Month"
| rename data.results.cron.day_of_week as "Day of Week"
| rename data.results.cron.entry as "Entry"
| rename data.results.cron.time_macro as "Time Macro"
| rename data.results.cron.path as "Crontab File"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Crontab Errors</title>
<input type="dropdown" token="tok_cronerr_user" searchWhenChanged="true">
<label>Username</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_cronerr_user</fieldForLabel>
<fieldForValue>t_cronerr_user</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.name="recon_process_persistence_cron_list_all"
| eval is_null = if(isnull('data.results.cron.username') OR len('data.results.cron.username')==0, "true", "false")
| search is_null="true"
| dedup data.results.file.username
| sort data.results.file.username
| table data.results.file.username
| rename data.results.file.username as t_cronerr_user</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.name="recon_process_persistence_cron_list_all"
| eval is_null = if(isnull('data.results.cron.command') OR len('data.results.cron.command')==0, "true", "false")
| search is_null="true"
| table data.results.file.path data.results.file.username data.results.explanation
| rename data.results.file.path as "Path"
| rename data.results.file.username as "Username"
| rename data.results.explanation as "Explanation"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>At Jobs</title>
<input type="dropdown" token="tok_at_user" searchWhenChanged="true">
<label>Username</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_atjob_user</fieldForLabel>
<fieldForValue>t_atjob_user</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.name="recon_process_persistence_at_jobs_list_all"
| dedup data.results.atjob.username
| sort data.results.atjob.username
| table data.results.atjob.username
| rename data.results.atjob.username as t_atjob_user</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.name="recon_process_persistence_at_jobs_list_all" data.results.atjob.username="$tok_at_user$"
| table data.results.atjob.name data.results.atjob.number data.results.atjob.path data.results.atjob.username data.results.atjob.date.created data.results.atjob.date.execution data.results.atjob.command{}
| rename data.results.atjob.name as "Name"
| rename data.results.atjob.number as "Number"
| rename data.results.atjob.path as "Path"
| rename data.results.atjob.username as "Username"
| rename data.results.atjob.date.created as "Created Date"
| rename data.results.atjob.date.execution as "Execution Date"
| rename data.results.atjob.command{} as "Command"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Kernel Modules</title>
<input type="dropdown" token="tok_module_state" searchWhenChanged="true">
<label>Module State</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_module_state</fieldForLabel>
<fieldForValue>t_module_state</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.name="recon_kernel_modules" data.results.kernel_module.hidden="$tok_module_hidden$"
| dedup data.results.kernel_module.state
| sort data.results.kernel_module.state
| table data.results.kernel_module.state
| rename data.results.kernel_module.state as t_module_state</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="tok_module_hidden" searchWhenChanged="true">
<label>Module Hidden</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_module_hidden</fieldForLabel>
<fieldForValue>t_module_hidden</fieldForValue>
<search>
<query>`sandfly_search_alarms` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ header.host_id="$tok_host_id$" data.name="recon_kernel_modules" data.results.kernel_module.state="$tok_module_state$"
| dedup data.results.kernel_module.hidden
| sort data.results.kernel_module.hidden
| table data.results.kernel_module.hidden
| rename data.results.kernel_module.hidden as t_module_hidden</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<table>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$" data.name="recon_kernel_modules" data.results.kernel_module.state="$tok_module_state$" data.results.kernel_module.hidden="$tok_module_hidden$"
| dedup data.results.kernel_module.name
| table data.results.kernel_module.name data.results.kernel_module.module_file_path data.results.kernel_module.instance_count data.results.kernel_module.memory_size data.results.kernel_module.memory_offset data.results.kernel_module.state data.results.kernel_module.hidden data.results.kernel_module.dependencies{}
| rename data.results.kernel_module.name as "Module Name"
| rename data.results.kernel_module.module_file_path as "Module Path"
| rename data.results.kernel_module.instance_count as "Instance Count"
| rename data.results.kernel_module.memory_size as "Memory Size"
| rename data.results.kernel_module.memory_offset as "Memory Offset"
| rename data.results.kernel_module.state as "State"
| rename data.results.kernel_module.hidden as "Hidden"
| rename data.results.kernel_module.dependencies{} as "Dependencies"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<event>
<search>
<query>`sandfly_search_alarms` header.host_id="$tok_host_id$"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
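Review bot: The `tok_cronerr_user` dropdown in the "Crontab Errors" panel is never consumed: the panel's table search filters only on `header.host_id` and `data.name`, so choosing a username has no effect on what is shown. Adding `data.results.file.username="$tok_cronerr_user$"` to that base search, as every other panel in this dashboard does with its own token, makes the filter meaningful while the `*` default keeps the unfiltered view. Separately, `data.severity=$tok_severity$` (in the "Alerts" panel's three dropdown searches and its table search) and `data.severity=$tok_sandfly_sev$` (in "Top 5 Sandflies") splice a token into SPL unquoted; token values are settable through `form.<token>` URL parameters, so a value with spaces or SPL metacharacters breaks or reshapes the search rather than being matched as a literal. Simple XML's `|s` filter quotes and escapes the value (`data.severity=$tok_severity|s$`), and the same filter is the safer form for the `"$tok_...$"` substitutions elsewhere in the hunk. The `tok_alert_engine` input also lacks the `<earliest>`/`<latest>` elements every sibling input carries, which reads as an oversight rather than intent.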

@ -0,0 +1,80 @@
<form version="1.1">
<label>Sandfly Security Sandfly Investigation</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="t_time" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="t_sandfly" searchWhenChanged="true">
<label>Sandflies</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>sandfly_name</fieldForLabel>
<fieldForValue>sandfly_name</fieldForValue>
<search>
<query>`sandfly_search`
| lookup sandflies.csv sandfly_name as data.name OUTPUT sandfly_name
| dedup sandfly_name
| sort by sandfly_name
| table sandfly_name</query>
<earliest>$t_time.earliest$</earliest>
<latest>$t_time.latest$</latest>
</search>
</input>
<input type="multiselect" token="t_status" searchWhenChanged="true">
<label>Status</label>
<choice value="alert">Alerts</choice>
<choice value="pass">Passed</choice>
<choice value="error">Errors</choice>
<default>alert</default>
<initialValue>alert</initialValue>
<valuePrefix>data.status="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Total Sandfly Instances</title>
<search>
<query>`sandfly_search` data.name=$t_sandfly$ $t_status$
| rename data.name as Sandfly
| stats count</query>
<earliest>$t_time.earliest$</earliest>
<latest>$t_time.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<table>
<title>Sandfly Instances</title>
<search>
<query>`sandfly_search` data.name=$t_sandfly$ $t_status$
| rename data.name as Sandfly
| stats count by Sandfly
| sort - count</query>
<earliest>$t_time.earliest$</earliest>
<latest>$t_time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">search?q=%60sandfly_search%60%20data.name%3D%22$row.Sandfly$%22%20$t_status$&amp;earliest=$t_time.earliest$&amp;latest=$t_time.latest$</link>
</drilldown>
</table>
</panel>
</row>
</form>
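Review bot: `| sort by sandfly_name` in the `t_sandfly` dropdown search does not appear to be valid `sort` syntax; `sort` takes field names directly, so `by` is read as a (non-existent) field name and the intended ordering is likely not applied — `| sort sandfly_name` is the form used elsewhere in these dashboards. In both panel searches `data.name=$t_sandfly$` is spliced in unquoted, so a sandfly name containing spaces or SPL metacharacters breaks the search; `data.name=$t_sandfly|s$` quotes and escapes the value and the `*` default still wildcards. The drilldown link hand-encodes the static part of the `search?q=` URL but inserts `$row.Sandfly$` and `$t_status$` raw; `$row.Sandfly|u$` and `$t_status|u$` apply Simple XML's URL-encoding filter so the link stays well-formed for any value.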

@ -0,0 +1,171 @@
<form version="1.1" theme="dark">
<label>Sandfly Security SourceType Review</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>All Sandfly Indexes</title>
<chart>
<search>
<query>| tstats count WHERE index=* sourcetype="sandfly:*" by _time index
| timechart sum(count) by index</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>All Sandfly SourceTypes</title>
<chart>
<search>
<query>| tstats count WHERE index=* sourcetype="sandfly:*" by _time sourcetype
| timechart sum(count) by sourcetype</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>sandfly:alarms - alert or pass or error</title>
<chart>
<search>
<query>`sandfly_search_alarms`
| eval t_sourcetype = sourcetype + " (" + 'data.status' + ")"
| timechart count by t_sourcetype</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>sandfly:logs:audit - info or error</title>
<chart>
<search>
<query>`sandfly_search_audit`
| eval t_sourcetype = sourcetype + " (" + 'audit_log.level' + ")"
| timechart count by t_sourcetype</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>sandfly:logs:error - detailed or summary</title>
<chart>
<search>
<query>`sandfly_search_errors`
| eval t_sourcetype = sourcetype + " (" + log_mode + ")"
| timechart count by t_sourcetype</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>sandfly:hosts - host_details or host_summary</title>
<chart>
<search>
<query>`sandfly_search_hosts`
| eval t_sourcetype = sourcetype + " (" + event_type + ")"
| timechart count by t_sourcetype</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>sandfly:sandflies</title>
<chart>
<search>
<query>`sandfly_search_sandflies`
| timechart count by sourcetype</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>sandfly:ssh:keys - host_details or key_details or user_details or zone_details</title>
<chart>
<search>
<query>`sandfly_search_sshkeys`
| eval t_sourcetype = sourcetype + " (" + event_type + ")"
| timechart count by t_sourcetype</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>sandfly:whitelist</title>
<chart>
<search>
<query>`sandfly_search_whitelist`
| timechart count by sourcetype</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
</form>
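Review bot: The two `tstats` panels at the top of this form (`All Sandfly Indexes`, `All Sandfly SourceTypes`) search `index=*`, while every later panel in the same form scopes data through the `sandfly_search_*` macros, so these two count events from any index the viewing role can read, including sandfly data landed outside the app's configured index, and their totals will not agree with the macro-driven panels beneath them. A wildcard index also makes tstats walk every index's tsidx for the selected range. Unless the intent is to discover stray indexes, replace `index=*` in `| tstats count WHERE index=* sourcetype="sandfly:*" by _time index` with the same index clause the `sandfly_search_*` macros carry (presumably a configurable index macro; verify in macros.conf). If discovery is the intent, a comment in the query or the panel title should say so, since the mismatch with the other panels is otherwise read as a bug.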

@ -0,0 +1,334 @@
<form version="1.1" theme="dark">
<label>Sandfly Security - Whitelist Rule Details</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_id" searchWhenChanged="true">
<label>Whitelist Rule</label>
<fieldForLabel>whitelist_name</fieldForLabel>
<fieldForValue>whitelist_id</fieldForValue>
<search>
<query>`sandfly_search_whitelist`
| dedup whitelist_rule.id
| eval whitelist_name=tostring('whitelist_rule.id') + " " + 'whitelist_rule.sandfly'
| table whitelist_rule.id whitelist_name
| rename whitelist_rule.id as whitelist_id
| sort whitelist_id</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<title>Id</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| table whitelist_rule.id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<title>Sandfly</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| table whitelist_rule.sandfly</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<title>Active</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval is_active=if('whitelist_rule.active'=="true","Active","Inactive")
| table is_active</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Whitelist Type</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval whitelist_type=if('whitelist_rule.exclude_sandfly'=="true", "Disable Sandfly", "Match Rules")
| table whitelist_type</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<title>Scope</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval num_host_ids=mvcount('whitelist_rule.host_ids{}')
| fillnull value=0 num_host_ids
| eval num_host_tags=mvcount('whitelist_rule.host_tags{}')
| fillnull value=0 num_host_tags
| eval scope=if(num_host_ids==0 AND num_host_tags==0, "None", "match")
| eval scope=if(num_host_ids&gt;0 AND num_host_tags&gt;0, "Mixed", scope)
| eval scope=if(num_host_ids&gt;0 AND num_host_tags==0, "Match Host IDs", scope)
| eval scope=if(num_host_ids==0 AND num_host_tags&gt;0, "Match By Tags", scope)
| eval scope=if('whitelist_rule.all_hosts'=="true", "All Hosts", scope)
| table scope</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<title>Number of Hosts Covered</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| table whitelist_rule.hosts_covered</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| table whitelist_rule.comment
| rename whitelist_rule.comment as "Comment"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel depends="$tags_panel_show$">
<title>Number of Tags</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval num_host_tags=mvcount('whitelist_rule.host_tags{}')
| fillnull value=0 num_host_tags
| search num_host_tags&gt;0
| table num_host_tags</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
<progress>
<condition match="'job.resultCount' &gt; 0">
<set token="tags_panel_show">true</set>
</condition>
<condition>
<unset token="tags_panel_show"></unset>
</condition>
</progress>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel depends="$tags_panel_show$">
<table>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval num_host_tags=mvcount('whitelist_rule.host_tags{}')
| fillnull value=0 num_host_tags
| search num_host_tags&gt;0
| eval aaa_host_tag='whitelist_rule.host_tags{}'
| mvexpand aaa_host_tag
| map
[ search `sandfly_search_hosts_summary`
| dedup host_summary.host_id
| eval aaa_tag="$$aaa_host_tag$$"
| eval aaa_tag_found=if(isnull(mvfind('host_summary.tags{}', aaa_tag)), "false", "true")
| search aaa_tag_found="true"]
| table aaa_tag host_summary.hostname host_summary.last_seen_ip_addr host_summary.os_info_node host_summary.host_id
| rename aaa_tag as "Tag"
| rename host_summary.hostname as "Target Address"
| rename host_summary.last_seen_ip_addr as "IP Address"
| rename host_summary.os_info_node as "Hostname"
| rename host_summary.host_id as "HostID"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security__host_details?form.tok_host_id=$row.HostID$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel depends="$hosts_panel_show$">
<title>Number of Host IDs</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval num_host_ids=mvcount('whitelist_rule.host_ids{}')
| fillnull value=0 num_host_ids
| search num_host_ids&gt;0
| table num_host_ids</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
<progress>
<condition match="'job.resultCount' &gt; 0">
<set token="hosts_panel_show">true</set>
</condition>
<condition>
<unset token="hosts_panel_show"></unset>
</condition>
</progress>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel depends="$hosts_panel_show$">
<table>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval num_host_ids=mvcount('whitelist_rule.host_ids{}')
| fillnull value=0 num_host_ids
| search num_host_ids&gt;0
| eval aaa_host_id='whitelist_rule.host_ids{}'
| mvexpand aaa_host_id
| foreach whitelist_rule.host_info.*
[ eval t_match = if(like("&lt;&lt;FIELD&gt;&gt;", "%" + aaa_host_id + "%"), "true", "false")
| eval fieldnames=if(t_match == "true", mvappend(fieldnames,"&lt;&lt;FIELD&gt;&gt;"), fieldnames)
| eval t_value=if(isnull('&lt;&lt;FIELD&gt;&gt;') or len('&lt;&lt;FIELD&gt;&gt;')==0, "foobar", '&lt;&lt;FIELD&gt;&gt;')
| eval fieldvalues=if(t_match == "true", mvappend(fieldvalues,'&lt;&lt;FIELD&gt;&gt;'), fieldvalues)]
```| table aaa_host_id namematch fieldnames fielddata fieldvalues```
| eval t_hostname=mvindex(fieldvalues,mvfind(fieldnames,".*" + aaa_host_id + "\.hostname"))
| eval t_ip_addr=mvindex(fieldvalues,mvfind(fieldnames,".*" + aaa_host_id + "\.last_seen_ip_addr"))
| eval t_node_name=mvindex(fieldvalues,mvfind(fieldnames,".*" + aaa_host_id + "\.node_name"))
| table t_hostname t_ip_addr t_node_name aaa_host_id
| rename t_hostname as "Target Address"
| rename t_ip_addr as "IP Address"
| rename t_node_name as "Hostname"
| rename aaa_host_id as "HostID"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security__host_details?form.tok_host_id=$row.HostID$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel depends="$rules_panel_show$">
<title>Number of Rules</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval num_rules=mvcount('whitelist_rule.rules{}')
| fillnull value=0 num_rules
| search num_rules &gt; 0
| table num_rules</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
<progress>
<condition match="'job.resultCount'&gt; 0">
<set token="rules_panel_show">true</set>
</condition>
<condition>
<unset token="rules_panel_show"></unset>
</condition>
</progress>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel depends="$rules_panel_show$">
<title>Rules Operator</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval num_rules=mvcount('whitelist_rule.rules{}')
| fillnull value=0 num_rules
| search num_rules &gt; 0
| table whitelist_rule.rule_op
| rename whitelist_rule.rule_op as rule_op</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel depends="$rules_panel_show$">
<title>Rules</title>
<table>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id
| eval num_rules=mvcount('whitelist_rule.rules{}')
| fillnull value=0 num_rules
| search num_rules &gt; 0
| table whitelist_rule.rules{}
| rename whitelist_rule.rules{} as "Rules"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<event>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.id=$tok_id$
| dedup whitelist_rule.id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
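Review bot: The tag-to-host match inside the `map` subsearch uses `mvfind('host_summary.tags{}', aaa_tag)`, which treats the tag as an unanchored regex, so a rule scoped to tag `db` is displayed as also covering hosts tagged `db-backup` or `mydb`, and a tag containing `.` or `+` matches unrelated strings; for a whitelist that suppresses alerts this overstates the rule's real coverage. Because the tag is already spliced into the subsearch as a literal, an exact comparison can replace the regex: `| eval aaa_tag_found=if(mvcount(mvfilter('host_summary.tags{}'=="$$aaa_host_tag$$"))>0, "true", "false")`. Two further limits deserve a comment in the query: `map` defaults to `maxsearches=10`, so a rule with more than ten tags silently lists hosts for only the first ten (set `maxsearches=` to the expected tag count), and a tag value containing a double quote would break or alter the subsearch text rather than simply fail to match.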

@ -0,0 +1,147 @@
<form version="1.1" theme="dark">
<label>Sandfly Security - Whitelist Rules</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Total Whitelist Rules</title>
<single>
<search>
<query>`sandfly_search_whitelist`
| dedup whitelist_rule.id
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<title>Active Whitelist Rules</title>
<single>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.active=true
| dedup whitelist_rule.id
| stats count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Whitelist Rules</title>
<input type="dropdown" token="tok_sandfly" searchWhenChanged="true">
<label>Sandfly</label>
<choice value="*">Any</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>t_sandfly</fieldForLabel>
<fieldForValue>t_sandfly</fieldForValue>
<search>
<query>`sandfly_search_whitelist` earliest=$tok_time1.earliest$ latest=$tok_time1.latest$ whitelist_rule.active=$tok_active$ whitelist_rule.all_hosts=$tok_all_hosts$ whitelist_rule.exclude_sandfly=$tok_type$
| dedup whitelist_rule.id
| eval num_host_ids=mvcount('whitelist_rule.host_ids{}')
| fillnull value=0 num_host_ids
| eval num_host_tags=mvcount('whitelist_rule.host_tags{}')
| fillnull value=0 num_host_tags
| eval scope=if(num_host_ids==0 AND num_host_tags==0, "None", "match")
| eval scope=if(num_host_ids&gt;0 AND num_host_tags&gt;0, "Mixed", scope)
| eval scope=if(num_host_ids&gt;0 AND num_host_tags==0, "Match Host IDs", scope)
| eval scope=if(num_host_ids==0 AND num_host_tags&gt;0, "Match By Tags", scope)
| eval scope=if('whitelist_rule.all_hosts'=="true", "All Hosts", scope)
| search scope="$tok_scope$"
| rename whitelist_rule.sandfly as t_sandfly
| dedup t_sandfly
| sort t_sandfly
| table t_sandfly</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="tok_active" searchWhenChanged="true">
<label>Active</label>
<choice value="*">Any</choice>
<choice value="true">True</choice>
<choice value="false">False</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_all_hosts" searchWhenChanged="true">
<label>All Hosts</label>
<choice value="*">Any</choice>
<choice value="true">All Hosts</choice>
<choice value="false">Not All Hosts</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_type" searchWhenChanged="true">
<label>Whitelist Type</label>
<choice value="*">Any</choice>
<choice value="true">Disable Sandfly</choice>
<choice value="false">Match Rules</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="tok_scope" searchWhenChanged="true">
<label>Scope</label>
<choice value="*">Any</choice>
<choice value="All Hosts">All Hosts</choice>
<choice value="Match By Tags">Match By Tags</choice>
<choice value="Match Host IDs">Match Host IDs</choice>
<choice value="Mixed">Mixed</choice>
<choice value="None">None</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<table>
<search>
<query>`sandfly_search_whitelist` whitelist_rule.active=$tok_active$ whitelist_rule.all_hosts=$tok_all_hosts$ whitelist_rule.exclude_sandfly=$tok_type$ whitelist_rule.sandfly="$tok_sandfly$"
| dedup whitelist_rule.id
| eval num_host_ids=mvcount('whitelist_rule.host_ids{}')
| fillnull value=0 num_host_ids
| eval num_host_tags=mvcount('whitelist_rule.host_tags{}')
| fillnull value=0 num_host_tags
| eval scope=if(num_host_ids==0 AND num_host_tags==0, "None", "match")
| eval scope=if(num_host_ids&gt;0 AND num_host_tags&gt;0, "Mixed", scope)
| eval scope=if(num_host_ids&gt;0 AND num_host_tags==0, "Match Host IDs", scope)
| eval scope=if(num_host_ids==0 AND num_host_tags&gt;0, "Match By Tags", scope)
| eval scope=if('whitelist_rule.all_hosts'=="true", "All Hosts", scope)
| search scope="$tok_scope$"
| eval whitelist_type=if('whitelist_rule.exclude_sandfly'=="true", "Disable Sandfly", "Match Rules")
| eval is_active=if('whitelist_rule.active'=="true","True","False")
| table whitelist_rule.id whitelist_rule.sandfly is_active whitelist_type scope whitelist_rule.hosts_covered whitelist_rule.comment
| rename whitelist_rule.id as "ID"
| rename whitelist_rule.sandfly as "Sandfly"
| rename is_active as "Active"
| rename whitelist_type as "Whitelist Type"
| rename scope as "Scope"
| rename whitelist_rule.hosts_covered as "Num Of Hosts"
| rename whitelist_rule.comment as "Comment"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Active">
<colorPalette type="map">{"False":#DC4E41}</colorPalette>
</format>
<format type="color" field="Num Of Hosts">
<colorPalette type="map">{"0":#DC4E41}</colorPalette>
</format>
<drilldown>
<link target="_blank">/app/sandfly_security/sandfly_security_whitelist_rule_details?form.tok_id=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
</form>
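Review bot: The rules table colours inactive rules and zero-host rules red but gives no cue for the most consequential combination, `Whitelist Type` of `Disable Sandfly` with `Scope` of `All Hosts`, which switches a detection off fleet-wide and is what a reviewer of whitelist hygiene needs to see first. Two map palettes in the style of the existing `Active` and `Num Of Hosts` formats make it visible: `<format type="color" field="Whitelist Type"><colorPalette type="map">{"Disable Sandfly":#F8BE34}</colorPalette></format>` and `<format type="color" field="Scope"><colorPalette type="map">{"All Hosts":#F8BE34}</colorPalette></format>`. Separately, the `Sandfly` dropdown's populating search references `$tok_active$`, `$tok_all_hosts$`, `$tok_type$` and `$tok_scope$`, which are declared after it in the same panel; this only works because each of those inputs has a `<default>`, which is worth a one-line comment so a later edit does not remove a default and leave the dropdown empty.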

@ -0,0 +1,202 @@
<form version="1.1" theme="light">
<label>SSH Hunter - Security Zone Details</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_zone_id" searchWhenChanged="true">
<label>Security Zone</label>
<fieldForLabel>zone_name</fieldForLabel>
<fieldForValue>zone_id</fieldForValue>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details
| dedup ssh_zone_details.id
| table ssh_zone_details.id ssh_zone_details.name
| rename ssh_zone_details.id as zone_id
| rename ssh_zone_details.name as zone_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Zone ID</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details ssh_zone_details.id=$tok_zone_id$
| dedup ssh_zone_details.id
| table ssh_zone_details.id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<single>
<title>Zone Name</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details ssh_zone_details.id=$tok_zone_id$
| dedup ssh_zone_details.id
| table ssh_zone_details.name</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<single>
<title>Description</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details ssh_zone_details.id=$tok_zone_id$
| dedup ssh_zone_details.id
| eval description='ssh_zone_details.description'
| eval description=if(isnull(description) OR len(description)==0, "&lt;none&gt;", description)
| table description</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details ssh_zone_details.id=$tok_zone_id$
| dedup ssh_zone_details.id
| spath output=aaa_zone path=ssh_zone_details
| mvexpand aaa_zone
| spath input=aaa_zone
| fields - ssh_zone_details
| table create_date modification_date hosts_count permitted_keys_count violation_host_count
| rename hosts_count as "Zone Hosts"
| rename permitted_keys_count as "Permitted Keys"
| rename violation_host_count as "Violation Hosts"
| rename modification_date as "Last Modified"
| rename create_date as "Created Date"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Zone Host Policies</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details ssh_zone_details.id=$tok_zone_id$
| dedup ssh_zone_details.id
| spath output=aaa_host_policies path=ssh_zone_details.host_policies{}
| mvexpand aaa_host_policies
| fields - ssh_zone_details.*
| spath input=aaa_host_policies
| table mode tags{}
| rename mode as "Host Policy Mode"
| rename tags{} as "Tags"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<table>
<title>Zone Key Policies</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details ssh_zone_details.id=$tok_zone_id$
| dedup ssh_zone_details.id
| spath output=aaa_key_policies path=ssh_zone_details.key_policies{}
| mvexpand aaa_key_policies
| fields - ssh_zone_details.*
| spath input=aaa_key_policies
| table mode tags{}
| rename mode as "Host Policy Mode"
| rename tags{} as "Tags"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Hosts Included in Zone</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details ssh_zone_details.id=$tok_zone_id$
| dedup ssh_zone_details.id
| spath output=aaa_hosts path=ssh_zone_details.included_hosts{}
| mvexpand aaa_hosts
| fields - ssh_zone_details.*
| spath input=aaa_hosts
| table hostname last_seen_ip_addr os_info_node active date_last_seen host_id
| rename hostname as "Target Address"
| rename last_seen_ip_addr as "IP Address"
| rename os_info_node as "Hostname"
| rename active as "Active Host"
| rename date_last_seen as "Date Last Seen (UTC)"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">cell</option>
<fields>["Target Address","IP Address","Hostname","Active Host","Date Last Seen (UTC)"]</fields>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__host_summary?form.tok_host_id=$row.host_id$</link>
</drilldown>
</table>
</panel>
<panel>
<table>
<title>Keys Included in Zone</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details ssh_zone_details.id=$tok_zone_id$
| dedup ssh_zone_details.id
| spath output=aaa_keys path=ssh_zone_details.included_keys{}
| mvexpand aaa_keys
| fields - ssh_zone_details.*
| spath input=aaa_keys
| table key_friendly_name key_type bits num_hosts_current num_users_current last_seen
| rename key_friendly_name as "Friendly Name"
| rename key_type as "Key Type"
| rename bits as "Key Bits"
| rename num_hosts_current as "Hosts Count"
| rename num_users_current as "Users Count"
| rename last_seen as "Date Last Seen (UTC)"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">5</option>
<option name="drilldown">cell</option>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__key_summary?form.tok_sshkey=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<event>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details ssh_zone_details.id=$tok_zone_id$
| dedup ssh_zone_details.id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
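Review bot: The `Zone Key Policies` panel renames `mode` to `"Host Policy Mode"`, copied from the host-policies panel beside it, so both tables show the same header and the key-policy column is mislabelled; change it to `| rename mode as "Key Policy Mode"`. The `Keys Included in Zone` drilldown passes `$click.value$` to `form.tok_sshkey`; in a table drilldown that token carries the first column's value for the clicked row, here `Friendly Name`, so it resolves correctly only if the key-summary dashboard keys on friendly names rather than a key id or fingerprint — verify against that form, and if an identifier is expected, keep it in the `table` and hide it with `<fields>` as the hosts panel already does for `host_id`.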

@ -0,0 +1,57 @@
<form version="1.1" theme="light">
<label>SSH Hunter - Security Zones</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details
| dedup ssh_zone_details.id
| spath output=aaa_zone path=ssh_zone_details
| mvexpand aaa_zone
| spath input=aaa_zone
| fields - ssh_zone_details
| eval description=if(isnull(description) OR len(description)==0, "&lt;none&gt;", description)
| table id name description hosts_count permitted_keys_count violation_host_count modification_date create_date
| sort id
| rename id as "Zone ID"
| rename name as "Zone Name"
| rename description as "Description"
| rename hosts_count as "Zone Hosts"
| rename permitted_keys_count as "Permitted Keys"
| rename violation_host_count as "Violation Hosts"
| rename modification_date as "Last Modified"
| rename create_date as "Created Date"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter_-_security_zone_details?form.tok_zone_id=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<event>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_zone_details
| dedup ssh_zone_details.id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
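Review bot: `Violation Hosts` is the one column in the zone table that signals a policy breach, yet it renders like any other count, so a non-zero value is easy to miss when scanning several zones. A value-driven cell colour keeps it consistent with the red used elsewhere in the app: `<format type="color" field="Violation Hosts"><colorPalette type="expression">if(value > 0, "#DC4E41", "#53A051")</colorPalette></format>`. The raw-events panel below dedups on `ssh_zone_details.id` without an explicit `sort`, so it keeps whichever event per zone comes first in search order (most recent by default); a short comment stating that the latest snapshot is intended would stop a later `sort` from silently changing which event is shown.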

@ -0,0 +1,68 @@
<form version="1.1">
<label>SSH Hunter - Host Investigation</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Host Investigation</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details
| dedup ssh_host_details.host_id
| spath output=aaa_zones path=ssh_host_details.zones{}
| eval aaa_zones_count = if(isnull(aaa_zones), 0, mvcount(aaa_zones))
| table ssh_host_details.node_name ssh_host_details.target_address ssh_host_details.users_current ssh_host_details.users_total ssh_host_details.keys_current ssh_host_details.keys_total aaa_zones_count ssh_host_details.os_info_os_release_pretty_name ssh_host_details.tags{} ssh_host_details.key_first_seen ssh_host_details.key_last_seen ssh_host_details.results_alert ssh_host_details.results_error ssh_host_details.last_seen_ip_addr ssh_host_details.has_duplicate_keys ssh_host_details.host_id
| rename ssh_host_details.node_name as "Hostname"
| rename ssh_host_details.target_address as "Target Address"
| rename ssh_host_details.users_current as "Active Users"
| rename ssh_host_details.users_total as "Total Users"
| rename ssh_host_details.keys_current as "Active Keys"
| rename ssh_host_details.keys_total as "Total Keys"
| rename aaa_zones_count as "Security Zones"
| rename ssh_host_details.os_info_os_release_pretty_name as "OS"
| rename ssh_host_details.tags{} as "Tags"
| rename ssh_host_details.key_first_seen as "Keys First Seen"
| rename ssh_host_details.key_last_seen as "Keys Last Seen"
| rename ssh_host_details.results_alert as "Alerts"
| rename ssh_host_details.results_error as "Errors"
| rename ssh_host_details.last_seen_ip_addr as "Last Seen IP Address"
| rename ssh_host_details.has_duplicate_keys as "Duplicate Keys"
| rename ssh_host_details.host_id as host_id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Duplicate Keys">
<colorPalette type="map">{"true":#DC4E41}</colorPalette>
</format>
<fields>["Hostname","Target Address","Active Users","Total Users","Active Keys","Total Keys","Security Zones","OS","Tags","Keys First Seen","Keys Last Seen","Alerts","Errors","Last Seen IP Address","Duplicate Keys"]</fields>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__host_summary?form.tok_host_id=$row.host_id$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<event>
<title>Raw Event Details</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details
| dedup ssh_host_details.host_id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
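Review bot: The host table lists `Alerts`, `Errors` and `Duplicate Keys` with no ordering, and only `Duplicate Keys` is coloured, so hosts with outstanding SSH alerts sit wherever `dedup` left them instead of at the top of an investigation view. Sorting before the renames and colouring the alert count makes the triage order explicit: add `| sort - ssh_host_details.results_alert` directly after the `dedup`, and `<format type="color" field="Alerts"><colorPalette type="expression">if(value > 0, "#DC4E41", "#53A051")</colorPalette></format>` beside the existing `Duplicate Keys` format. Whether `results_alert` is a numeric count or a boolean string is not visible here; if it is a string such as `true`, use a map palette like the one already used for `Duplicate Keys` instead.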

@ -0,0 +1,278 @@
<form version="1.1">
<label>SSH Hunter - Host Summary</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_host_id" searchWhenChanged="true">
<label>Hostname (Target Address)</label>
<fieldForLabel>target_name</fieldForLabel>
<fieldForValue>target_id</fieldForValue>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details earliest=$tok_time1.earliest$ latest=$tok_time1.latest$
| dedup ssh_host_details.host_id
| eval target_id = 'ssh_host_details.host_id'
| eval target_name = 'ssh_host_details.node_name' + " (" + 'ssh_host_details.target_address' + ")"
| table target_id target_name
| sort target_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Active Keys</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| table ssh_host_details.keys_current</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">How many keys can access this host.</option>
<option name="unit">Key(s)</option>
</single>
</panel>
<panel>
<single>
<title>All-Time Keys</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| table ssh_host_details.keys_total</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">How many keys have ever had access to this host.</option>
<option name="unit">Key(s)</option>
</single>
</panel>
<panel>
<single>
<title>Active Users</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| table ssh_host_details.users_current</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">How many users have keys on this host.</option>
<option name="unit">User(s)</option>
</single>
</panel>
<panel>
<single>
<title>All-Time Users</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| table ssh_host_details.users_total</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">How many users have ever had keys on this host.</option>
<option name="unit">User(s)</option>
</single>
</panel>
<panel>
<single>
<title>Security Zones</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| spath output=aaa_zones path=ssh_host_details.zones{}
| eval aaa_zones_count = if(isnull(aaa_zones), 0, mvcount(aaa_zones))
| table aaa_zones_count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Number of Security Zones for this host.</option>
<option name="unit">Zone(s)</option>
</single>
</panel>
<panel>
<single>
<title>Duplicates</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| eval has_duplicates = if(match('ssh_host_details.has_duplicate_keys',"true"), "Yes", "No")
| table has_duplicates</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Duplicate key entries found.</option>
<option name="useColors">0</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<title>Key Last Seen</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| rename ssh_host_details.key_last_seen as date_last_seen
| eval last_seen_epoch = strptime(date_last_seen, "%Y-%m-%dT%H:%M:%S%Z")
| eval local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S %Z")
| eval time_diff = ceiling(now() - last_seen_epoch)
| eval temp_duration = tostring(time_diff, "duration")
| eval key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes")
| table date_last_seen local_last_seen key_last_seen
| rename date_last_seen as "Date Last Seen (UTC)"
| rename local_last_seen as "Date Last Seen (Local Time)"
| rename key_last_seen as "Key Last Seen"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<table>
<title>Security Zones</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| spath output=aaa_zones path=ssh_host_details.zones{}
| eval aaa_zones_count = if(isnull(aaa_zones), 0, mvcount(aaa_zones))
| search aaa_zones_count &gt; 0
| fields ssh_key_details.friendly_name aaa_zones
| mvexpand aaa_zones
| spath input=aaa_zones
| eval description=if(isnull(description) OR len(description)==0, "&lt;none&gt;", description)
| table name description hosts_count permitted_keys_count violation_host_count
| rename name as "Zone"
| rename description as "Description"
| rename hosts_count as "Zone Hosts"
| rename permitted_keys_count as "Permitted Keys"
| rename violation_host_count as "Violation Hosts"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Users With Keys</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| spath output=aaa_users path=ssh_host_details.users{}
| fields ssh_host_details.node_name aaa_users
| mvexpand aaa_users
| eval _raw = aaa_users
| spath
| spath output=aaa_keys path=key_entries{}
| eval aaa_count = mvcount(aaa_keys)
| table username aaa_count first_seen last_seen has_duplicate_keys
| rename username as "Username"
| rename aaa_count as "Key Entries"
| rename first_seen as "First Seen"
| rename last_seen as "Last Seen"
| rename has_duplicate_keys as "Duplicate Keys"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Duplicate Keys">
<colorPalette type="map">{"true":#DC4E41}</colorPalette>
</format>
<drilldown>
<set token="tok_user">$click.value$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Key Entries ($tok_user$)</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id
| spath output=aaa_users path=ssh_host_details.users{}
| fields ssh_host_details.node_name aaa_users
| mvexpand aaa_users
| eval _raw = aaa_users
| spath
| search username="$tok_user$"
| spath output=aaa_keys path=key_entries{}
| fields aaa_keys
| mvexpand aaa_keys
| eval _raw = aaa_keys
| spath
| table friendly_name active is_duplicate key_file comment key_type entry_num first_seen last_seen key_file_created key_file_modified hash.sha512
| rename friendly_name as "Friendly Name"
| rename active as "Active"
| rename is_duplicate as "Duplicate Key"
| rename key_file as "File Name"
| rename comment as "Comment"
| rename key_type as "Key Type"
| rename entry_num as "Entry"
| rename first_seen as "First Seen"
| rename last_seen as "Last Seen"
| rename key_file_created as "File Created"
| rename key_file_modified as "File Modified"
| rename hash.sha512 as "sha512 Hash"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Duplicate Key">
<colorPalette type="map">{"true":#DC4E41}</colorPalette>
</format>
</table>
</panel>
</row>
<row>
<panel>
<event>
<title>Raw Event Details</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_host_details ssh_host_details.host_id="$tok_host_id$"
| dedup ssh_host_details.host_id</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
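Review bot: The `tok_user` value set by the Users With Keys drilldown is substituted straight into a quoted search string, `| search username="$tok_user$"`, so a username containing a double quote or backslash alters the SPL instead of being matched as data; Splunk's quoting filter covers this, `| search username=$tok_user|s$`, and the same applies to `ssh_host_details.host_id="$tok_host_id$"` in every panel here and to `$tok_sshkey$` in the Key Details, Key Investigation and Key Summary dashboards, all of which are also settable from the URL through `form.tok_*`. The Key Last Seen regex `(\d*)\+*(\d+):(\d+):(\d+)` mis-parses durations that carry no day prefix: if `tostring(..., "duration")` yields `15:03:02` for anything under a day, greedy backtracking makes `\1` = `1` and `\2` = `5`, so 15 hours reads as "1 days 5 hours"; anchoring the day form, `"^(\d+)\+(\d+):(\d+):(\d+)$"`, and adding a second replace with `"^(\d+):(\d+):(\d+)$"` → `"0 days \1 hours \2 minutes"` for the no-day case fixes it, and the same expression is repeated in the Key Details and Key Summary dashboards. `fields ssh_key_details.friendly_name aaa_zones` in the Security Zones table names a key-event field inside an `ssh_host_details` search and looks copied from the key summary; `fields ssh_host_details.node_name aaa_zones` matches the other panels of this dashboard.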

@ -0,0 +1,190 @@
<form version="1.1">
<label>SSH Hunter - Key Details</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_sshkey" searchWhenChanged="true">
<label>SSH Key</label>
<fieldForLabel>ssh_key_details.friendly_name</fieldForLabel>
<fieldForValue>ssh_key_details.friendly_name</fieldForValue>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details
| dedup ssh_key_details.friendly_name
| sort ssh_key_details.friendly_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Friendly Name</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| table ssh_key_details.friendly_name</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<single>
<title>Banned Key</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| spath output=aaa_key_tags path=ssh_key_details.key_tags{}
| eval aaa_is_banned_key = if(isnull(mvfind(aaa_key_tags, "^Banned$")), "false", "true")
| table aaa_is_banned_key
| eval range=if(aaa_is_banned_key=="true", "severe", "low")</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">0</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<title>Key Value ($tok_sshkey$)</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| table ssh_key_details.friendly_name ssh_key_details.key_type ssh_key_details.key_value
| rename ssh_key_details.friendly_name as "Friendly Name"
| rename ssh_key_details.key_type as "Key Type"
| rename ssh_key_details.key_value as "Pubkey"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__key_summary?form.tok_sshkey=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Key Hashes</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| table ssh_key_details.hash.md5 ssh_key_details.hash.sha1 ssh_key_details.hash.sha256 ssh_key_details.hash.sha512
| rename ssh_key_details.hash.md5 as "md5 Hash"
| rename ssh_key_details.hash.sha1 as "sha1 Hash"
| rename ssh_key_details.hash.sha256 as "sha256 Hash"
| rename ssh_key_details.hash.sha512 as "sha512 Hash"
| transpose column_name="Hash Type"
| rename "row 1" as "Hash Value"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Key Meta</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| spath output=aaa_key_tags path=ssh_key_details.key_tags{}
| eval is_banned_key = if(isnull(mvfind(aaa_key_tags, "^Banned$")), "false", "true")
| eval aaa_key_tags_list=if(isnull(aaa_key_tags),"&lt;none&gt;",mvjoin(aaa_key_tags,", "))
| eval first_seen_epoch = strptime('ssh_key_details.first_seen', "%Y-%m-%dT%H:%M:%S%Z")
| eval local_first_seen = strftime(first_seen_epoch, "%Y-%m-%dT%H:%M:%S %Z")
| eval first_seen_time_diff = ceiling(now() - first_seen_epoch)
| eval first_seen_duration = tostring(first_seen_time_diff, "duration")
| eval key_first_seen=replace(first_seen_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes")
| eval last_seen_epoch = strptime('ssh_key_details.last_seen', "%Y-%m-%dT%H:%M:%S%Z")
| eval local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S %Z")
| eval last_seen_time_diff = ceiling(now() - last_seen_epoch)
| eval last_seen_duration = tostring(last_seen_time_diff, "duration")
| eval key_last_seen=replace(last_seen_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes")
| table ssh_key_details.first_seen local_first_seen key_first_seen ssh_key_details.last_seen local_last_seen key_last_seen ssh_key_details.num_hosts_current ssh_key_details.num_hosts_total ssh_key_details.num_users_current ssh_key_details.num_users_total is_banned_key aaa_key_tags_list
| rename ssh_key_details.first_seen as "First Seen (UTC)"
| rename local_first_seen as "First Seen (Local Time)"
| rename key_first_seen as "Key First Seen"
| rename ssh_key_details.last_seen as "Last Seen (UTC)"
| rename local_last_seen as "Last Seen (Local Time)"
| rename key_last_seen as "Key Last Seen"
| rename ssh_key_details.num_hosts_current as "Current Hosts"
| rename ssh_key_details.num_hosts_total as "Total Hosts"
| rename ssh_key_details.num_users_current as "Current Users"
| rename ssh_key_details.num_users_total as "Total Users"
| rename is_banned_key as "Banned Key"
| rename aaa_key_tags_list as "Key Tags"
| transpose column_name="Meta Data"
| rename "row 1" as "Meta Value"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="count">12</option>
<option name="drilldown">none</option>
<format type="color" field="Meta Value">
<colorPalette type="map">{"true":#DC4E41}</colorPalette>
</format>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<table>
<title>Key Zones</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| spath output=aaa_key_zones path=ssh_key_details.key_zones{}
| mvexpand aaa_key_zones
| eval aaa_key_zones_len = len(aaa_key_zones)
| where aaa_key_zones_len&gt;0
| fields - ssh_key_details.*
| spath input=aaa_key_zones
| eval description=if(isnull(description) OR len(description)==0, "&lt;none&gt;", description)
| table name description hosts_count key_permitted permitted_keys_count violation_host_count
| rename name as "Zone"
| rename description as "Description"
| rename hosts_count as "Zone Hosts"
| rename key_permitted as "Key Permitted"
| rename permitted_keys_count as "Permitted Keys"
| rename violation_host_count as "Violation Hosts"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<event>
<title>Raw Event Details</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
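Review bot: The Banned Key panel computes `range=if(aaa_is_banned_key=="true", "severe", "low")` but sets `useColors` to 0 and configures colour through `rangeColors`, so the eval presumably has no visible effect; either drop it, or, if a red/green cue is intended, confirm whether this single-value viz honours a `range` result field at all — otherwise the value would need to be numeric for `rangeValues`/`rangeColors` to apply with `useColors` set to 1. The Key Value table's drilldown forwards `$click.value$` as `form.tok_sshkey` from any cell, so a click on the Key Type or Pubkey column navigates with "ssh-rsa" or the whole public key as the key name; wrapping the link in `<condition field="Friendly Name">` limits it to the column that holds the identifier. The same unconditional `$click.value$` drilldown appears in the Key Investigation tables, the Key Summary Key Value table and the User Investigation table.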

@ -0,0 +1,127 @@
<form version="1.1">
<label>SSH Hunter - Key Investigation</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>SSH Keys in Security Zones</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details
| dedup ssh_key_details.friendly_name
| spath output=aaa_zones path=ssh_key_details.key_zones{}
| eval aaa_zones_count = if(isnull(aaa_zones), 0, mvcount(aaa_zones))
| search aaa_zones_count &gt; 0
| table ssh_key_details.friendly_name ssh_key_details.key_type aaa_zones_count ssh_key_details.num_users_current ssh_key_details.num_hosts_current ssh_key_details.num_hosts_with_alerts ssh_key_details.first_seen ssh_key_details.last_seen ssh_key_details.has_duplicate_keys
| sort - ssh_key_details.last_seen
| rename ssh_key_details.has_duplicate_keys as "Duplicate Keys"
| rename ssh_key_details.friendly_name as "Friendly Name"
| rename ssh_key_details.key_type as "Key Type"
| rename ssh_key_details.num_users_current as "Active Users"
| rename ssh_key_details.num_hosts_current as "Active Hosts"
| rename ssh_key_details.num_hosts_with_alerts as "Hosts with Alerts"
| rename aaa_zones_count as "Security Zones"
| rename ssh_key_details.first_seen as "First Seen"
| rename ssh_key_details.last_seen as "Last Seen"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__key_summary?form.tok_sshkey=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>SSH Keys with Active Users and Hosts</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details "ssh_key_details.hosts_deleted"=false
| dedup ssh_key_details.friendly_name
| spath output=aaa_zones path=ssh_key_details.key_zones{}
| eval aaa_zones_count = if(isnull(aaa_zones), 0, mvcount(aaa_zones))
| table ssh_key_details.friendly_name ssh_key_details.key_type aaa_zones_count ssh_key_details.num_users_current ssh_key_details.num_hosts_current ssh_key_details.num_hosts_with_alerts ssh_key_details.first_seen ssh_key_details.last_seen ssh_key_details.has_duplicate_keys
| sort - ssh_key_details.hosts_with_alerts
| rename ssh_key_details.has_duplicate_keys as "Duplicate Keys"
| rename ssh_key_details.friendly_name as "Friendly_Name"
| rename ssh_key_details.key_type as "Key Type"
| rename ssh_key_details.num_users_current as "Active Users"
| rename ssh_key_details.num_hosts_current as "Active Hosts"
| rename ssh_key_details.num_hosts_with_alerts as "Hosts with Alerts"
| rename aaa_zones_count as "Security Zones"
| rename ssh_key_details.first_seen as "First Seen"
| rename ssh_key_details.last_seen as "Last Seen"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Duplicate Keys">
<colorPalette type="map">{"true":#DC4E41}</colorPalette>
</format>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__key_summary?form.tok_sshkey=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>SSH Keys with No Active Users or Hosts</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details "ssh_key_details.hosts_deleted"=true
| dedup ssh_key_details.friendly_name
| spath output=aaa_zones path=ssh_key_details.key_zones{}
| eval aaa_zones_count = if(isnull(aaa_zones), 0, mvcount(aaa_zones))
| table ssh_key_details.friendly_name ssh_key_details.key_type aaa_zones_count ssh_key_details.num_users_current ssh_key_details.num_hosts_current ssh_key_details.num_hosts_with_alerts ssh_key_details.first_seen ssh_key_details.last_seen ssh_key_details.has_duplicate_keys
| sort - ssh_key_details.last_seen
| rename ssh_key_details.has_duplicate_keys as "Duplicate Keys"
| rename ssh_key_details.friendly_name as "Friendly Name"
| rename ssh_key_details.key_type as "Key Type"
| rename ssh_key_details.num_users_current as "Active Users"
| rename ssh_key_details.num_hosts_current as "Active Hosts"
| rename ssh_key_details.num_hosts_with_alerts as "Hosts with Alerts"
| rename aaa_zones_count as "Security Zones"
| rename ssh_key_details.first_seen as "First Seen"
| rename ssh_key_details.last_seen as "Last Seen"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Duplicate Keys">
<colorPalette type="map">{"true":#DC4E41}</colorPalette>
</format>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__key_summary?form.tok_sshkey=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<event>
<title>Raw Event Details</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details
| dedup ssh_key_details.friendly_name</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
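Review bot: `| sort - ssh_key_details.hosts_with_alerts` in the SSH Keys with Active Users and Hosts panel names a field the search never produces — the table and rename lines use `ssh_key_details.num_hosts_with_alerts` — so the sort is a no-op and rows come out in dedup order; `| sort - ssh_key_details.num_hosts_with_alerts` matches the intent. The same panel renames to `"Friendly_Name"` while the two sibling panels use `"Friendly Name"`, which changes the column heading and any `$row.…$` token name between panels that are otherwise identical. The first panel (SSH Keys in Security Zones) also lacks the `<format type="color" field="Duplicate Keys">` block the other two carry.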

@ -0,0 +1,275 @@
<form version="1.1">
<label>SSH Hunter - Key Summary</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_sshkey" searchWhenChanged="true">
<label>SSH Key</label>
<fieldForLabel>ssh_key_details.friendly_name</fieldForLabel>
<fieldForValue>ssh_key_details.friendly_name</fieldForValue>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details
| dedup ssh_key_details.friendly_name
| sort ssh_key_details.friendly_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Key Value ($tok_sshkey$)</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| table ssh_key_details.friendly_name ssh_key_details.key_type ssh_key_details.key_value
| rename ssh_key_details.friendly_name as "Friendly Name"
| rename ssh_key_details.key_type as "Key Type"
| rename ssh_key_details.key_value as "Pubkey"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__key_details?form.tok_sshkey=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<single>
<title>Hosts with Alerts</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| table ssh_key_details.num_hosts_with_alerts</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="underLabel">Hosts with this key that have alerts.</option>
<option name="unit">Host(s)</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<single>
<title>Security Zones</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| spath output=aaa_zones path=ssh_key_details.key_zones{}
| eval aaa_zones_count = if(isnull(aaa_zones), 0, mvcount(aaa_zones))
| table aaa_zones_count</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Security Zones with this key.</option>
<option name="unit">Zone(s)</option>
</single>
</panel>
<panel>
<single>
<title>Active Users</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| table ssh_key_details.num_users_current</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Users who have entries with this key.</option>
<option name="unit">User(s)</option>
</single>
</panel>
<panel>
<single>
<title>All-Time Users</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| table ssh_key_details.num_users_total</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Total users who have ever had this key.</option>
<option name="unit">User(s)</option>
</single>
</panel>
<panel>
<single>
<title>Active Hosts</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| table ssh_key_details.num_hosts_current</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Hosts that have this key.</option>
<option name="unit">Host(s)</option>
</single>
</panel>
<panel>
<single>
<title>All-Time Hosts</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| table ssh_key_details.num_hosts_total</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Total hosts that have ever had this key.</option>
<option name="unit">Host(s)</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<title>Key Last Seen</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| rename ssh_key_details.last_seen as date_last_seen
| eval last_seen_epoch = strptime(date_last_seen, "%Y-%m-%dT%H:%M:%S%Z")
| eval local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S %Z")
| eval time_diff = ceiling(now() - last_seen_epoch)
| eval temp_duration = tostring(time_diff, "duration")
| eval key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes")
| table date_last_seen local_last_seen key_last_seen
| rename date_last_seen as "Date Last Seen (UTC)"
| rename local_last_seen as "Date Last Seen (Local Time)"
| rename key_last_seen as "Key Last Seen"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Hosts</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| spath output=aaa_hosts path=ssh_key_details.key_hosts{}
| fields ssh_key_details.friendly_name aaa_hosts
| mvexpand aaa_hosts
| spath input=aaa_hosts
| table has_duplicate_keys target_address node_name os_info_os_release_pretty_name tags{} users_with_key results_alert results_error os_info_arch host_id
| rename has_duplicate_keys as "Has Duplicates"
| rename target_address as "Target Address"
| rename node_name as "Hostname"
| rename os_info_os_release_pretty_name as "OS"
| rename tags{} as "Tags"
| rename users_with_key as "Key Users"
| rename results_alert as "Alerts"
| rename results_error as "Errors"
| rename os_info_arch as "Arch"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<fields>["Has Duplicates","Target Address","Hostname","OS","Tags","Key Users","Alerts","Errors","Arch"]</fields>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__host_summary?form.tok_host_id=$row.host_id$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Users</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| spath output=aaa_users path=ssh_key_details.key_users{}
| fields ssh_key_details.friendly_name aaa_users
| mvexpand aaa_users
| spath input=aaa_users
| table has_duplicate_keys username hosts_with_key
| rename has_duplicate_keys as "Has Duplicates"
| rename username as "Username"
| rename hosts_with_key as "Hosts"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<table>
<title>Zones</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name
| spath output=aaa_zones path=ssh_key_details.key_zones{}
| eval aaa_zones_count = if(isnull(aaa_zones), 0, mvcount(aaa_zones))
| search aaa_zones_count &gt; 0
| fields ssh_key_details.friendly_name aaa_zones
| mvexpand aaa_zones
| spath input=aaa_zones
| eval description=if(isnull(description) OR len(description)==0, "&lt;none&gt;", description)
| table name description hosts_count key_permitted permitted_keys_count violation_host_count
| rename name as "Zone"
| rename description as "Description"
| rename hosts_count as "Zone Hosts"
| rename key_permitted as "Key Permitted"
| rename permitted_keys_count as "Permitted Keys"
| rename violation_host_count as "Violation Hosts"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<event>
<title>Raw Event Details</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_key_details ssh_key_details.friendly_name="$tok_sshkey$"
| dedup ssh_key_details.friendly_name</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
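Review bot: The Users table is `drilldown none`, while the User Investigation dashboard already links usernames to `/app/sandfly_security/ssh_hunter__user_summary?form.tok_user=…`, so from a key's page an analyst cannot pivot to the user the way the Hosts table pivots to the host summary; a `cell` drilldown with `<condition field="Username">` around `<link target="_blank">/app/sandfly_security/ssh_hunter__user_summary?form.tok_user=$click.value$</link>` would match that. The Hosts table's pattern — keeping `host_id` in the search, hiding it via `<fields>`, and linking with `$row.host_id$` — is the one to prefer over `$click.value$`, since it is independent of which cell was clicked. The Hosts and Users tables also omit the `refresh.display` option the other panels set.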

@ -0,0 +1,57 @@
<form version="1.1">
<label>SSH Hunter - User Investigation</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>User Investigation</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details
| dedup ssh_user_details.username
| table ssh_user_details.username ssh_user_details.keys_current ssh_user_details.keys_total ssh_user_details.hosts_current ssh_user_details.hosts_total ssh_user_details.first_seen ssh_user_details.last_seen ssh_user_details.has_duplicate_keys
| sort ssh_user_details.username
| rename ssh_user_details.has_duplicate_keys as "Duplicate Keys"
| rename ssh_user_details.username as "Username"
| rename ssh_user_details.keys_current as "Active Keys"
| rename ssh_user_details.keys_total as "All-Time Keys"
| rename ssh_user_details.hosts_current as "Active Hosts"
| rename ssh_user_details.hosts_total as "All-Time Hosts"
| rename ssh_user_details.first_seen as "First Seen"
| rename ssh_user_details.last_seen as "Last Seen"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<format type="color" field="Duplicate Keys">
<colorPalette type="map">{"true":#DC4E41}</colorPalette>
</format>
<drilldown>
<link target="_blank">/app/sandfly_security/ssh_hunter__user_summary?form.tok_user=$click.value$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<event>
<title>Raw Event Details</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details
| dedup ssh_user_details.username</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
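Review bot: The drilldown target `/app/sandfly_security/ssh_hunter__user_summary?form.tok_user=$click.value$` splices the clicked username into a URL query string unencoded, so a username containing `&`, `#`, `%` or whitespace yields a broken or truncated link. Simple XML has a filter for exactly this: `form.tok_user=$click.value|u$`. The usernames come from the account databases of the monitored hosts, so the dashboard should treat them as data rather than as well-formed identifiers. The `<drilldown>` relies on Username being the leftmost column of the `table` command, since `$click.value$` is the first column's value for the clicked row; a one-line XML comment above the drilldown stating that dependency would keep a later column reorder from silently passing the wrong value.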

@ -0,0 +1,230 @@
<form version="1.1">
<label>SSH Hunter - User Summary</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="tok_time1" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok_user" searchWhenChanged="true">
<label>Username</label>
<fieldForLabel>ssh_user_details.username</fieldForLabel>
<fieldForValue>ssh_user_details.username</fieldForValue>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details
| dedup ssh_user_details.username
| sort ssh_user_details.username</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Active Keys</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details ssh_user_details.username="$tok_user$"
| dedup ssh_user_details.username
| table ssh_user_details.keys_current</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Unique keys used by this user.</option>
<option name="unit">Key(s)</option>
</single>
</panel>
<panel>
<single>
<title>All-Time Keys</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details ssh_user_details.username="$tok_user$"
| dedup ssh_user_details.username
| table ssh_user_details.keys_total</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">All keys ever used by this user.</option>
<option name="unit">Key(s)</option>
</single>
</panel>
<panel>
<single>
<title>Active Hosts</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details ssh_user_details.username="$tok_user$"
| dedup ssh_user_details.username
| table ssh_user_details.hosts_current</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Hosts that have this key.</option>
<option name="unit">Host(s)</option>
</single>
</panel>
<panel>
<single>
<title>All-Time Hosts</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details ssh_user_details.username="$tok_user$"
| dedup ssh_user_details.username
| table ssh_user_details.hosts_total</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Total hosts that have ever had this key.</option>
<option name="unit">Host(s)</option>
</single>
</panel>
<panel>
<single>
<title>Duplicates</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details ssh_user_details.username="$tok_user$"
| dedup ssh_user_details.username
| eval has_duplicates = if(match('ssh_user_details.has_duplicate_keys',"true"), "Yes", "No")
| table has_duplicates</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="underLabel">Duplicate key entries found.</option>
<option name="useColors">0</option>
</single>
</panel>
</row>
<row>
<panel>
<table>
<title>Key Last Seen</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details ssh_user_details.username="$tok_user$"
| dedup ssh_user_details.username
| rename ssh_user_details.last_seen as date_last_seen
| eval last_seen_epoch = strptime(date_last_seen, "%Y-%m-%dT%H:%M:%S%Z")
| eval local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S %Z")
| eval time_diff = ceiling(now() - last_seen_epoch)
| eval temp_duration = tostring(time_diff, "duration")
| eval key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes")
| table date_last_seen local_last_seen key_last_seen
| rename date_last_seen as "Date Last Seen (UTC)"
| rename local_last_seen as "Date Last Seen (Local Time)"
| rename key_last_seen as "Key Last Seen"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>User Hosts</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details ssh_user_details.username="$tok_user$"
| dedup ssh_user_details.username
| spath output=aaa_hosts path=ssh_user_details.hosts{}
| fields ssh_key_details.friendly_name aaa_hosts
| mvexpand aaa_hosts
| eval _raw = aaa_hosts
| spath
| spath output=aaa_keys path=key_entries{}
| eval aaa_count = mvcount(aaa_keys)
| table node_name target_address aaa_count os_info_os_release_pretty_name tags{} has_duplicate_keys
| rename node_name as "Hostname"
| rename target_address as "Target Address"
| rename aaa_count as "Key Entries"
| rename os_info_os_release_pretty_name as "OS"
| rename tags{} as "Tags"
| rename has_duplicate_keys as "Duplicate Keys"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Duplicate Keys">
<colorPalette type="map">{"true":#DC4E41}</colorPalette>
</format>
<drilldown>
<set token="tok_host">$click.value$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel depends="$tok_host$">
<table>
<title>Key Entries ($tok_host$)</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details ssh_user_details.username="$tok_user$"
| dedup ssh_user_details.username
| spath output=aaa_hosts path=ssh_user_details.hosts{}
| fields ssh_key_details.friendly_name aaa_hosts
| mvexpand aaa_hosts
| eval _raw = aaa_hosts
| spath
| search node_name="$tok_host$"
| spath output=aaa_keys path=key_entries{}
| fields aaa_keys
| mvexpand aaa_keys
| eval _raw = aaa_keys
| spath
| table friendly_name active is_duplicate key_file comment key_type entry_num first_seen last_seen key_file_created key_file_modified hash.sha512
| rename friendly_name as "Friendly Name"
| rename active as "Active"
| rename is_duplicate as "Duplicate Key"
| rename key_file as "File Name"
| rename comment as "Comment"
| rename key_type as "Key Type"
| rename entry_num as "Entry"
| rename first_seen as "First Seen"
| rename last_seen as "Last Seen"
| rename key_file_created as "File Created"
| rename key_file_modified as "File Modified"
| rename hash.sha512 as "sha512 Hash"</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="drilldown">none</option>
<format type="color" field="Duplicate Key">
<colorPalette type="map">{"true":#DC4E41}</colorPalette>
</format>
</table>
</panel>
</row>
<row>
<panel>
<event>
<title>Raw Event Details</title>
<search>
<query>`sandfly_search_sshkeys` event_type=ssh_user_details ssh_user_details.username="$tok_user$"
| dedup ssh_user_details.username</query>
<earliest>$tok_time1.earliest$</earliest>
<latest>$tok_time1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</event>
</panel>
</row>
</form>
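Review bot: The `underLabel` captions of the Active Hosts and All-Time Hosts singles (`Hosts that have this key.` and `Total hosts that have ever had this key.`) were carried over from the key-summary dashboard; this form searches `ssh_user_details.hosts_current`/`hosts_total`, so they should read `Hosts this user currently has keys on.` and `Total hosts this user has ever had keys on.` The same copy-over appears in `| fields ssh_key_details.friendly_name aaa_hosts` in the User Hosts and Key Entries panels, where no `ssh_key_details.*` field exists in an `ssh_user_details` event — harmless, but presumably meant `ssh_user_details.username`. Separately, `$tok_user$` and `$tok_host$` are interpolated into SPL inside bare double quotes (`ssh_user_details.username="$tok_user$"`, `node_name="$tok_host$"`); since both values originate from the monitored hosts, prefer the quoting filter, e.g. `ssh_user_details.username=$tok_user|s$`, which wraps the value and escapes embedded `"` and `\` instead of letting them alter the search. The dropdown's populating search also uses a fixed `-24h@h`/`now` window rather than `$tok_time1$`, so the user list and the panels can disagree on which users exist for the selected range.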

@ -0,0 +1,116 @@
[At_Jobs_by_Username]
dataset.type =
[Crontabs_for_All_Users]
dataset.type =
[Intrusion_Detection_High_Entropy_Process]
dataset.type =
[Intrusion_Detection_Immutable_Process_Binary_Running]
dataset.type =
[Intrusion_Detection_Process_Running_As_Sniffer]
dataset.type =
[Intrusion_Detection_Process_Running_From_devshm]
dataset.type =
[Intrusion_Detection_Process_Running_from_Public_HTML_Directory]
acceleration.hunk.dfs_block_size = 0
[Intrusion_Detection_Process_Running_From_Temp_Directory]
dataset.type =
[Logins_by_Username]
dataset.type =
[Operating_System_BIOS_Version]
dataset.type =
[Operating_System_Bogo_MIPS_Rating]
dataset.type =
[Operating_System_CPU_Architecture]
dataset.type =
[Operating_System_CPU_Model_Name]
dataset.type =
[Operating_System_Linux_Kernel_Release_Version]
dataset.type =
[Operating_System_Linux_Version]
dataset.type =
[Operating_System_Machine_Type]
dataset.type =
[Operating_System_Product_Name]
dataset.type =
[Operating_System_Uptime_in_Days]
dataset.type =
[Processes_With_Network_Ports_Listening]
dataset.type =
[Processes_With_Network_Ports_Operating]
dataset.type =
[User_Bad_Logins_Over_Time]
acceleration.hunk.dfs_block_size = 0
[User_Successful_Logins_Over_Time]
dataset.type =
[Username_Bad_Logins_by_Hostname]
dataset.type =
[Username_Logged_In]
dataset.type =
[Username_Login_Shells_In_Use]
dataset.type =
[Username_Password_Hash_Types]
dataset.type =
[Usernames_Bad_Logins_By_Username]
dataset.type =
[Usernames_Bad_Logins_From_Hostname]
dataset.type =
[Usernames_Most_Bad_Logins_Against_Hostname]
acceleration.hunk.dfs_block_size = 0
[Usernames_Present_on_Host]
dataset.type =
[Usernames_Valid_Logins_Against_Hostname]
dataset.type =
[Usernames_Valid_Logins_by_Username]
dataset.type =
[Usernames_Valid_Logins_From_Hostname]
dataset.type =
[Usernames_with_Blank_Password_Fields]
dataset.type =
[Usernames_with_Password_Hash_Present]
dataset.type =
[Usernames_with_SSH_Authorized_Keys_Present]
dataset.type =
[Usernames_Bad_Logins_Against_Hostname]
acceleration.hunk.dfs_block_size = 0
[OS_BIOS_Vendor]
acceleration.hunk.dfs_block_size = 0
[Username_root_UID_But_Not_Root]
acceleration.hunk.dfs_block_size = 0
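Review bot: The stanzas are inconsistent: most carry an empty `dataset.type =`, while six (`Intrusion_Detection_Process_Running_from_Public_HTML_Directory`, `User_Bad_Logins_Over_Time`, `Usernames_Most_Bad_Logins_Against_Hostname`, `Usernames_Bad_Logins_Against_Hostname`, `OS_BIOS_Vendor`, `Username_root_UID_But_Not_Root`) carry only `acceleration.hunk.dfs_block_size = 0`, which reads like artifacts of saving through the UI rather than deliberate settings. An empty `dataset.type =` presumably assigns an empty string rather than leaving the setting at its default, so either drop these lines or set the intended value consistently across all stanzas. A `#` header naming the conf file and stating that these stanzas only reserve the data model names (the definitions live in the JSON files) would tell the next maintainer whether the near-empty stanzas are required at all.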

@ -0,0 +1,63 @@
[sandfly_search]
definition = index="*" sourcetype="sandfly:alarms"
iseval = 0
[sandfly_search_alarms]
definition = index="*" sourcetype="sandfly:alarms"
iseval = 0
[sandfly_search_all]
definition = index="*" sourcetype="sandfly:*"
iseval = 0
[sandfly_search_sshkeys]
definition = index="*" sourcetype="sandfly:ssh:keys"
iseval = 0
[sandfly_search_sandflies]
definition = index="*" sourcetype="sandfly:sandflies"
iseval = 0
[sandfly_search_ssh_hunter]
definition = index="*" sourcetype="sandfly:ssh:keys"
iseval = 0
[sandfly_search_hosts]
definition = index="*" sourcetype="sandfly:hosts"
iseval = 0
[sandfly_search_hosts_details]
definition = index="*" sourcetype="sandfly:hosts" event_type="host_details"
iseval = 0
[sandfly_search_hosts_summary]
definition = index="*" sourcetype="sandfly:hosts" event_type="host_summary"
iseval = 0
[sandfly_search_audit]
definition = index="*" sourcetype="sandfly:logs:audit"
iseval = 0
[sandfly_search_errors]
definition = index="*" sourcetype="sandfly:logs:error"
iseval = 0
[sandfly_search_errors_detailed]
definition = index="*" sourcetype="sandfly:logs:error" log_mode="detailed"
iseval = 0
[sandfly_search_errors_summary]
definition = index="*" sourcetype="sandfly:logs:error" log_mode="summary"
iseval = 0
[sandfly_search_whitelist]
definition = index="*" sourcetype="sandfly:whitelist"
iseval = 0
[sandfly_search_drift]
definition = index="*" sourcetype="sandfly:alarms" "data.status"=alert drift_result=true
iseval = 0
[sandfly_search_results_whitelisted]
definition = index="*" sourcetype="sandfly:alarms" "data.status"=pass whitelisted=true
iseval = 0
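Review bot: Every macro hard-codes `index="*"`, so each dashboard search scans every index the user's role can read, and an admin who routes Sandfly data to a dedicated index has to edit sixteen definitions; a single index macro (e.g. a constructed `sandfly_index` with `definition = index="*"`) referenced from the others would give one place to narrow the scope. Two pairs are also exact duplicates — `sandfly_search` equals `sandfly_search_alarms`, and `sandfly_search_sshkeys` equals `sandfly_search_ssh_hunter` — and will drift apart silently; define one in terms of the other or keep only one. A `#` comment above each stanza noting which dashboards reference it would let a maintainer tell which of the duplicates is still in use.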


@ -0,0 +1,6 @@
[mitre_tactics]
filename = mitre_tactics.csv
[mitre_techniques]
filename = mitre_techniques.csv

@ -0,0 +1,15 @@
id,name,shortname,external_id,description
x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263,Credential Access,credential_access,TA0006,The adversary is trying to steal account names and passwords.
x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5,Execution,execution,TA0002,The adversary is trying to run malicious code.
x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8,Impact,impact,TA0040,"The adversary is trying to manipulate, interrupt, or destroy your systems and data."
x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92,Persistence,persistence,TA0003,The adversary is trying to maintain their foothold.
x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd,Privilege Escalation,privilege_escalation,TA0004,The adversary is trying to gain higher-level permissions.
x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e,Lateral Movement,lateral_movement,TA0008,The adversary is trying to move through your environment.
x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a,Defense Evasion,defense_evasion,TA0005,The adversary is trying to avoid being detected.
x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462,Exfiltration,exfiltration,TA0010,The adversary is trying to steal data.
x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9,Discovery,discovery,TA0007,The adversary is trying to figure out your environment.
x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe,Collection,collection,TA0009,The adversary is trying to gather data of interest to their goal.
x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400,Resource Development,resource_development,TA0042,The adversary is trying to establish resources they can use to support operations.
x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592,Reconnaissance,reconnaissance,TA0043,The adversary is trying to gather information they can use to plan future operations.
x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813,Command and Control,command_and_control,TA0011,The adversary is trying to communicate with compromised systems to control them.
x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca,Initial Access,initial_access,TA0001,The adversary is trying to get into your network.
1 id name shortname external_id description
2 x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263 Credential Access credential_access TA0006 The adversary is trying to steal account names and passwords.
3 x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5 Execution execution TA0002 The adversary is trying to run malicious code.
4 x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8 Impact impact TA0040 The adversary is trying to manipulate, interrupt, or destroy your systems and data.
5 x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92 Persistence persistence TA0003 The adversary is trying to maintain their foothold.
6 x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd Privilege Escalation privilege_escalation TA0004 The adversary is trying to gain higher-level permissions.
7 x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e Lateral Movement lateral_movement TA0008 The adversary is trying to move through your environment.
8 x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a Defense Evasion defense_evasion TA0005 The adversary is trying to avoid being detected.
9 x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462 Exfiltration exfiltration TA0010 The adversary is trying to steal data.
10 x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9 Discovery discovery TA0007 The adversary is trying to figure out your environment.
11 x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe Collection collection TA0009 The adversary is trying to gather data of interest to their goal.
12 x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400 Resource Development resource_development TA0042 The adversary is trying to establish resources they can use to support operations.
13 x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592 Reconnaissance reconnaissance TA0043 The adversary is trying to gather information they can use to plan future operations.
14 x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813 Command and Control command_and_control TA0011 The adversary is trying to communicate with compromised systems to control them.
15 x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca Initial Access initial_access TA0001 The adversary is trying to get into your network.

@ -0,0 +1,638 @@
id,name,external_id,tactics,description
attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298,Extra Window Memory Injection,T1055.011,defense_evasion|privilege_escalation,Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9,Scheduled Task,T1053.005,execution|persistence|privilege_escalation,"Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task."
attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520,Socket Filters,T1205.002,defense_evasion|persistence|command_and_control,"Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell."
attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662,Archive via Utility,T1560.001,collection,"Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport."
attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b,VNC,T1021.005,lateral_movement,"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computers display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)"
attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055,Windows Management Instrumentation,T1047,execution,Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688,Screen Capture,T1113,collection,"Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)"
attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939,Fileless Storage,T1027.011,defense_evasion,"Adversaries may store data in ""fileless"" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)"
attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334,Boot or Logon Initialization Scripts,T1037,persistence|privilege_escalation,"Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely."
attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d,Adversary-in-the-Middle,T1557,credential_access|collection,"Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)"
attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104,System Owner/User Discovery,T1033,discovery,"Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions."
attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2,Acquire Infrastructure,T1583,resource_development,"Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase."
attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5,Rundll32,T1218.011,defense_evasion,"Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>)."
attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336,Container and Resource Discovery,T1613,discovery,"Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster."
attack-pattern--04a5a8ab-3bc8-4c83-95c9-55274a89786d,Serverless,T1583.007,resource_development,"Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them."
attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c,Standard Encoding,T1132.001,command_and_control,"Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip."
attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1,Embedded Payloads,T1027.009,defense_evasion,"Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)"
attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771,Pluggable Authentication Modules,T1556.003,credential_access|defense_evasion|persistence,"Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)"
attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1,Revert Cloud Instance,T1578.004,defense_evasion,"An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs."
attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f,Gather Victim Host Information,T1592,reconnaissance,"Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.)."
attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca,Digital Certificates,T1596.003,reconnaissance,"Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location."
attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4,Keylogging,T1056.001,collection|credential_access,"Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)"
attack-pattern--09b008a9-b4eb-462a-a751-a0eb58050cd9,File/Path Exclusions,T1564.012,defense_evasion,"Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)"
attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345,Linux and Mac File and Directory Permissions Modification,T1222.002,defense_evasion,"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.)."
attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119,Password Guessing,T1110.001,credential_access,"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts."
attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58,PubPrn,T1216.001,defense_evasion,"Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: pubprn)"
attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f,Purchase Technical Data,T1597.002,reconnaissance,"Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets."
attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22,OS Credential Dumping,T1003,credential_access,"Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information."
attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65,Shared Modules,T1129,execution,"Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106))."
attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74,Data from Configuration Repository,T1602,collection,"Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices."
attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9,Disk Structure Wipe,T1561.002,impact,Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.
attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3,Direct Network Flood,T1498.001,impact,Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32,Path Interception by PATH Environment Variable,T1574.007,persistence|privilege_escalation|defense_evasion,Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.
attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a,Sharepoint,T1213.002,collection,"Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:"
attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5,Direct Volume Access,T1006,defense_evasion,Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
attack-pattern--0cc222f5-c3ff-48e6-9f52-3314baf9d37e,Artificial Intelligence,T1588.007,resource_development,"Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)"
attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff,Email Hiding Rules,T1564.008,defense_evasion,"Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)"
attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3,External Defacement,T1491.002,impact,"An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the systems integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)"
attack-pattern--0d91b3c0-5e50-47c3-949a-2a796f04d144,Encrypted/Encoded File,T1027.013,defense_evasion,"Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use."
attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3,IP Addresses,T1590.005,reconnaissance,"Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted."
attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7,OS Exhaustion Flood,T1499.001,impact,Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b,Rootkit,T1014,defense_evasion,"Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)"
attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3,PowerShell Profile,T1546.013,privilege_escalation|persistence,Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.
attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d,JavaScript,T1059.007,execution,"Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)"
attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea,DNS,T1590.002,reconnaissance,"Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a targets subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)"
attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967,Audio Capture,T1123,collection,"An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)"
attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5,Create or Modify System Process,T1543,persistence|privilege_escalation,"Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons)"
attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d,External Remote Services,T1133,persistence|initial_access,"Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)"
attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847,LC_LOAD_DYLIB Addition,T1546.006,privilege_escalation|persistence,Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff,Steal Web Session Cookie,T1539,credential_access,An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
attack-pattern--1126cab1-c700-412f-a510-61f4937bb096,Container Orchestration Job,T1053.007,execution|persistence|privilege_escalation,"Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster."
attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd,Domain Generation Algorithms,T1568.002,command_and_control,"Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)"
attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e,Double File Extension,T1036.007,defense_evasion,"Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the systems policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)"
attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073,Bypass User Account Control,T1548.002,privilege_escalation|defense_evasion,"Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)"
attack-pattern--132d5b37-aac5-4378-a8dc-3127b18a73dc,Internet Connection Discovery,T1016.001,discovery,"Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites."
attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0,Sudo and Sudo Caching,T1548.003,privilege_escalation|defense_evasion,Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b,Archive via Custom Method,T1560.003,collection,"An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)"
attack-pattern--144e007b-e638-431d-a894-45d90c54ab90,Modify Cloud Compute Infrastructure,T1578,defense_evasion,"An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots."
attack-pattern--149b477f-f364-4824-b1b5-aa1d56115869,Network Devices,T1584.008,resource_development,"Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting."
attack-pattern--155207c0-7f53-4f13-a06b-0a9907ef5096,Malvertising,T1583.008,resource_development,"Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network's capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites."
attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce,Permission Groups Discovery,T1069,discovery,"Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions."
attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f,Email Collection,T1114,collection,"Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients."
attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011,Security Account Manager,T1003.002,credential_access,"Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access."
attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f,WHOIS,T1596.002,reconnaissance,"Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)"
attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada,System Firmware,T1542.001,persistence|defense_evasion,Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)
attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26,Search Victim-Owned Websites,T1594,reconnaissance,"Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)"
attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2,Cloud Groups,T1069.003,discovery,"Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group."
attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c,Services Registry Permissions Weakness,T1574.011,persistence|privilege_escalation|defense_evasion,"Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)"
attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532,DNS/Passive DNS,T1596.001,reconnaissance,"Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target's subdomains, mail servers, and other hosts."
attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9,Application Exhaustion Flood,T1499.003,impact,"Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)"
attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720,Compromise Software Dependencies and Development Tools,T1195.001,initial_access,Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)
attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421,Digital Certificates,T1588.004,resource_development,"Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner."
attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81,DNS Server,T1583.002,resource_development,"Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations."
attack-pattern--1988cc35-ced8-4dad-b2d1-7628488fa967,Disk Wipe,T1561,impact,"Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted."
attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72,DNS,T1071.004,command_and_control,"Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server."
attack-pattern--19bf235b-8620-4997-b5b4-94e0659ed7c3,Cloud Instance Metadata API,T1552.005,credential_access,Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
attack-pattern--1a80d097-54df-41d8-9d33-34e755ec5e72,Securityd Memory,T1555.002,credential_access,"An adversary with root access may gather credentials by reading `securityd`'s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user's logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)"
attack-pattern--1b20efbf-8063-4fc3-a07d-b575318a301b,Group Policy Discovery,T1615,discovery,"Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)"
attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba,Bootkit,T1542.003,persistence|defense_evasion,Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec,Data from Removable Media,T1025,collection,"Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information."
attack-pattern--1bae753e-8e52-4055-a66d-2ead90303ca9,Mavinject,T1218.013,defense_evasion,"Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)"
attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c,Local Data Staging,T1074.001,collection,"Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location."
attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2,Match Legitimate Name or Location,T1036.005,defense_evasion,"Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous."
attack-pattern--1cec9319-743b-4840-bb65-431547bce82a,Digital Certificates,T1587.003,resource_development,"Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA)."
attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292,Stored Data Manipulation,T1565.001,impact,"Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making."
attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d,Password Cracking,T1110.002,credential_access,"Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A)"
attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004,Local Email Collection,T1114.001,collection,"Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files."
attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3,Keychain,T1555.001,credential_access,"Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple's iCloud service."
attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf,Boot or Logon Autostart Execution,T1547,persistence|privilege_escalation,"Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel."
attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc,LSA Secrets,T1003.004,credential_access,"Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)"
attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8,Weaken Encryption,T1600,defense_evasion,Adversaries may compromise a network device's encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
attack-pattern--1f9c2bae-b441-4f66-a8af-b65946ee72f2,SAML Tokens,T1606.002,credential_access,"An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)"
attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471,Masquerade File Type,T1036.008,defense_evasion,"Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. For example, the header of a JPEG file is <code> 0xFF 0xD8</code> and the file extension is either `.JPE`, `.JPEG` or `.JPG`."
attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b,Service Stop,T1489,impact,Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0,Malware,T1587.001,resource_development,"Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)"
attack-pattern--215d9700-5881-48b8-8265-6449dbb7195d,Device Driver Discovery,T1652,discovery,"Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068))."
attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af,Domain Account,T1087.002,discovery,Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
attack-pattern--22522668-ddf6-470b-a027-9d6866679f67,Active Setup,T1547.014,persistence|privilege_escalation,Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8,Hide Artifacts,T1564,defense_evasion,"Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)"
attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d,Dynamic Data Exchange,T1559.002,execution,"Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution."
attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e,Malicious File,T1204.002,execution,"An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl."
attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f,Identify Business Tempo,T1591.003,reconnaissance,"Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization's business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim's hardware and software resources."
attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26,Hardware,T1592.001,reconnaissance,"Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.)."
attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c,Taint Shared Content,T1080,lateral_movement,
attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee,Trust Modification,T1484.002,defense_evasion|privilege_escalation,"Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges. Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains."
attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41,Symmetric Cryptography,T1573.001,command_and_control,"Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4."
attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e,Local Account,T1087.001,discovery,Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d,Social Media Accounts,T1586.001,resource_development,"Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona."
attack-pattern--28170e17-8384-415c-8486-2e6b294cb803,Safe Mode Boot,T1562.009,defense_evasion,Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4,TFTP Boot,T1542.005,defense_evasion|persistence,"Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images."
attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32,Windows Service,T1543.003,persistence|privilege_escalation,"Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry."
attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6,Fast Flux DNS,T1568.001,command_and_control,"Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)"
attack-pattern--29be378d-262d-4e99-b00d-852d573628e6,System Checks,T1497.001,defense_evasion|discovery,"Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)"
attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c,Cron,T1053.003,execution|persistence|privilege_escalation,Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.
attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c,Domain Groups,T1069.002,discovery,"Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators."
attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327,Vulnerabilities,T1588.006,resource_development,"Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)"
attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7,Spearphishing Link,T1566.002,initial_access,"Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source."
attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36,Clear Linux or Mac System Logs,T1070.002,defense_evasion,"Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)"
attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0,Application or System Exploitation,T1499.004,impact,"Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition."
attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53,Office Application Startup,T1137,persistence,Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
attack-pattern--2cd950a6-16c4-404a-aa01-044322395107,InstallUtil,T1218.004,defense_evasion,Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>.
attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230,Spearphishing Link,T1598.003,reconnaissance,"Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages."
attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6,SSH,T1021.004,lateral_movement,Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
attack-pattern--2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3,Additional Cloud Roles,T1098.003,persistence|privilege_escalation,"An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)"
attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad,Print Processors,T1547.012,persistence|privilege_escalation,"Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)"
attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597,Spearphishing Attachment,T1566.001,initial_access,"Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source."
attack-pattern--2f41939b-54c3-41d6-8f8b-35f1ec18ed97,Stripped Payloads,T1027.008,defense_evasion,"Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system's `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)"
attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64,Component Object Model,T1559.001,execution,"Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)"
attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34,DLL Search Order Hijacking,T1574.001,persistence|privilege_escalation|defense_evasion,Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619,Automated Collection,T1119,collection,"Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals."
attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f,Clipboard Data,T1115,collection,Adversaries may collect data stored in the clipboard from users copying information within or between applications.
attack-pattern--3120b9fa-23b8-4500-ae73-09494f607b7d,Proc Filesystem,T1003.007,credential_access,"Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process's virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process's virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)"
attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074,Botnet,T1583.005,resource_development,"Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)"
attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21,Password Managers,T1555.005,credential_access,"Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)"
attack-pattern--31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e,Gatekeeper Bypass,T1553.001,defense_evasion,"Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple's security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )"
attack-pattern--31fe0ba2-62fd-4fd9-9293-4043d84f7fe9,Drive-by Target,T1608.004,resource_development,"Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584))."
attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa,System Service Discovery,T1007,discovery,"Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>."
attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529,Network Sniffing,T1040,credential_access|discovery,"Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data."
attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082,Code Signing,T1553.002,defense_evasion,"Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature."
attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7,Data from Cloud Storage,T1530,collection,Adversaries may access data from cloud storage.
attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490,Runtime Data Manipulation,T1565.003,impact,"Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making."
attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580,Credentials in Registry,T1552.002,credential_access,Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f,Network Share Discovery,T1135,discovery,Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643,Peripheral Device Discovery,T1120,discovery,"Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions."
attack-pattern--34a80bc4-80f2-46e6-94ff-f3265a4b657c,Break Process Trees,T1036.009,defense_evasion,"An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the “parent-child” relationship for detection, breaking this relationship could result in the adversary's behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022)"
attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5,Network Topology,T1590.004,reconnaissance,"Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure."
attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf,Code Signing Certificates,T1587.002,resource_development,Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee,Windows File and Directory Permissions Modification,T1222.001,defense_evasion,"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.)."
attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d,Add-ins,T1137.006,persistence,"Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)"
attack-pattern--35187df2-31ed-43b6-a1f5-2f1d3d58d3f1,Transport Agent,T1505.002,persistence,"Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks."
attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1,System Information Discovery,T1082,discovery,"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions."
attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6,Application Layer Protocol,T1071,command_and_control,"Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server."
attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8,AppDomainManager,T1574.014,persistence|privilege_escalation|defense_evasion,Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains)
attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0,Remote Data Staging,T1074.002,collection,"Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location."
attack-pattern--35d30338-5bfa-41b0-a170-ec06dfd75f64,Additional Container Cluster Roles,T1098.006,persistence|privilege_escalation,"An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC)"
attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9,Scheduled Task/Job,T1053,execution|persistence|privilege_escalation,"Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)"
attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336,Msiexec,T1218.007,defense_evasion,Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e,Network Trust Dependencies,T1590.003,reconnaissance,"Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access."
attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01,Reflection Amplification,T1498.002,impact,"Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network."
attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42,Password Filter DLL,T1556.002,credential_access|defense_evasion|persistence,Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8,Terminal Services DLL,T1505.005,persistence,"Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)"
attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb,AppleScript,T1059.002,execution,"Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely."
attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8,Browser Extensions,T1176,persistence,Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858,Service Exhaustion Flood,T1499.002,impact,"Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service."
attack-pattern--39131305-9282-45e4-ac3b-591d2d4fc3ef,Compromise Hardware Supply Chain,T1195.003,initial_access,"Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals."
attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670,Native API,T1106,execution,"Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations."
attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc,Clear Network Connection History and Configurations,T1070.007,defense_evasion,"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries."
attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b,AS-REP Roasting,T1558.004,credential_access,Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)
attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0,Virtual Private Server,T1584.003,resource_development,"Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)"
attack-pattern--3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5,AutoHotKey & AutoIT,T1059.010,execution,"Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)"
attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8,Reduce Key Space,T1600.001,defense_evasion,Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a,Clear Command History,T1070.003,defense_evasion,"In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done."
attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e,Indirect Command Execution,T1202,defense_evasion,"Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)"
attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4,Replication Through Removable Media,T1091,lateral_movement|initial_access,"Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself."
attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5,Data from Local System,T1005,collection,"Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration."
attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c,Deobfuscate/Decode Files or Information,T1140,defense_evasion,Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44,Outlook Rules,T1137.005,persistence,"Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)"
attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529,Impair Defenses,T1562,defense_evasion,"Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators."
attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a,Cloud Accounts,T1586.003,resource_development,"Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)"
attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b,Email Accounts,T1586.002,resource_development,"Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001))."
attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e,Upload Malware,T1608.001,resource_development,"Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server."
attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7,Supply Chain Compromise,T1195,initial_access,Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c,Exploit Public-Facing Application,T1190,initial_access,"Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration."
attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a,Steal or Forge Kerberos Tickets,T1558,credential_access,"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access."
attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0,Credentials from Password Stores,T1555,credential_access,"Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information."
attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807,Exfiltration Over Web Service,T1567,exfiltration,"Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services."
attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7,Remote Access Software,T1219,command_and_control,"An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)"
attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3,Domains,T1583.001,resource_development,"Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free."
attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6,Archive via Library,T1560.002,collection,"An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data."
attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6,Thread Execution Hijacking,T1055.003,defense_evasion|privilege_escalation,Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0,Masquerading,T1036,defense_evasion,"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names."
attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83,Application Shimming,T1546.011,privilege_escalation|persistence,"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)"
attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517,Unsecured Credentials,T1552,credential_access,"Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)"
attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe,Port Monitors,T1547.010,persistence|privilege_escalation,"Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham)"
attack-pattern--438c967d-3996-4870-bfc2-3954752a1927,Clear Mailbox Data,T1070.008,defense_evasion,"Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests."
attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0,Login Hook,T1037.002,persistence|privilege_escalation,Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)
attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c,Content Injection,T1659,initial_access|command_and_control,"Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)"
attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d,Process Injection,T1055,defense_evasion|privilege_escalation,"Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process."
attack-pattern--43f2776f-b4bd-4118-94b8-fee47e69676d,Exfiltration Over Webhook,T1567.004,exfiltration,"Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application."
attack-pattern--451a9977-d255-43c9-b431-66de80130c8c,Traffic Signaling,T1205,defense_evasion|persistence|command_and_control,"Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software."
attack-pattern--45241b9e-9bbc-4826-a2cc-78855e51ca09,Direct Cloud VM Connections,T1021.008,lateral_movement,"Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager)."
attack-pattern--457c7820-d331-465a-915e-42f85500ccc4,System Binary Proxy Execution,T1218,defense_evasion,"Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands."
attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611,Timestomp,T1070.006,defense_evasion,"Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools."
attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a,Reflective Code Loading,T1620,defense_evasion,"Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129))."
attack-pattern--494ab9f0-36e0-4b06-b10d-57285b040a06,Wi-Fi Discovery,T1016.002,discovery,"Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns."
attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b,Ignore Process Interrupts,T1564.011,defense_evasion,"Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes."
attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665,Escape to Host,T1611,privilege_escalation,"Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)"
attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179,Shortcut Modification,T1547.009,persistence|privilege_escalation,Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830,Application Window Discovery,T1010,discovery,"Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)"
attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470,Email Account,T1087.003,discovery,Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0,Time Based Evasion,T1497.003,defense_evasion|discovery,"Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time."
attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49,CMSTP,T1218.003,defense_evasion,Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
attack-pattern--4d2a5b3e-340d-4600-9123-309dd63c9bf8,SSH Hijacking,T1563.001,lateral_movement,"Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair."
attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a,Disable Windows Event Logging,T1562.002,defense_evasion,"Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections."
attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466,Scheduled Transfer,T1029,exfiltration,Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541,SMB/Windows Admin Shares,T1021.002,lateral_movement,Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
attack-pattern--4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f,Implant Internal Image,T1525,persistence,"Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victims environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)"
attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b,Protocol Tunneling,T1572,command_and_control,"Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet."
attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f,Control Panel,T1218.002,defense_evasion,"Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings."
attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de,Network Address Translation Traversal,T1599.001,defense_evasion,Adversaries may bridge network boundaries by modifying a network devices Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
attack-pattern--506f6f49-7045-4156-9007-7474cb44ad6d,Upload Tool,T1608.002,resource_development,"Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server."
attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462,Security Support Provider,T1547.005,persistence|privilege_escalation,"Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs."
attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814,Use Alternate Authentication Material,T1550,defense_evasion|lateral_movement,"Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls."
attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41,Threat Intel Vendors,T1597.001,reconnaissance,"Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)"
attack-pattern--51ea26b1-ff1e-4faa-b1a0-1114cd298c87,Exfiltration Over Other Network Medium,T1011,exfiltration,"Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel."
attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd,Network Device Configuration Dump,T1602.002,collection,"Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use."
attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4,Gather Victim Identity Information,T1589,reconnaissance,"Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations."
attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b,Disable or Modify System Firewall,T1562.004,defense_evasion,"Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel."
attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a,Archive Collected Data,T1560,collection,An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
attack-pattern--543fceb5-cb92-40cb-aacf-6913d4db58bc,SIP and Trust Provider Hijacking,T1553.003,defense_evasion,"Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)"
attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47,Browser Session Hijacking,T1185,collection,"Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)"
attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba,Remote Services,T1021,lateral_movement,"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user."
attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b,Mail Protocols,T1071.003,command_and_control,"Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server."
attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f,Hybrid Identity,T1556.007,credential_access|defense_evasion|persistence,"Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts."
attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4,Vulnerability Scanning,T1595.002,reconnaissance,Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
attack-pattern--55bb4471-ff1f-43b4-88c1-c9384ec47abf,Cloud API,T1059.009,execution,"Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006)."
attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0,Search Open Technical Databases,T1596,reconnaissance,"Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)"
attack-pattern--561ae9aa-c28a-4144-9eec-e7027a14c8c3,Electron Applications,T1218.015,defense_evasion,"Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)"
attack-pattern--562e9b64-7239-493d-80f4-2bff900d9054,Disable or Modify Linux Audit System,T1562.012,defense_evasion,"Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules."
attack-pattern--564998d8-ab3e-4123-93fb-eccaa6b9714a,Rogue Domain Controller,T1207,defense_evasion,"Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys."
attack-pattern--565275d5-fcc3-4b66-b4e7-928e4cac6b8c,Code Signing Policy Modification,T1553.006,defense_evasion,"Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system."
attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92,Deploy Container,T1610,defense_evasion|execution,"Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)"
attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4,Modify Registry,T1112,defense_evasion,"Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution."
attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba,Launch Daemon,T1543.004,persistence|privilege_escalation,"Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)"
attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d,Cloud Infrastructure Discovery,T1580,discovery,"An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services."
attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8,Credentials from Web Browsers,T1555.003,credential_access,"Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers."
attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2,Path Interception by Search Order Hijacking,T1574.008,persistence|privilege_escalation|defense_evasion,"Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program."
attack-pattern--5909f20f-3c39-4795-be06-ef1ea40d350b,Defacement,T1491,impact,"Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages."
attack-pattern--59bd0dec-f8b2-4b9a-9141-37a1e6899761,Unused/Unsupported Cloud Regions,T1535,defense_evasion,Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.
attack-pattern--59ff91cd-1430-4075-8563-e6f15f4f9ff5,DHCP Spoofing,T1557.003,credential_access|collection,"Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)."
attack-pattern--5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5,Remote Service Session Hijacking,T1563,lateral_movement,"Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service."
attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5,Binary Padding,T1027.001,defense_evasion,"Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations."
attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb,Web Shell,T1505.003,persistence,Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
attack-pattern--5d2be8b9-d24c-4e98-83bf-2f5f79477163,Group Policy Modification,T1484.001,defense_evasion|privilege_escalation,"Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)"
attack-pattern--5e4a2073-9643-44cb-a0b5-e7f4048446c7,Browser Information Discovery,T1217,discovery,"Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)"
attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf,Private Keys,T1552.004,credential_access,"Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc."
attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337,Server,T1583.004,resource_development,"Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked)"
attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65,Windows Remote Management,T1021.006,lateral_movement,Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
attack-pattern--613d08bc-e8f4-4791-80b0-c8b974340dfd,Exfiltration Over Bluetooth,T1011.001,exfiltration,"Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel."
attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d,Default Accounts,T1078.001,defense_evasion|persistence|privilege_escalation|initial_access,"Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)"
attack-pattern--61afc315-860c-4364-825d-0d62b2e91edc,Time Providers,T1547.003,persistence|privilege_escalation,Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
attack-pattern--63220765-d418-44de-8fae-694b3912317d,Trap,T1546.005,privilege_escalation|persistence,Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>.
attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825,Dynamic Linker Hijacking,T1574.006,persistence|privilege_escalation|defense_evasion,"Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)"
attack-pattern--635cbe30-392d-4e27-978e-66774357c762,Local Account,T1136.001,persistence,"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service."
attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef,Communication Through Removable Media,T1092,command_and_control,"Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access."
attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2,Clear Windows Event Logs,T1070.001,defense_evasion,"Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit."
attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a,Email Accounts,T1585.002,resource_development,"Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services such as trial periods to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin)"
attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e,LLMNR/NBT-NS Poisoning and SMB Relay,T1557.001,credential_access|collection,"By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials."
attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196,File and Directory Permissions Modification,T1222,defense_evasion,"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.)."
attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90,LSASS Memory,T1003.001,credential_access,"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)."
attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b,Active Scanning,T1595,reconnaissance,"Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction."
attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b,Abuse Elevation Control Mechanism,T1548,privilege_escalation|defense_evasion,Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)
attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf,Create Process with Token,T1134.002,defense_evasion|privilege_escalation,Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs)
attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9,Setuid and Setgid,T1548.001,privilege_escalation|defense_evasion,"An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) users context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current users context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges."
attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35,Winlogon Helper DLL,T1547.004,persistence|privilege_escalation,Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)
attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd,Distributed Component Object Model,T1021.003,lateral_movement,Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c,Password Spraying,T1110.003,credential_access,"Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)"
attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3,External Proxy,T1090.002,command_and_control,"Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion."
attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e,Web Portal Capture,T1056.003,collection|credential_access,"Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service."
attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262,Email Addresses,T1589.002,reconnaissance,"Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees."
attack-pattern--6a5d222a-a7e0-4656-b110-782c33098289,Spearphishing Voice,T1598.004,reconnaissance,"Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient."
attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530,Cached Domain Credentials,T1003.005,credential_access,Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4,SSH Authorized Keys,T1098.004,persistence|privilege_escalation,Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the systems SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.
attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413,Network Security Appliances,T1590.006,reconnaissance,"Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations."
attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6,Image File Execution Options Injection,T1546.012,privilege_escalation|persistence,"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an applications IFEO will be prepended to the applications name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)"
attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071,Odbcconf,T1218.008,defense_evasion,Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.
attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968,Search Engines,T1593.002,reconnaissance,Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f,Business Relationships,T1591.002,reconnaissance,"Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organizations business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victims hardware and software resources."
attack-pattern--6fa224c7-5091-4595-bf15-3fc9fe2f2c7c,Temporary Elevated Cloud Access,T1548.005,privilege_escalation|defense_evasion,"Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own."
attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf,Video Capture,T1125,collection,"An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files."
attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197,Process Doppelgänging,T1055.013,defense_evasion|privilege_escalation,Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0,System Network Configuration Discovery,T1016,discovery,"Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103)."
attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4,Delete Cloud Instance,T1578.003,defense_evasion,An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
attack-pattern--70910fbd-58dc-4c1c-8c48-814d11fcd022,Code Repositories,T1593.003,reconnaissance,"Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git."
attack-pattern--70d81154-b187-45f9-8ec5-295d01255979,Executable Installer File Permissions Weakness,T1574.005,persistence|privilege_escalation|defense_evasion,"Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM."
attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5,Accessibility Features,T1546.008,privilege_escalation|persistence,Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08,Account Discovery,T1087,discovery,"Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078))."
attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea,Proxy,T1090,command_and_control,"Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic."
attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830,Command and Scripting Interpreter,T1059,execution,"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da,Indicator Blocking,T1562.006,defense_evasion,"An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)."
attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177,Domain Account,T1136.002,persistence,"Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.(Citation: Savill 1999)"
attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156,Employee Names,T1589.003,reconnaissance,Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0,Domain Trust Discovery,T1482,discovery,"Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)"
attack-pattern--768dce68-8d0d-477a-b01d-0eea98b963a1,Golden Ticket,T1558.001,credential_access,"Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)"
attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9,Automated Exfiltration,T1020,exfiltration,"Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)"
attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c,Client Configurations,T1592.004,reconnaissance,"Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone."
attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c,Disable or Modify Cloud Firewall,T1562.007,defense_evasion,Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).
attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69,Right-to-Left Override,T1036.002,defense_evasion,"Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.(Citation: Infosecinstitute RTLO Technique)"
attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970,Malware,T1588.001,resource_development,"Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors."
attack-pattern--791481f8-e96a-41be-b089-a088763083d4,Component Firmware,T1542.002,persistence|defense_evasion,Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69,Indicator Removal,T1070,defense_evasion,"Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary's actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform."
attack-pattern--79a4052e-1a89-4b09-aea6-51f1d11fe19c,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,T1048.001,exfiltration,Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21,Office Template Macros,T1137.001,persistence,Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)
attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795,Virtual Private Server,T1583.003,resource_development,"Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure."
attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc,Confluence,T1213.001,collection,
attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926,Pass the Ticket,T1550.003,defense_evasion|lateral_movement,"Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system."
attack-pattern--7b50a1d3-4ca7-45d1-989d-a6503f04bfe1,Container Administration Command,T1609,execution,"Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)"
attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18,File and Directory Discovery,T1083,discovery,"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions."
attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b,Dynamic Resolution,T1568,command_and_control,"Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control."
attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c,Masquerade Task or Service,T1036.004,defense_evasion,Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605,Asynchronous Procedure Call,T1055.004,defense_evasion|privilege_escalation,Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1,Traffic Duplication,T1020.001,exfiltration,"Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)"
attack-pattern--7d20fff9-8751-404e-badd-ccd71bda0236,Plist File Modification,T1647,defense_evasion,"Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)"
attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c,AppCert DLLs,T1546.009,privilege_escalation|persistence,"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. (Citation: Elastic Process Injection July 2017)"
attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0,Email Forwarding Rule,T1114.003,collection,"Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)"
attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e,Data Staged,T1074,collection,"Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)"
attack-pattern--7de1f7ac-5d0c-4c9c-8873-627202205331,Steal or Forge Authentication Certificates,T1649,credential_access,"Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)"
attack-pattern--7decb26c-715c-40cf-b7e0-026f7d7cc215,Device Registration,T1098.005,persistence|privilege_escalation,"Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance."
attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475,System Network Connections Discovery,T1049,discovery,Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9,Compromise Infrastructure,T1584,resource_development,"Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage."
attack-pattern--7e7c2fba-7cca-486c-9582-4c1bb2851961,Mark-of-the-Web Bypass,T1553.005,defense_evasion,"Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)"
attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5,Disable Crypto Hardware,T1600.002,defense_evasion,"Adversaries disable a network device's dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data."
attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e,Pre-OS Boot,T1542,defense_evasion|persistence,"Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)"
attack-pattern--800f9819-7007-4540-a520-40e655876800,Build Image on Host,T1612,defense_evasion,"Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)"
attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662,Portable Executable Injection,T1055.002,defense_evasion|privilege_escalation,Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327,Verclsid,T1218.012,defense_evasion,Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)
attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a,Compromise Accounts,T1586,resource_development,"Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona."
attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d,Launchctl,T1569.001,execution,"Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)"
attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3,Botnet,T1584.005,resource_development,"Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS)."
attack-pattern--818302b2-d640-477b-bf88-873120ce85c4,Network Device CLI,T1059.008,execution,"Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands."
attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3,Bash History,T1552.003,credential_access,"Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the ""history"" utility. Once a user logs out, the history is flushed to the user's <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user's last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)"
attack-pattern--824add00-99a1-4b15-9a2d-6c5683b7b497,Downgrade Attack,T1562.010,defense_evasion,"Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into less secure modes of operation."
attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19,XPC Services,T1559.003,execution,"Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service <code>C API</code> or the high level <code>NSXPCConnection API</code> in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)"
attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d,Virtualization/Sandbox Evasion,T1497,defense_evasion|discovery,"Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)"
attack-pattern--830c9528-df21-472c-8c14-a036bf17d665,Web Service,T1102,command_and_control,"Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection."
attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc,Credentials In Files,T1552.001,credential_access,"Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords."
attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1,DNS Calculation,T1568.003,command_and_control,"Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)"
attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade,Mshta,T1218.005,defense_evasion,Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)
attack-pattern--84601337-6a55-4ad7-9c35-79e0d1ea2ab3,Login Items,T1547.015,persistence|privilege_escalation,"Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>."
attack-pattern--84771bc3-f6a0-403e-b144-01af70e5fda0,Stage Capabilities,T1608,resource_development,"Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)"
attack-pattern--84ae8255-b4f4-4237-b5c5-e717405a9701,Link Target,T1608.005,resource_development,"Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link."
attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91,Multi-Stage Channels,T1104,command_and_control,Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
attack-pattern--851e071f-208d-4c79-adc6-5974c85c78f3,Financial Theft,T1657,impact,"Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) ""pig butchering,""(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin)"
attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852,Execution Guardrails,T1480,defense_evasion,"Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary's campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)"
attack-pattern--8565825b-21c8-4518-b75e-cbc4c717a156,Cloud Storage Object Discovery,T1619,discovery,"Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure."
attack-pattern--861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a,Web Cookies,T1606.001,credential_access,Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.
attack-pattern--866d0d6d-02c6-42bd-aa2f-02907fdc0969,Log Enumeration,T1654,discovery,"Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018))."
attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d,Token Impersonation/Theft,T1134.001,defense_evasion|privilege_escalation,"Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread."
attack-pattern--86a96bf6-cf8b-411c-aaeb-8959944d64f7,Exfiltration to Code Repository,T1567.001,exfiltration,"Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection."
attack-pattern--8861073d-d1b8-4941-82ce-dce621d398f0,Cloud Services,T1021.007,lateral_movement,Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.
attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd,Port Knocking,T1205.001,defense_evasion|persistence|command_and_control,"Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software."
attack-pattern--887274fc-2d63-4bdc-82f3-fae56d1d5fdc,LNK Icon Smuggling,T1027.012,defense_evasion,"Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory."
attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54,Web Services,T1583.006,resource_development,"Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them."
attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a,Steal Application Access Token,T1528,credential_access,Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc,Spearphishing Attachment,T1598.002,reconnaissance,"Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages."
attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd,Additional Cloud Credentials,T1098.001,persistence|privilege_escalation,Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5,User Execution,T1204,execution,"An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566)."
attack-pattern--8c41090b-aa47-4331-986b-8c9a51a91103,Internal Defacement,T1491.001,impact,"An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)"
attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d,Hidden Users,T1564.002,defense_evasion,Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819,Make and Impersonate Token,T1134.003,defense_evasion|privilege_escalation,"Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread."
attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e,Group Policy Preferences,T1552.006,credential_access,Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
attack-pattern--8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,T1048.002,exfiltration,Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe,Cloud Account,T1087.004,discovery,"Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application."
attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580,Process Discovery,T1057,discovery,"Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions."
attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59,Impair Command History Logging,T1562.003,defense_evasion,Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
attack-pattern--90c4a591-d02d-490b-92aa-619d9701ac04,Network Provider DLL,T1556.008,credential_access|defense_evasion|persistence,"Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify)"
attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58,Windows Management Instrumentation Event Subscription,T1546.003,privilege_escalation|persistence,"Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)"
attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75,CDNs,T1596.004,reconnaissance,"Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor's geographical region."
attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938,User Activity Based Checks,T1497.002,defense_evasion|discovery,"Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)"
attack-pattern--926d8cfd-1d0d-4da2-ab49-3ca10ec3f3b5,Cloud Accounts,T1585.003,resource_development,"Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)"
attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414,Software Deployment Tools,T1072,execution|lateral_movement,"Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager."
attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d,Exfiltration Over C2 Channel,T1041,exfiltration,Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a,Parent PID Spoofing,T1134.004,defense_evasion|privilege_escalation,"Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)"
attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23,Gather Victim Org Information,T1591,reconnaissance,"Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees."
attack-pattern--94cb00a4-b295-4d06-aa2b-5653b9c1be9c,Forge Web Credentials,T1606,credential_access,"Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access."
attack-pattern--954a1639-f2d6-407d-aef3-4917622ca493,Multi-Factor Authentication Request Generation,T1621,credential_access,Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5,Compromise Host Software Binary,T1554,persistence,"Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications."
attack-pattern--9664ad0e-789e-40ac-82e2-d7b17fbe8fb3,Chat Messages,T1552.008,credential_access,"Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels."
attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736,PowerShell,T1059.001,execution,"Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems)."
attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c,Change Default File Association,T1546.001,privilege_escalation|persistence,"Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened."
attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5,VDSO Hijacking,T1055.014,defense_evasion|privilege_escalation,Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b,File Transfer Protocols,T1071.002,command_and_control,"Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server."
attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36,Exploitation for Credential Access,T1212,credential_access,"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code."
attack-pattern--9c45eaa3-8604-4780-8988-b5074dbb9ecd,Emond,T1546.014,privilege_escalation|persistence,"Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place."
attack-pattern--9c99724c-a483-4d60-ad9d-7f004e42e8e8,One-Way Communication,T1102.003,command_and_control,"Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response."
attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109,Gather Victim Network Information,T1590,reconnaissance,"Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations."
attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82,Exploitation of Remote Services,T1210,lateral_movement,"Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system."
attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747,Internal Spearphishing,T1534,lateral_movement,"After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is a multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)"
attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd,Services File Permissions Weakness,T1574.010,persistence|privilege_escalation|defense_evasion,"Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM."
attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279,Registry Run Keys / Startup Folder,T1547.001,persistence|privilege_escalation,"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the ""run keys"" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level."
attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925,Trusted Relationship,T1199,initial_access,Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
attack-pattern--a009cb25-4801-4116-9105-80a91cf15c1b,Cloud Account,T1136.003,persistence,"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)"
attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b,Local Groups,T1069.001,discovery,"Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group."
attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365,Search Open Websites/Domains,T1593,reconnaissance,"Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)"
attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27,Account Manipulation,T1098,persistence|privilege_escalation,"Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials."
attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776,Exfiltration Over Alternative Protocol,T1048,exfiltration,Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6,Kernel Modules and Extensions,T1547.006,persistence|privilege_escalation,"Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)"
attack-pattern--a2029942-0a85-4947-b23c-ca434698171d,GUI Input Capture,T1056.002,collection|credential_access,"Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002))."
attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0,Tool,T1588.002,resource_development,"Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)"
attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829,Exfiltration over USB,T1052.001,exfiltration,"Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems."
attack-pattern--a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde,KernelCallbackTable,T1574.013,persistence|privilege_escalation|defense_evasion,Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded.(Citation: Windows Process Injection KernelCallbackTable)
attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4,Search Closed Sources,T1597,reconnaissance,"Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)"
attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21,Systemd Timers,T1053.006,execution|persistence|privilege_escalation,"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)"
attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b,Phishing,T1566,initial_access,"Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns."
attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc,ROMMONkit,T1542.004,defense_evasion|persistence,Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d,Compiled HTML File,T1218.001,defense_evasion,"Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)"
attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c,Network Share Connection Removal,T1070.005,defense_evasion,Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)
attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d,Multi-hop Proxy,T1090.003,command_and_control,"Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source."
attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd,Brute Force,T1110,credential_access,"Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes."
attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56,Unix Shell,T1059.004,execution,"Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges."
attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634,Outlook Forms,T1137.003,persistence,Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579,Disable or Modify Tools,T1562.001,defense_evasion,"Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)"
attack-pattern--ac9e6b22-11bf-45d7-9181-c1cb08360931,Data Manipulation,T1565,impact,"Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant Beetle Jan 2022) By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making."
attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d,Inter-Process Communication,T1559,execution,"Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern."
attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842,Data Obfuscation,T1001,command_and_control,"Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols."
attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c,Data from Network Shared Drive,T1039,collection,"Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information."
attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2,Web Services,T1584.006,resource_development,"Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains."
attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754,Modify System Image,T1601,defense_evasion,"Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file."
attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6,Hijack Execution Flow,T1574,persistence|privilege_escalation|defense_evasion,"Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution."
attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92,Indicator Removal from Tools,T1027.005,defense_evasion,"Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems."
attack-pattern--b0c74ef9-c61e-4986-88cb-78da98a355ec,Malicious Image,T1204.003,execution,"Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)"
attack-pattern--b0e54bf7-835e-4f44-bd8e-62f431b9b76a,Container Service,T1543.005,persistence|privilege_escalation,"Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host."
attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81,Valid Accounts,T1078,defense_evasion|persistence|privilege_escalation|initial_access,"Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence."
attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18,Non-Standard Port,T1571,command_and_control,"Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data."
attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928,Social Media Accounts,T1585.001,resource_development,"Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)"
attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4,Process Hollowing,T1055.012,defense_evasion|privilege_escalation,Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839,Exploitation for Privilege Escalation,T1068,privilege_escalation,"Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions."
attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb,Resource Forking,T1564.009,defense_evasion,"Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file's extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)"
attack-pattern--b24e2a20-3b3d-4bf0-823b-1ed765398fb0,Account Access Removal,T1531,impact,"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)"
attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc,Credential Stuffing,T1110.004,credential_access,"Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts."
attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a,Obfuscated Files or Information,T1027,defense_evasion,"Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses."
attack-pattern--b4409cd8-0da9-46e1-a401-a241afd4d1cc,Multi-Factor Authentication,T1556.006,credential_access|defense_evasion|persistence,Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a,Remote Email Collection,T1114.002,collection,"Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords."
attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001,IIS Components,T1505.004,persistence,"Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)"
attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52,Invalid Code Signature,T1036.001,defense_evasion,"Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)"
attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d,Run Virtual Instance,T1564.006,defense_evasion,"Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)"
attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5,Password Policy Discovery,T1201,discovery,"Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length is 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout threshold is set to 6 so as to not lock out accounts)."
attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db,Event Triggered Execution,T1546,privilege_escalation|persistence,Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)
attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2,Unix Shell Configuration Modification,T1546.004,privilege_escalation|persistence,"Adversaries may establish persistence through executing malicious commands triggered by a user's shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user's home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user's environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately."
attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2,Forced Authentication,T1187,credential_access,Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023,SID-History Injection,T1134.005,defense_evasion|privilege_escalation,"Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens)."
attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166,Network Boundary Bridging,T1599,defense_evasion,Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0,Data Encrypted for Impact,T1486,impact,Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)
attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7,Subvert Trust Controls,T1553,defense_evasion,"Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site."
attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0,Elevated Execution with Prompt,T1548.004,privilege_escalation|defense_evasion,"Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source, nor whether it has been maliciously modified."
attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d,Firmware,T1592.003,reconnaissance,"Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.)."
attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118,Encrypted Channel,T1573,command_and_control,"Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files."
attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec,Authentication Package,T1547.002,persistence|privilege_escalation,Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab,Regsvr32,T1218.010,defense_evasion,"Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)"
attack-pattern--ba04e672-da86-4e69-aa15-0eca5db25f43,Exfiltration to Text Storage Sites,T1567.003,exfiltration,"Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used by developers to share code and other information."
attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884,Software,T1592.002,reconnaissance,"Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.)."
attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2,Input Capture,T1056,collection|credential_access,"Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003))."
attack-pattern--bb5e59c4-abe7-40c7-8196-e373cb1e5974,Spearphishing Voice,T1566.004,initial_access,"Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient."
attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2,Exploits,T1587.004,resource_development,"Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)"
attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3,Social Media,T1593.001,reconnaissance,"Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff."
attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae,Component Object Model Hijacking,T1546.015,privilege_escalation|persistence,Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry.
attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161,Credentials,T1589.001,reconnaissance,Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00,Compromise Software Supply Chain,T1195.002,initial_access,"Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version."
attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b,Rename System Utilities,T1036.003,defense_evasion,Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4,Bidirectional Communication,T1102.002,command_and_control,"Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet."
attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63,Exploitation for Client Execution,T1203,execution,"Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility."
attack-pattern--bed04f7d-e48a-4e76-bd0f-4c57fe31fc46,Wordlist Scanning,T1595.003,reconnaissance,"Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594))."
attack-pattern--bef8aaee-961d-4359-a308-4c2182bcedff,Spoof Security Alerting,T1562.011,defense_evasion,"Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders' awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident."
attack-pattern--bf147104-abf9-4221-95d1-e81585859441,Outlook Home Page,T1137.004,persistence,Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada,Asymmetric Cryptography,T1573.002,command_and_control,"Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver's public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal."
attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b,Exfiltration to Cloud Storage,T1567.002,exfiltration,"Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet."
attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5,Lateral Tool Transfer,T1570,lateral_movement,"Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation."
attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b,Path Interception by Unquoted Path,T1574.009,persistence|privilege_escalation|defense_evasion,"Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch."
attack-pattern--c071d8c1-3b3a-4f22-9407-ca4e96921069,Install Digital Certificate,T1608.003,resource_development,"Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)"
attack-pattern--c0dfe7b0-b873-4618-9ff8-53e31f70907f,Startup Items,T1037.005,persistence|privilege_escalation,Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)
attack-pattern--c1b68a96-3c48-49ea-a6c0-9b27359f9c19,System Language Discovery,T1614.001,discovery,"Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)"
attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b,Non-Application Layer Protocol,T1095,command_and_control,"Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL)."
attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916,Steganography,T1027.003,defense_evasion,"Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files."
attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5,DNS Server,T1584.002,resource_development,"Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations."
attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc,Protocol Impersonation,T1001.003,command_and_control,"Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic."
attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896,Query Registry,T1012,discovery,"Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software."
attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd,Data Transfer Size Limits,T1030,exfiltration,An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0,Web Session Cookie,T1550.004,defense_evasion|lateral_movement,Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f,Domain Accounts,T1078.002,defense_evasion|persistence|privilege_escalation|initial_access,"Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)"
attack-pattern--c48a67ee-b657-45c1-91bf-6cdbe27205f8,Regsvcs/Regasm,T1218.009,defense_evasion,Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839,Install Root Certificate,T1553.004,defense_evasion,"Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website."
attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99,Network Logon Script,T1037.003,persistence|privilege_escalation,"Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems."
attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4,Endpoint Denial of Service,T1499,impact,"Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)"
attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617,Compile After Delivery,T1027.004,defense_evasion,Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979,System Location Discovery,T1614,discovery,
attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b,VBA Stomping,T1564.007,defense_evasion,Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7,BITS Jobs,T1197,defense_evasion|persistence,"Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations."
attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96,MSBuild,T1127.001,defense_evasion,Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada,Impersonation,T1656,defense_evasion,"Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary's ultimate goals, possibly against multiple victims."
attack-pattern--ca00366b-83a1-4c7b-a0ce-8ff950a7c87f,Modify Cloud Compute Configurations,T1578.005,defense_evasion,"Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim's compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim."
attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2,Domain Fronting,T1090.004,command_and_control,"Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, ""domainless"" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored)."
attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213,ARP Cache Poisoning,T1557.002,credential_access|collection,Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).
attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d,Disable or Modify Cloud Logs,T1562.008,defense_evasion,"An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities."
attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384,Security Software Discovery,T1518.001,discovery,"Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions."
attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0,Hidden Window,T1564.003,defense_evasion,"Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks."
attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1,Python,T1059.006,execution,"Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)"
attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4,Identify Roles,T1591.004,reconnaissance,"Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to."
attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f,Data Encoding,T1132,command_and_control,"Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip."
attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd,AppInit DLLs,T1546.010,privilege_escalation|persistence,"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)"
attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a,Phishing for Information,T1598,reconnaissance,"Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code."
attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783,Resource Hijacking,T1496,impact,"Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability."
attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8,Establish Accounts,T1585,resource_development,"Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)"
attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1,Obtain Capabilities,T1588,resource_development,"Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle."
attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf,Screensaver,T1546.002,privilege_escalation|persistence,"Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations."
attack-pattern--ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae,Conditional Access Policies,T1556.009,credential_access|defense_evasion|persistence,Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.
attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c,Create Cloud Instance,T1578.002,defense_evasion,"An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)"
attack-pattern--cfb525cc-5494-401d-a82b-2539ca46a561,Cloud Secrets Management Stores,T1555.006,credential_access,"Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault."
attack-pattern--cff94884-3b1c-4987-a70b-6d5643c621c3,Code Repositories,T1213.003,collection,"Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git."
attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6,Transmitted Data Manipulation,T1565.002,impact,"Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making."
attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4,/etc/passwd and /etc/shadow,T1003.008,credential_access,"Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)"
attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584,Launch Agent,T1543.001,persistence|privilege_escalation,"Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks."
attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253,System Services,T1569,execution,"Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution."
attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62,Windows Command Shell,T1059.003,execution,"Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)"
attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591,Proc Memory,T1055.009,defense_evasion|privilege_escalation,Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--d21bb61f-08ad-4dc1-b001-81ca6cb79954,Acquire Access,T1650,resource_development,"Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)"
attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f,Patch System Image,T1601.001,defense_evasion,"Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime."
attack-pattern--d273434a-448e-4598-8e14-607f4a0d5e27,Silver Ticket,T1558.002,credential_access,"Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)"
attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416,Data from Information Repositories,T1213,collection,"Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization."
attack-pattern--d2c4e5ea-dbdf-4113-805a-b1e2a337fb33,Clear Persistence,T1070.009,defense_evasion,"Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)"
attack-pattern--d336b553-5da9-46ca-98a8-0b23f49fb447,Windows Credential Manager,T1555.004,credential_access,"Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)"
attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9,Hardware Additions,T1200,initial_access,"Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused."
attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb,Server Software Component,T1505,persistence,Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)
attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c,Data Destruction,T1485,impact,"Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure."
attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc,Non-Standard Encoding,T1132.002,command_and_control,"Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding)"
attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605,Domain Controller Authentication,T1556.001,credential_access|defense_evasion|persistence,Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
attack-pattern--d4bdbdea-eaec-4071-b4f9-5105e12ea4b6,Transfer Data to Cloud Account,T1537,exfiltration,"Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service."
attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb,HTML Smuggling,T1027.006,defense_evasion,"Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)"
attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48,Reversible Encryption,T1556.005,credential_access|defense_evasion|persistence,An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377,Command Obfuscation,T1027.010,defense_evasion,"Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)"
attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c,File Deletion,T1070.004,defense_evasion,"Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint."
attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6,Drive-by Compromise,T1189,initial_access,"Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001)."
attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab,Network Denial of Service,T1498,impact,"Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)"
attack-pattern--d94b3ae9-8059-4989-8e9f-ea0f601f80a7,Cloud Administration Command,T1651,execution,"Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)"
attack-pattern--da051493-ae9c-4b1b-9760-c009c46c9b56,Installer Packages,T1546.016,privilege_escalation|persistence,"Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)"
attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120,Scanning IP Blocks,T1595.001,reconnaissance,"Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses."
attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534,Template Injection,T1221,defense_evasion,"Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives comprised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)"
attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211,RC Scripts,T1037.004,persistence|privilege_escalation,Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system's startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48,Access Token Manipulation,T1134,defense_evasion|privilege_escalation,"Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token."
attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49,Multi-Factor Authentication Interception,T1111,credential_access,"Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms."
attack-pattern--deb98323-e13f-4b0c-8d94-175379069062,Software Packing,T1027.002,defense_evasion,Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
attack-pattern--df1bc34d-1634-4c93-b89e-8120994fce77,Serverless,T1584.007,resource_development,"Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them."
attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161,Web Protocols,T1071.001,command_and_control,"Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server."
attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67,Visual Basic,T1059.005,execution,"Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)"
attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04,Hidden File System,T1564.005,defense_evasion,"Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)"
attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b,Systemd Service,T1543.002,persistence|privilege_escalation,"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible."
attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c,RDP Hijacking,T1563.002,lateral_movement,Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
attack-pattern--e01be9c5-e763-4caf-aeb7-000b416aef67,Create Account,T1136,persistence,"Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system."
attack-pattern--e0232cb0-ded5-4c2e-9dc7-2893142a5c11,XDG Autostart Entries,T1547.013,persistence|privilege_escalation,"Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user's desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user's desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)"
attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5,Server,T1584.004,resource_development,"Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations."
attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db,Cloud Service Discovery,T1526,discovery,"An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs."
attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735,Remote System Discovery,T1018,discovery,"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039)."
attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88,Network Service Discovery,T1046,discovery,"Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)"
attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d,Domain Properties,T1590.001,reconnaissance,"Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers."
attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58,Software Discovery,T1518,discovery,"Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions."
attack-pattern--e49920b0-6c54-40c1-9571-73723653205f,Cloud Service Dashboard,T1538,discovery,"An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)"
attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744,Thread Local Storage,T1055.005,defense_evasion|privilege_escalation,Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391,Debugger Evasion,T1622,defense_evasion|discovery,Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)
attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86,Space after Filename,T1036.006,defense_evasion,"Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system."
attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e,Re-opened Applications,T1547.007,persistence|privilege_escalation,"Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to ""Reopen windows when logging back in"".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user's next logon."
attack-pattern--e5d550f3-2202-4634-85f2-4a200a1d49b3,SEO Poisoning,T1608.006,resource_development,Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site's ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e,Pass the Hash,T1550.002,defense_evasion|lateral_movement,"Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash."
attack-pattern--e6415f09-df0e-48de-9aba-928c902b7549,Exfiltration Over Physical Medium,T1052,exfiltration,"Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems."
attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b,DLL Side-Loading,T1574.002,persistence|privilege_escalation|defense_evasion,"Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s)."
attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add,Ingress Tool Transfer,T1105,command_and_control,"Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570))."
attack-pattern--e6f19759-dde3-47fc-99cc-d9f5fa4ade60,SyncAppvPublishingServer,T1216.002,defense_evasion,"Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv)"
attack-pattern--e74de37c-a829-446c-937d-56a44f0e9306,Additional Email Delegate Permissions,T1098.002,persistence|privilege_escalation,Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.
attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15,Code Signing Certificates,T1588.003,resource_development,Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
attack-pattern--e848506b-8484-4410-8017-3d235a52f5b3,Serverless Execution,T1648,execution,"Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers."
attack-pattern--e8a0a025-3601-4755-abfb-8d08283329fb,TCC Manipulation,T1548.006,defense_evasion|privilege_escalation,"Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to execute malicious applications with elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA)."
attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f,Ptrace System Calls,T1055.008,defense_evasion|privilege_escalation,Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--ea071aa0-8f17-416f-ab0d-2bab7e79003d,Power Settings,T1653,persistence,"Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)"
attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4,Dynamic API Resolution,T1027.007,defense_evasion,"Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts."
attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf,Remote Desktop Protocol,T1021.001,lateral_movement,Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3,Logon Script (Windows),T1037.001,persistence|privilege_escalation,Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)
attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99,ListPlanting,T1055.015,defense_evasion|privilege_escalation,Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
attack-pattern--eb897572-8979-4242-a089-56f294f4c91d,Hide Infrastructure,T1665,command_and_control,"Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely."
attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d,Domain or Tenant Policy Modification,T1484,defense_evasion|privilege_escalation,"Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation."
attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3,XSL Script Processing,T1220,defense_evasion,"Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)"
attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f,Scan Databases,T1596.005,reconnaissance,"Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)"
attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d,Hidden Files and Directories,T1564.001,defense_evasion,"Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS)."
attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1,Create Snapshot,T1578.001,defense_evasion,"An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence."
attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867,Determine Physical Locations,T1591.001,reconnaissance,"Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within."
attack-pattern--ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a,Office Test,T1137.002,persistence,"Adversaries may abuse the Microsoft Office ""Office Test"" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)"
attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf,Develop Capabilities,T1587,resource_development,"Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)"
attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24,NTDS,T1003.003,credential_access,"Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)"
attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5,SNMP (MIB Dump),T1602.001,collection,Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).
attack-pattern--eec23884-3fa1-4d8a-ac50-6f104d51e235,Steganography,T1001.002,command_and_control,"Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control."
attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9,Malicious Link,T1204.001,execution,An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).
attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51,Application Access Token,T1550.001,defense_evasion|lateral_movement,"Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials."
attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4,LSASS Driver,T1547.008,persistence|privilege_escalation,"Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)"
attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4,Service Execution,T1569.002,execution,Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).
attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65,Cloud Accounts,T1078.004,defense_evasion|persistence|privilege_escalation|initial_access,"Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)"
attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995,Environmental Keying,T1480.001,defense_evasion,Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)
attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433,Fallback Channels,T1008,command_and_control,Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5,NTFS File Attributes,T1564.004,defense_evasion,"Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)"
attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee,Kerberoasting,T1558.003,credential_access,Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015)
attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163,DCSync,T1003.006,credential_access,Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077,System Time Discovery,T1124,discovery,"An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)"
attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0,At,T1053.002,execution|persistence|privilege_escalation,"Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group."
attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945,Dynamic-link Library Injection,T1055.001,defense_evasion|privilege_escalation,Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636,Exploits,T1588.005,resource_development,"Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)"
attack-pattern--f4c1826f-a322-41cd-9557-562100848c84,Modify Authentication Process,T1556,credential_access|defense_evasion|persistence,"Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6,Credential API Hooking,T1056.004,collection|credential_access,"Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:"
attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89,Firmware Corruption,T1495,impact,"Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards."
attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a,Inhibit System Recovery,T1490,impact,Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
attack-pattern--f63fe421-b1d1-45c0-b8a7-02cd16ff2bed,Netsh Helper DLL,T1546.007,privilege_escalation|persistence,Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>.
attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317,Spearphishing via Service,T1566.003,initial_access,Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755,Internal Proxy,T1090.001,command_and_control,"Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment."
attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe,System Script Proxy Execution,T1216,defense_evasion,"Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)"
attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7,Dead Drop Resolver,T1102.001,command_and_control,"Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers."
attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade,Junk Data,T1001.001,command_and_control,"Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters."
attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6,Spearphishing Service,T1598.001,reconnaissance,"Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages."
attack-pattern--f8ef3a62-3f44-40a4-abca-761ab235c436,Container API,T1552.007,credential_access,"Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)"
attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba,Domains,T1584.001,resource_development,Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a,SQL Stored Procedures,T1505.001,persistence,Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).
attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd,Network Device Authentication,T1556.004,credential_access|defense_evasion|persistence,"Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices."
attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac,Disk Content Wipe,T1561.001,impact,Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b,Exfiltration Over Unencrypted Non-C2 Protocol,T1048.003,exfiltration,Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)
attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490,Dylib Hijacking,T1574.004,persistence|privilege_escalation|defense_evasion,"Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added."
attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d,Downgrade System Image,T1601.002,defense_evasion,"Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)"
attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2,Local Accounts,T1078.003,defense_evasion|persistence|privilege_escalation|initial_access,"Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service."
attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b,Exploitation for Defense Evasion,T1211,defense_evasion,"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them."
attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b,Trusted Developer Utilities Proxy Execution,T1127,defense_evasion,"Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions."
attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc,System Shutdown/Reboot,T1529,impact,"Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. <code>reload</code>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)"
attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407,MMC,T1218.014,defense_evasion,"Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)"
attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1,Process Argument Spoofing,T1564.010,defense_evasion,"Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)"
attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335,COR_PROFILER,T1574.012,persistence|privilege_escalation|defense_evasion,"Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)"
1 id name external_id tactics description
2 attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298 Extra Window Memory Injection T1055.011 defense_evasion|privilege_escalation Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
3 attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9 Scheduled Task T1053.005 execution|persistence|privilege_escalation Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
4 attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520 Socket Filters T1205.002 defense_evasion|persistence|command_and_control Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
5 attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662 Archive via Utility T1560.001 collection Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
6 attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b VNC T1021.005 lateral_movement Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
7 attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055 Windows Management Instrumentation T1047 execution Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
8 attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688 Screen Capture T1113 collection Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
9 attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939 Fileless Storage T1027.011 defense_evasion Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)
10 attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334 Boot or Logon Initialization Scripts T1037 persistence|privilege_escalation Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.
11 attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d Adversary-in-the-Middle T1557 credential_access|collection Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)
12 attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104 System Owner/User Discovery T1033 discovery Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
13 attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2 Acquire Infrastructure T1583 resource_development Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
14 attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5 Rundll32 T1218.011 defense_evasion Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe instead of executing the DLL directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)) may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).
15 attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336 Container and Resource Discovery T1613 discovery Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
16 attack-pattern--04a5a8ab-3bc8-4c83-95c9-55274a89786d Serverless T1583.007 resource_development Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
17 attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c Standard Encoding T1132.001 command_and_control Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
18 attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1 Embedded Payloads T1027.009 defense_evasion Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)
19 attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771 Pluggable Authentication Modules T1556.003 credential_access|defense_evasion|persistence Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
20 attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1 Revert Cloud Instance T1578.004 defense_evasion An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
21 attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f Gather Victim Host Information T1592 reconnaissance Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
22 attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca Digital Certificates T1596.003 reconnaissance Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
23 attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4 Keylogging T1056.001 collection|credential_access Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)
24 attack-pattern--09b008a9-b4eb-462a-a751-a0eb58050cd9 File/Path Exclusions T1564.012 defense_evasion Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)
25 attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345 Linux and Mac File and Directory Permissions Modification T1222.002 defense_evasion Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
26 attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119 Password Guessing T1110.001 credential_access Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
27 attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58 PubPrn T1216.001 defense_evasion Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: pubprn)
28 attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f Purchase Technical Data T1597.002 reconnaissance Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
29 attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22 OS Credential Dumping T1003 credential_access Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
30 attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65 Shared Modules T1129 execution Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
31 attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74 Data from Configuration Repository T1602 collection Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
32 attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9 Disk Structure Wipe T1561.002 impact Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system, targeting specific critical systems or large numbers of systems in a network to interrupt availability of system and network resources.
33 attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3 Direct Network Flood T1498.001 impact Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
34 attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 Path Interception by PATH Environment Variable T1574.007 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.
35 attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a Sharepoint T1213.002 collection Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
36 attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5 Direct Volume Access T1006 defense_evasion Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
37 attack-pattern--0cc222f5-c3ff-48e6-9f52-3314baf9d37e Artificial Intelligence T1588.007 resource_development Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
38 attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff Email Hiding Rules T1564.008 defense_evasion Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
39 attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3 External Defacement T1491.002 impact An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)
40 attack-pattern--0d91b3c0-5e50-47c3-949a-2a796f04d144 Encrypted/Encoded File T1027.013 defense_evasion Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.
41 attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3 IP Addresses T1590.005 reconnaissance Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted.
42 attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7 OS Exhaustion Flood T1499.001 impact Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
43 attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b Rootkit T1014 defense_evasion Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
44 attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3 PowerShell Profile T1546.013 privilege_escalation|persistence Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.
45 attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d JavaScript T1059.007 execution Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
46 attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea DNS T1590.002 reconnaissance Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
47 attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967 Audio Capture T1123 collection An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
48 attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5 Create or Modify System Process T1543 persistence|privilege_escalation Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons)
49 attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d External Remote Services T1133 persistence|initial_access Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
50 attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847 LC_LOAD_DYLIB Addition T1546.006 privilege_escalation|persistence Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers and load commands that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB load command in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
51 attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff Steal Web Session Cookie T1539 credential_access An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
52 attack-pattern--1126cab1-c700-412f-a510-61f4937bb096 Container Orchestration Job T1053.007 execution|persistence|privilege_escalation Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
53 attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd Domain Generation Algorithms T1568.002 command_and_control Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
54 attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e Double File Extension T1036.007 defense_evasion Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)
55 attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073 Bypass User Account Control T1548.002 privilege_escalation|defense_evasion Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
56 attack-pattern--132d5b37-aac5-4378-a8dc-3127b18a73dc Internet Connection Discovery T1016.001 discovery Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites.
57 attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0 Sudo and Sudo Caching T1548.003 privilege_escalation|defense_evasion Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
58 attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b Archive via Custom Method T1560.003 collection An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)
59 attack-pattern--144e007b-e638-431d-a894-45d90c54ab90 Modify Cloud Compute Infrastructure T1578 defense_evasion An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
60 attack-pattern--149b477f-f364-4824-b1b5-aa1d56115869 Network Devices T1584.008 resource_development Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
61 attack-pattern--155207c0-7f53-4f13-a06b-0a9907ef5096 Malvertising T1583.008 resource_development Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.
62 attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce Permission Groups Discovery T1069 discovery Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
63 attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f Email Collection T1114 collection Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
64 attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011 Security Account Manager T1003.002 credential_access Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
65 attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f WHOIS T1596.002 reconnaissance Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
66 attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada System Firmware T1542.001 persistence|defense_evasion Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)
67 attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26 Search Victim-Owned Websites T1594 reconnaissance Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
68 attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2 Cloud Groups T1069.003 discovery Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
69 attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c Services Registry Permissions Weakness T1574.011 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
70 attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532 DNS/Passive DNS T1596.001 reconnaissance Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
71 attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9 Application Exhaustion Flood T1499.003 impact Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)
72 attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720 Compromise Software Dependencies and Development Tools T1195.001 initial_access Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)
73 attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421 Digital Certificates T1588.004 resource_development Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
74 attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81 DNS Server T1583.002 resource_development Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
75 attack-pattern--1988cc35-ced8-4dad-b2d1-7628488fa967 Disk Wipe T1561 impact Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
76 attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72 DNS T1071.004 command_and_control Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
77 attack-pattern--19bf235b-8620-4997-b5b4-94e0659ed7c3 Cloud Instance Metadata API T1552.005 credential_access Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
78 attack-pattern--1a80d097-54df-41d8-9d33-34e755ec5e72 Securityd Memory T1555.002 credential_access An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
79 attack-pattern--1b20efbf-8063-4fc3-a07d-b575318a301b Group Policy Discovery T1615 discovery Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
80 attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba Bootkit T1542.003 persistence|defense_evasion Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
81 attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec Data from Removable Media T1025 collection Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
82 attack-pattern--1bae753e-8e52-4055-a66d-2ead90303ca9 Mavinject T1218.013 defense_evasion Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)
83 attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c Local Data Staging T1074.001 collection Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
84 attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2 Match Legitimate Name or Location T1036.005 defense_evasion Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
85 attack-pattern--1cec9319-743b-4840-bb65-431547bce82a Digital Certificates T1587.003 resource_development Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
86 attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292 Stored Data Manipulation T1565.001 impact Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
87 attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d Password Cracking T1110.002 credential_access Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A)
88 attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004 Local Email Collection T1114.001 collection Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
89 attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3 Keychain T1555.001 credential_access Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.
90 attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf Boot or Logon Autostart Execution T1547 persistence|privilege_escalation Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
91 attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc LSA Secrets T1003.004 credential_access Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
92 attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8 Weaken Encryption T1600 defense_evasion Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
93 attack-pattern--1f9c2bae-b441-4f66-a8af-b65946ee72f2 SAML Tokens T1606.002 credential_access An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
94 attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471 Masquerade File Type T1036.008 defense_evasion Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is <code> 0xFF 0xD8</code> and the file extension is either `.JPE`, `.JPEG` or `.JPG`.
95 attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b Service Stop T1489 impact Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
96 attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0 Malware T1587.001 resource_development Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
97 attack-pattern--215d9700-5881-48b8-8265-6449dbb7195d Device Driver Discovery T1652 discovery Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
98 attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af Domain Account T1087.002 discovery Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
99 attack-pattern--22522668-ddf6-470b-a027-9d6866679f67 Active Setup T1547.014 persistence|privilege_escalation Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
100 attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8 Hide Artifacts T1564 defense_evasion Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
101 attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d Dynamic Data Exchange T1559.002 execution Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
102 attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e Malicious File T1204.002 execution An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
103 attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f Identify Business Tempo T1591.003 reconnaissance Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
104 attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26 Hardware T1592.001 reconnaissance Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
105 attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c Taint Shared Content T1080 lateral_movement
106 attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee Trust Modification T1484.002 defense_evasion|privilege_escalation Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.
107 attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41 Symmetric Cryptography T1573.001 command_and_control Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.
108 attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e Local Account T1087.001 discovery Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
109 attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d Social Media Accounts T1586.001 resource_development Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.
110 attack-pattern--28170e17-8384-415c-8486-2e6b294cb803 Safe Mode Boot T1562.009 defense_evasion Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
111 attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4 TFTP Boot T1542.005 defense_evasion|persistence Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
112 attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32 Windows Service T1543.003 persistence|privilege_escalation Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
113 attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6 Fast Flux DNS T1568.001 command_and_control Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
114 attack-pattern--29be378d-262d-4e99-b00d-852d573628e6 System Checks T1497.001 defense_evasion|discovery Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
115 attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c Cron T1053.003 execution|persistence|privilege_escalation Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.
116 attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c Domain Groups T1069.002 discovery Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
117 attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327 Vulnerabilities T1588.006 resource_development Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
118 attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7 Spearphishing Link T1566.002 initial_access Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
119 attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36 Clear Linux or Mac System Logs T1070.002 defense_evasion Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
120 attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0 Application or System Exploitation T1499.004 impact Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.
121 attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53 Office Application Startup T1137 persistence Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
122 attack-pattern--2cd950a6-16c4-404a-aa01-044322395107 InstallUtil T1218.004 defense_evasion Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>.
123 attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230 Spearphishing Link T1598.003 reconnaissance Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
124 attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6 SSH T1021.004 lateral_movement Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
125 attack-pattern--2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3 Additional Cloud Roles T1098.003 persistence|privilege_escalation An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)
126 attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad Print Processors T1547.012 persistence|privilege_escalation Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)
127 attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597 Spearphishing Attachment T1566.001 initial_access Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
128 attack-pattern--2f41939b-54c3-41d6-8f8b-35f1ec18ed97 Stripped Payloads T1027.008 defense_evasion Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)
129 attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64 Component Object Model T1559.001 execution Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
130 attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 DLL Search Order Hijacking T1574.001 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
131 attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619 Automated Collection T1119 collection Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.
132 attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f Clipboard Data T1115 collection Adversaries may collect data stored in the clipboard from users copying information within or between applications.
133 attack-pattern--3120b9fa-23b8-4500-ae73-09494f607b7d Proc Filesystem T1003.007 credential_access Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
134 attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074 Botnet T1583.005 resource_development Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)
135 attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21 Password Managers T1555.005 credential_access Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
136 attack-pattern--31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e Gatekeeper Bypass T1553.001 defense_evasion Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
137 attack-pattern--31fe0ba2-62fd-4fd9-9293-4043d84f7fe9 Drive-by Target T1608.004 resource_development Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).
138 attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa System Service Discovery T1007 discovery Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.
139 attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529 Network Sniffing T1040 credential_access|discovery Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
140 attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082 Code Signing T1553.002 defense_evasion Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.
141 attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7 Data from Cloud Storage T1530 collection Adversaries may access data from cloud storage.
142 attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490 Runtime Data Manipulation T1565.003 impact Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
143 attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580 Credentials in Registry T1552.002 credential_access Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
144 attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f Network Share Discovery T1135 discovery Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
145 attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643 Peripheral Device Discovery T1120 discovery Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
146 attack-pattern--34a80bc4-80f2-46e6-94ff-f3265a4b657c Break Process Trees T1036.009 defense_evasion An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the “parent-child" relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022)
147 attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5 Network Topology T1590.004 reconnaissance Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
148 attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf Code Signing Certificates T1587.002 resource_development Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
149 attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee Windows File and Directory Permissions Modification T1222.001 defense_evasion Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
150 attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d Add-ins T1137.006 persistence Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)
151 attack-pattern--35187df2-31ed-43b6-a1f5-2f1d3d58d3f1 Transport Agent T1505.002 persistence Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.
152 attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1 System Information Discovery T1082 discovery An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
153 attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6 Application Layer Protocol T1071 command_and_control Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
154 attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8 AppDomainManager T1574.014 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains)
155 attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0 Remote Data Staging T1074.002 collection Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
156 attack-pattern--35d30338-5bfa-41b0-a170-ec06dfd75f64 Additional Container Cluster Roles T1098.006 persistence|privilege_escalation An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC)
157 attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 Scheduled Task/Job T1053 execution|persistence|privilege_escalation Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
158 attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336 Msiexec T1218.007 defense_evasion Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
159 attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e Network Trust Dependencies T1590.003 reconnaissance Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
160 attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01 Reflection Amplification T1498.002 impact Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
161 attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42 Password Filter DLL T1556.002 credential_access|defense_evasion|persistence Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
162 attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8 Terminal Services DLL T1505.005 persistence Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
163 attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb AppleScript T1059.002 execution Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
164 attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8 Browser Extensions T1176 persistence Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
165 attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858 Service Exhaustion Flood T1499.002 impact Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
166 attack-pattern--39131305-9282-45e4-ac3b-591d2d4fc3ef Compromise Hardware Supply Chain T1195.003 initial_access Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.
167 attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670 Native API T1106 execution Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
168 attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc Clear Network Connection History and Configurations T1070.007 defense_evasion Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
169 attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b AS-REP Roasting T1558.004 credential_access Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)
170 attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0 Virtual Private Server T1584.003 resource_development Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
171 attack-pattern--3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5 AutoHotKey & AutoIT T1059.010 execution Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
172 attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8 Reduce Key Space T1600.001 defense_evasion Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
173 attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a Clear Command History T1070.003 defense_evasion In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
174 attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e Indirect Command Execution T1202 defense_evasion Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
175 attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4 Replication Through Removable Media T1091 lateral_movement|initial_access Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
176 attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5 Data from Local System T1005 collection Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
177 attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c Deobfuscate/Decode Files or Information T1140 defense_evasion Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
178 attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44 Outlook Rules T1137.005 persistence Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
179 attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529 Impair Defenses T1562 defense_evasion Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
180 attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a Cloud Accounts T1586.003 resource_development Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
181 attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b Email Accounts T1586.002 resource_development Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).
182 attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e Upload Malware T1608.001 resource_development Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
183 attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7 Supply Chain Compromise T1195 initial_access Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
184 attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c Exploit Public-Facing Application T1190 initial_access Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
185 attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a Steal or Forge Kerberos Tickets T1558 credential_access Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
186 attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0 Credentials from Password Stores T1555 credential_access Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
187 attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807 Exfiltration Over Web Service T1567 exfiltration Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
188 attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7 Remote Access Software T1219 command_and_control An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)
189 attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3 Domains T1583.001 resource_development Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
190 attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6 Archive via Library T1560.002 collection An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
191 attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6 Thread Execution Hijacking T1055.003 defense_evasion|privilege_escalation Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
192 attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0 Masquerading T1036 defense_evasion Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
193 attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83 Application Shimming T1546.011 privilege_escalation|persistence Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)
194 attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517 Unsecured Credentials T1552 credential_access Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)
195 attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe Port Monitors T1547.010 persistence|privilege_escalation Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham)
196 attack-pattern--438c967d-3996-4870-bfc2-3954752a1927 Clear Mailbox Data T1070.008 defense_evasion Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
197 attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0 Login Hook T1037.002 persistence|privilege_escalation Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)
198 attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c Content Injection T1659 initial_access|command_and_control Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)
199 attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d Process Injection T1055 defense_evasion|privilege_escalation Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
200 attack-pattern--43f2776f-b4bd-4118-94b8-fee47e69676d Exfiltration Over Webhook T1567.004 exfiltration Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.
201 attack-pattern--451a9977-d255-43c9-b431-66de80130c8c Traffic Signaling T1205 defense_evasion|persistence|command_and_control Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
202 attack-pattern--45241b9e-9bbc-4826-a2cc-78855e51ca09 Direct Cloud VM Connections T1021.008 lateral_movement Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager).
203 attack-pattern--457c7820-d331-465a-915e-42f85500ccc4 System Binary Proxy Execution T1218 defense_evasion Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
204 attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611 Timestomp T1070.006 defense_evasion Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
205 attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a Reflective Code Loading T1620 defense_evasion Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)).
206 attack-pattern--494ab9f0-36e0-4b06-b10d-57285b040a06 Wi-Fi Discovery T1016.002 discovery Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
207 attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b Ignore Process Interrupts T1564.011 defense_evasion Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.
208 attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665 Escape to Host T1611 privilege_escalation Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)
209 attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179 Shortcut Modification T1547.009 persistence|privilege_escalation Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
210 attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830 Application Window Discovery T1010 discovery Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
211 attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470 Email Account T1087.003 discovery Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
212 attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0 Time Based Evasion T1497.003 defense_evasion|discovery Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
213 attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49 CMSTP T1218.003 defense_evasion Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
214 attack-pattern--4d2a5b3e-340d-4600-9123-309dd63c9bf8 SSH Hijacking T1563.001 lateral_movement Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
215 attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a Disable Windows Event Logging T1562.002 defense_evasion Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.
216 attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466 Scheduled Transfer T1029 exfiltration Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
217 attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541 SMB/Windows Admin Shares T1021.002 lateral_movement Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
218 attack-pattern--4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f Implant Internal Image T1525 persistence Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
219 attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b Protocol Tunneling T1572 command_and_control Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
220 attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f Control Panel T1218.002 defense_evasion Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
221 attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de Network Address Translation Traversal T1599.001 defense_evasion Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
222 attack-pattern--506f6f49-7045-4156-9007-7474cb44ad6d Upload Tool T1608.002 resource_development Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
223 attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462 Security Support Provider T1547.005 persistence|privilege_escalation Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
224 attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814 Use Alternate Authentication Material T1550 defense_evasion|lateral_movement Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
225 attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41 Threat Intel Vendors T1597.001 reconnaissance Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
226 attack-pattern--51ea26b1-ff1e-4faa-b1a0-1114cd298c87 Exfiltration Over Other Network Medium T1011 exfiltration Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.
227 attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd Network Device Configuration Dump T1602.002 collection Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.
228 attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4 Gather Victim Identity Information T1589 reconnaissance Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
229 attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b Disable or Modify System Firewall T1562.004 defense_evasion Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
230 attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a Archive Collected Data T1560 collection An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
231 attack-pattern--543fceb5-cb92-40cb-aacf-6913d4db58bc SIP and Trust Provider Hijacking T1553.003 defense_evasion Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)
232 attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47 Browser Session Hijacking T1185 collection Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
233 attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba Remote Services T1021 lateral_movement Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
234 attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b Mail Protocols T1071.003 command_and_control Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
235 attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f Hybrid Identity T1556.007 credential_access|defense_evasion|persistence Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
236 attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4 Vulnerability Scanning T1595.002 reconnaissance Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
237 attack-pattern--55bb4471-ff1f-43b4-88c1-c9384ec47abf Cloud API T1059.009 execution Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006).
238 attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0 Search Open Technical Databases T1596 reconnaissance Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)
239 attack-pattern--561ae9aa-c28a-4144-9eec-e7027a14c8c3 Electron Applications T1218.015 defense_evasion Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)
240 attack-pattern--562e9b64-7239-493d-80f4-2bff900d9054 Disable or Modify Linux Audit System T1562.012 defense_evasion Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
241 attack-pattern--564998d8-ab3e-4123-93fb-eccaa6b9714a Rogue Domain Controller T1207 defense_evasion Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
242 attack-pattern--565275d5-fcc3-4b66-b4e7-928e4cac6b8c Code Signing Policy Modification T1553.006 defense_evasion Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.
243 attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92 Deploy Container T1610 defense_evasion|execution Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
244 attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4 Modify Registry T1112 defense_evasion Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
245 attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba Launch Daemon T1543.004 persistence|privilege_escalation Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
246 attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d Cloud Infrastructure Discovery T1580 discovery An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
247 attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8 Credentials from Web Browsers T1555.003 credential_access Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
248 attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2 Path Interception by Search Order Hijacking T1574.008 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
249 attack-pattern--5909f20f-3c39-4795-be06-ef1ea40d350b Defacement T1491 impact Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages.
250 attack-pattern--59bd0dec-f8b2-4b9a-9141-37a1e6899761 Unused/Unsupported Cloud Regions T1535 defense_evasion Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.
251 attack-pattern--59ff91cd-1430-4075-8563-e6f15f4f9ff5 DHCP Spoofing T1557.003 credential_access|collection Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).
252 attack-pattern--5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5 Remote Service Session Hijacking T1563 lateral_movement Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.
253 attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5 Binary Padding T1027.001 defense_evasion Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
254 attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb Web Shell T1505.003 persistence Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
255 attack-pattern--5d2be8b9-d24c-4e98-83bf-2f5f79477163 Group Policy Modification T1484.001 defense_evasion|privilege_escalation Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
256 attack-pattern--5e4a2073-9643-44cb-a0b5-e7f4048446c7 Browser Information Discovery T1217 discovery Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
257 attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf Private Keys T1552.004 credential_access Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc.
258 attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337 Server T1583.004 resource_development Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked)
259 attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65 Windows Remote Management T1021.006 lateral_movement Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
260 attack-pattern--613d08bc-e8f4-4791-80b0-c8b974340dfd Exfiltration Over Bluetooth T1011.001 exfiltration Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
261 attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d Default Accounts T1078.001 defense_evasion|persistence|privilege_escalation|initial_access Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
262 attack-pattern--61afc315-860c-4364-825d-0d62b2e91edc Time Providers T1547.003 persistence|privilege_escalation Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
263 attack-pattern--63220765-d418-44de-8fae-694b3912317d Trap T1546.005 privilege_escalation|persistence Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>.
264 attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825 Dynamic Linker Hijacking T1574.006 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)
265 attack-pattern--635cbe30-392d-4e27-978e-66774357c762 Local Account T1136.001 persistence Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
266 attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef Communication Through Removable Media T1092 command_and_control Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
267 attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2 Clear Windows Event Logs T1070.001 defense_evasion Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
268 attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a Email Accounts T1585.002 resource_development Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin)
269 attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e LLMNR/NBT-NS Poisoning and SMB Relay T1557.001 credential_access|collection By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.
270 attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196 File and Directory Permissions Modification T1222 defense_evasion Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
271 attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90 LSASS Memory T1003.001 credential_access Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
272 attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b Active Scanning T1595 reconnaissance Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
273 attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b Abuse Elevation Control Mechanism T1548 privilege_escalation|defense_evasion Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)
274 attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf Create Process with Token T1134.002 defense_evasion|privilege_escalation Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs)
275 attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9 Setuid and Setgid T1548.001 privilege_escalation|defense_evasion An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
276 attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35 Winlogon Helper DLL T1547.004 persistence|privilege_escalation Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)
277 attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd Distributed Component Object Model T1021.003 lateral_movement Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
278 attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c Password Spraying T1110.003 credential_access Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
279 attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3 External Proxy T1090.002 command_and_control Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.
280 attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e Web Portal Capture T1056.003 collection|credential_access Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
281 attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262 Email Addresses T1589.002 reconnaissance Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.
282 attack-pattern--6a5d222a-a7e0-4656-b110-782c33098289 Spearphishing Voice T1598.004 reconnaissance Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
283 attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530 Cached Domain Credentials T1003.005 credential_access Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
284 attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4 SSH Authorized Keys T1098.004 persistence|privilege_escalation Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.
285 attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413 Network Security Appliances T1590.006 reconnaissance Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
286 attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6 Image File Execution Options Injection T1546.012 privilege_escalation|persistence Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)
287 attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071 Odbcconf T1218.008 defense_evasion Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.
288 attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968 Search Engines T1593.002 reconnaissance Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
289 attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f Business Relationships T1591.002 reconnaissance Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
290 attack-pattern--6fa224c7-5091-4595-bf15-3fc9fe2f2c7c Temporary Elevated Cloud Access T1548.005 privilege_escalation|defense_evasion Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.
291 attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf Video Capture T1125 collection An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
292 attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197 Process Doppelgänging T1055.013 defense_evasion|privilege_escalation Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
293 attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0 System Network Configuration Discovery T1016 discovery Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
294 attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4 Delete Cloud Instance T1578.003 defense_evasion An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
295 attack-pattern--70910fbd-58dc-4c1c-8c48-814d11fcd022 Code Repositories T1593.003 reconnaissance Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
296 attack-pattern--70d81154-b187-45f9-8ec5-295d01255979 Executable Installer File Permissions Weakness T1574.005 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
297 attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5 Accessibility Features T1546.008 privilege_escalation|persistence Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
298 attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08 Account Discovery T1087 discovery Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
299 attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea Proxy T1090 command_and_control Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
300 attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830 Command and Scripting Interpreter T1059 execution Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
301 attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da Indicator Blocking T1562.006 defense_evasion An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
302 attack-pattern--7610cada-1499-41a4-b3dd-46467b68d177 Domain Account T1136.002 persistence Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.(Citation: Savill 1999)
303 attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156 Employee Names T1589.003 reconnaissance Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
304 attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0 Domain Trust Discovery T1482 discovery Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)
305 attack-pattern--768dce68-8d0d-477a-b01d-0eea98b963a1 Golden Ticket T1558.001 credential_access Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)
306 attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9 Automated Exfiltration T1020 exfiltration Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
307 attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c Client Configurations T1592.004 reconnaissance Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
308 attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c Disable or Modify Cloud Firewall T1562.007 defense_evasion Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).
309 attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69 Right-to-Left Override T1036.002 defense_evasion Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.(Citation: Infosecinstitute RTLO Technique)
310 attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970 Malware T1588.001 resource_development Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
311 attack-pattern--791481f8-e96a-41be-b089-a088763083d4 Component Firmware T1542.002 persistence|defense_evasion Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
312 attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69 Indicator Removal T1070 defense_evasion Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
313 attack-pattern--79a4052e-1a89-4b09-aea6-51f1d11fe19c Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.001 exfiltration Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
314 attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21 Office Template Macros T1137.001 persistence Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)
315 attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795 Virtual Private Server T1583.003 resource_development Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
316 attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc Confluence T1213.001 collection
317 attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926 Pass the Ticket T1550.003 defense_evasion|lateral_movement Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
318 attack-pattern--7b50a1d3-4ca7-45d1-989d-a6503f04bfe1 Container Administration Command T1609 execution Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
319 attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18 File and Directory Discovery T1083 discovery Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
320 attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b Dynamic Resolution T1568 command_and_control Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
321 attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c Masquerade Task or Service T1036.004 defense_evasion Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
322 attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605 Asynchronous Procedure Call T1055.004 defense_evasion|privilege_escalation Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
323 attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1 Traffic Duplication T1020.001 exfiltration Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
324 attack-pattern--7d20fff9-8751-404e-badd-ccd71bda0236 Plist File Modification T1647 defense_evasion Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)
325 attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c AppCert DLLs T1546.009 privilege_escalation|persistence Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. (Citation: Elastic Process Injection July 2017)
326 attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0 Email Forwarding Rule T1114.003 collection Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)
327 attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e Data Staged T1074 collection Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
328 attack-pattern--7de1f7ac-5d0c-4c9c-8873-627202205331 Steal or Forge Authentication Certificates T1649 credential_access Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
329 attack-pattern--7decb26c-715c-40cf-b7e0-026f7d7cc215 Device Registration T1098.005 persistence|privilege_escalation Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
330 attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475 System Network Connections Discovery T1049 discovery Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
331 attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9 Compromise Infrastructure T1584 resource_development Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
332 attack-pattern--7e7c2fba-7cca-486c-9582-4c1bb2851961 Mark-of-the-Web Bypass T1553.005 defense_evasion Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)
333 attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5 Disable Crypto Hardware T1600.002 defense_evasion Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
334 attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e Pre-OS Boot T1542 defense_evasion|persistence Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)
335 attack-pattern--800f9819-7007-4540-a520-40e655876800 Build Image on Host T1612 defense_evasion Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
336 attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662 Portable Executable Injection T1055.002 defense_evasion|privilege_escalation Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
337 attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327 Verclsid T1218.012 defense_evasion Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)
338 attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a Compromise Accounts T1586 resource_development Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.
339 attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d Launchctl T1569.001 execution Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
340 attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3 Botnet T1584.005 resource_development Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).
341 attack-pattern--818302b2-d640-477b-bf88-873120ce85c4 Network Device CLI T1059.008 execution Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.
342 attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3 Bash History T1552.003 credential_access Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
343 attack-pattern--824add00-99a1-4b15-9a2d-6c5683b7b497 Downgrade Attack T1562.010 defense_evasion Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.
344 attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19 XPC Services T1559.003 execution Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service <code>C API</code> or the high level <code>NSXPCConnection API</code> in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
345 attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d Virtualization/Sandbox Evasion T1497 defense_evasion|discovery Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
346 attack-pattern--830c9528-df21-472c-8c14-a036bf17d665 Web Service T1102 command_and_control Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
347 attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc Credentials In Files T1552.001 credential_access Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
348 attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1 DNS Calculation T1568.003 command_and_control Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
349 attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade Mshta T1218.005 defense_evasion Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)
350 attack-pattern--84601337-6a55-4ad7-9c35-79e0d1ea2ab3 Login Items T1547.015 persistence|privilege_escalation Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>.
351 attack-pattern--84771bc3-f6a0-403e-b144-01af70e5fda0 Stage Capabilities T1608 resource_development Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)
352 attack-pattern--84ae8255-b4f4-4237-b5c5-e717405a9701 Link Target T1608.005 resource_development Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.
353 attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91 Multi-Stage Channels T1104 command_and_control Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
354 attack-pattern--851e071f-208d-4c79-adc6-5974c85c78f3 Financial Theft T1657 impact Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) "pig butchering,"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin)
355 attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852 Execution Guardrails T1480 defense_evasion Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
356 attack-pattern--8565825b-21c8-4518-b75e-cbc4c717a156 Cloud Storage Object Discovery T1619 discovery Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
357 attack-pattern--861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a Web Cookies T1606.001 credential_access Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.
358 attack-pattern--866d0d6d-02c6-42bd-aa2f-02907fdc0969 Log Enumeration T1654 discovery Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
359 attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d Token Impersonation/Theft T1134.001 defense_evasion|privilege_escalation Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
360 attack-pattern--86a96bf6-cf8b-411c-aaeb-8959944d64f7 Exfiltration to Code Repository T1567.001 exfiltration Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.
361 attack-pattern--8861073d-d1b8-4941-82ce-dce621d398f0 Cloud Services T1021.007 lateral_movement Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.
362 attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd Port Knocking T1205.001 defense_evasion|persistence|command_and_control Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
363 attack-pattern--887274fc-2d63-4bdc-82f3-fae56d1d5fdc LNK Icon Smuggling T1027.012 defense_evasion Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.
364 attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54 Web Services T1583.006 resource_development Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.
365 attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a Steal Application Access Token T1528 credential_access Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
366 attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc Spearphishing Attachment T1598.002 reconnaissance Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
367 attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd Additional Cloud Credentials T1098.001 persistence|privilege_escalation Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
368 attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5 User Execution T1204 execution An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
369 attack-pattern--8c41090b-aa47-4331-986b-8c9a51a91103 Internal Defacement T1491.001 impact An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)
370 attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d Hidden Users T1564.002 defense_evasion Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
371 attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819 Make and Impersonate Token T1134.003 defense_evasion|privilege_escalation Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.
372 attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e Group Policy Preferences T1552.006 credential_access Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
373 attack-pattern--8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002 exfiltration Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
374 attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe Cloud Account T1087.004 discovery Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
375 attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580 Process Discovery T1057 discovery Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
376 attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59 Impair Command History Logging T1562.003 defense_evasion Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
377 attack-pattern--90c4a591-d02d-490b-92aa-619d9701ac04 Network Provider DLL T1556.008 credential_access|defense_evasion|persistence Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify)
378 attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58 Windows Management Instrumentation Event Subscription T1546.003 privilege_escalation|persistence Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
379 attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75 CDNs T1596.004 reconnaissance Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
380 attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938 User Activity Based Checks T1497.002 defense_evasion|discovery Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
381 attack-pattern--926d8cfd-1d0d-4da2-ab49-3ca10ec3f3b5 Cloud Accounts T1585.003 resource_development Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
382 attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414 Software Deployment Tools T1072 execution|lateral_movement Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.
383 attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d Exfiltration Over C2 Channel T1041 exfiltration Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
384 attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a Parent PID Spoofing T1134.004 defense_evasion|privilege_escalation Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
385 attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23 Gather Victim Org Information T1591 reconnaissance Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
386 attack-pattern--94cb00a4-b295-4d06-aa2b-5653b9c1be9c Forge Web Credentials T1606 credential_access Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.
387 attack-pattern--954a1639-f2d6-407d-aef3-4917622ca493 Multi-Factor Authentication Request Generation T1621 credential_access Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
388 attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5 Compromise Host Software Binary T1554 persistence Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
389 attack-pattern--9664ad0e-789e-40ac-82e2-d7b17fbe8fb3 Chat Messages T1552.008 credential_access Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
390 attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736 PowerShell T1059.001 execution Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
391 attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c Change Default File Association T1546.001 privilege_escalation|persistence Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
392 attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5 VDSO Hijacking T1055.014 defense_evasion|privilege_escalation Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
393 attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b File Transfer Protocols T1071.002 command_and_control Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
394 attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36 Exploitation for Credential Access T1212 credential_access Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
395 attack-pattern--9c45eaa3-8604-4780-8988-b5074dbb9ecd Emond T1546.014 privilege_escalation|persistence Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place.
396 attack-pattern--9c99724c-a483-4d60-ad9d-7f004e42e8e8 One-Way Communication T1102.003 command_and_control Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
397 attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109 Gather Victim Network Information T1590 reconnaissance Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
398 attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82 Exploitation of Remote Services T1210 lateral_movement Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
399	attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747	Internal Spearphishing	T1534	lateral_movement	After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is a multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phishing attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
400 attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd Services File Permissions Weakness T1574.010 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
401 attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279 Registry Run Keys / Startup Folder T1547.001 persistence|privilege_escalation Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
402 attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925 Trusted Relationship T1199 initial_access Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
403 attack-pattern--a009cb25-4801-4116-9105-80a91cf15c1b Cloud Account T1136.003 persistence Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
404 attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b Local Groups T1069.001 discovery Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
405	attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365	Search Open Websites/Domains	T1593	reconnaissance	Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
406 attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27 Account Manipulation T1098 persistence|privilege_escalation Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
407 attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776 Exfiltration Over Alternative Protocol T1048 exfiltration Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
408 attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6 Kernel Modules and Extensions T1547.006 persistence|privilege_escalation Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
409 attack-pattern--a2029942-0a85-4947-b23c-ca434698171d GUI Input Capture T1056.002 collection|credential_access Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).
410	attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0	Tool	T1588.002	resource_development	Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
411 attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829 Exfiltration over USB T1052.001 exfiltration Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
412 attack-pattern--a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde KernelCallbackTable T1574.013 persistence|privilege_escalation|defense_evasion Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded.(Citation: Windows Process Injection KernelCallbackTable)
413 attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4 Search Closed Sources T1597 reconnaissance Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
414 attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 Systemd Timers T1053.006 execution|persistence|privilege_escalation Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
415 attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b Phishing T1566 initial_access Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
416 attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc ROMMONkit T1542.004 defense_evasion|persistence Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
417	attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d	Compiled HTML File	T1218.001	defense_evasion	Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
418 attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c Network Share Connection Removal T1070.005 defense_evasion Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)
419 attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d Multi-hop Proxy T1090.003 command_and_control Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
420 attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd Brute Force T1110 credential_access Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
421 attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56 Unix Shell T1059.004 execution Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
422 attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634 Outlook Forms T1137.003 persistence Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
423 attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579 Disable or Modify Tools T1562.001 defense_evasion Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
424 attack-pattern--ac9e6b22-11bf-45d7-9181-c1cb08360931 Data Manipulation T1565 impact Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant Beetle Jan 2022) By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
425	attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d	Inter-Process Communication	T1559	execution	Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern.
426 attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842 Data Obfuscation T1001 command_and_control Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
427 attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c Data from Network Shared Drive T1039 collection Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
428 attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2 Web Services T1584.006 resource_development Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.
429 attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754 Modify System Image T1601 defense_evasion Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
430 attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6 Hijack Execution Flow T1574 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
431 attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92 Indicator Removal from Tools T1027.005 defense_evasion Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
432 attack-pattern--b0c74ef9-c61e-4986-88cb-78da98a355ec Malicious Image T1204.003 execution Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
433 attack-pattern--b0e54bf7-835e-4f44-bd8e-62f431b9b76a Container Service T1543.005 persistence|privilege_escalation Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.
434 attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 Valid Accounts T1078 defense_evasion|persistence|privilege_escalation|initial_access Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
435 attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18 Non-Standard Port T1571 command_and_control Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
436 attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928 Social Media Accounts T1585.001 resource_development Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
437 attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4 Process Hollowing T1055.012 defense_evasion|privilege_escalation Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
438 attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839 Exploitation for Privilege Escalation T1068 privilege_escalation Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
439 attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb Resource Forking T1564.009 defense_evasion Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
440 attack-pattern--b24e2a20-3b3d-4bf0-823b-1ed765398fb0 Account Access Removal T1531 impact Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
441 attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc Credential Stuffing T1110.004 credential_access Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
442 attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a Obfuscated Files or Information T1027 defense_evasion Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
443 attack-pattern--b4409cd8-0da9-46e1-a401-a241afd4d1cc Multi-Factor Authentication T1556.006 credential_access|defense_evasion|persistence Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.
444 attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a Remote Email Collection T1114.002 collection Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.
445 attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001 IIS Components T1505.004 persistence Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
446 attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52 Invalid Code Signature T1036.001 defense_evasion Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
447 attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d Run Virtual Instance T1564.006 defense_evasion Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
448	attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5	Password Policy Discovery	T1201	discovery	Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 so as not to lock out accounts).
449 attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db Event Triggered Execution T1546 privilege_escalation|persistence Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)
450 attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2 Unix Shell Configuration Modification T1546.004 privilege_escalation|persistence Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
451 attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2 Forced Authentication T1187 credential_access Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
452 attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023 SID-History Injection T1134.005 defense_evasion|privilege_escalation Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
453 attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166 Network Boundary Bridging T1599 defense_evasion Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.
454 attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0 Data Encrypted for Impact T1486 impact Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)
455 attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7 Subvert Trust Controls T1553 defense_evasion Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
456 attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0 Elevated Execution with Prompt T1548.004 privilege_escalation|defense_evasion Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.
457 attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d Firmware T1592.003 reconnaissance Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
458 attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118 Encrypted Channel T1573 command_and_control Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
459 attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec Authentication Package T1547.002 persistence|privilege_escalation Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
460 attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab Regsvr32 T1218.010 defense_evasion Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
461 attack-pattern--ba04e672-da86-4e69-aa15-0eca5db25f43 Exfiltration to Text Storage Sites T1567.003 exfiltration Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used by developers to share code and other information.
462 attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884 Software T1592.002 reconnaissance Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
463 attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2 Input Capture T1056 collection|credential_access Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).
464 attack-pattern--bb5e59c4-abe7-40c7-8196-e373cb1e5974 Spearphishing Voice T1566.004 initial_access Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
465 attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2 Exploits T1587.004 resource_development Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
466 attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3 Social Media T1593.001 reconnaissance Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
467 attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae Component Object Model Hijacking T1546.015 privilege_escalation|persistence Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry.
468 attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161 Credentials T1589.001 reconnaissance Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
469 attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00 Compromise Software Supply Chain T1195.002 initial_access Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
470 attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b Rename System Utilities T1036.003 defense_evasion Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
471 attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4 Bidirectional Communication T1102.002 command_and_control Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet.
472 attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63 Exploitation for Client Execution T1203 execution Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
473 attack-pattern--bed04f7d-e48a-4e76-bd0f-4c57fe31fc46 Wordlist Scanning T1595.003 reconnaissance Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).
474 attack-pattern--bef8aaee-961d-4359-a308-4c2182bcedff Spoof Security Alerting T1562.011 defense_evasion Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
475 attack-pattern--bf147104-abf9-4221-95d1-e81585859441 Outlook Home Page T1137.004 persistence Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
476 attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada Asymmetric Cryptography T1573.002 command_and_control Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
477 attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b Exfiltration to Cloud Storage T1567.002 exfiltration Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.
478 attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5 Lateral Tool Transfer T1570 lateral_movement Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.
479 attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b Path Interception by Unquoted Path T1574.009 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
480 attack-pattern--c071d8c1-3b3a-4f22-9407-ca4e96921069 Install Digital Certificate T1608.003 resource_development Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)
481 attack-pattern--c0dfe7b0-b873-4618-9ff8-53e31f70907f Startup Items T1037.005 persistence|privilege_escalation Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)
482 attack-pattern--c1b68a96-3c48-49ea-a6c0-9b27359f9c19 System Language Discovery T1614.001 discovery Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)
483 attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b Non-Application Layer Protocol T1095 command_and_control Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
484 attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916 Steganography T1027.003 defense_evasion Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
485 attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5 DNS Server T1584.002 resource_development Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
486 attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc Protocol Impersonation T1001.003 command_and_control Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.
487 attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896 Query Registry T1012 discovery Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
488 attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd Data Transfer Size Limits T1030 exfiltration An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
489 attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0 Web Session Cookie T1550.004 defense_evasion|lateral_movement Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
490 attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f Domain Accounts T1078.002 defense_evasion|persistence|privilege_escalation|initial_access Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
491 attack-pattern--c48a67ee-b657-45c1-91bf-6cdbe27205f8 Regsvcs/Regasm T1218.009 defense_evasion Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
492 attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839 Install Root Certificate T1553.004 defense_evasion Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
493 attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99 Network Logon Script T1037.003 persistence|privilege_escalation Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.
494 attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4 Endpoint Denial of Service T1499 impact Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
495 attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617 Compile After Delivery T1027.004 defense_evasion Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
496 attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979 System Location Discovery T1614 discovery
497 attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b VBA Stomping T1564.007 defense_evasion Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
498 attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7 BITS Jobs T1197 defense_evasion|persistence Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
499 attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96 MSBuild T1127.001 defense_evasion Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
500 attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada Impersonation T1656 defense_evasion Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.
501 attack-pattern--ca00366b-83a1-4c7b-a0ce-8ff950a7c87f Modify Cloud Compute Configurations T1578.005 defense_evasion Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
502 attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2 Domain Fronting T1090.004 command_and_control Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).
503 attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213 ARP Cache Poisoning T1557.002 credential_access|collection Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).
504 attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d Disable or Modify Cloud Logs T1562.008 defense_evasion An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
505 attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384 Security Software Discovery T1518.001 discovery Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
506 attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0 Hidden Window T1564.003 defense_evasion Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
507 attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1 Python T1059.006 execution Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
508 attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4 Identify Roles T1591.004 reconnaissance Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
509 attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f Data Encoding T1132 command_and_control Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.
510 attack-pattern--cc89ecbd-3d33-4a41-bcca-001e702d18fd AppInit DLLs T1546.010 privilege_escalation|persistence Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)
511 attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a Phishing for Information T1598 reconnaissance Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.
512 attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783 Resource Hijacking T1496 impact Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
513 attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8 Establish Accounts T1585 resource_development Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
514 attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1 Obtain Capabilities T1588 resource_development Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
515 attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf Screensaver T1546.002 privilege_escalation|persistence Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.
516 attack-pattern--ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae Conditional Access Policies T1556.009 credential_access|defense_evasion|persistence Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.
517 attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c Create Cloud Instance T1578.002 defense_evasion An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
518 attack-pattern--cfb525cc-5494-401d-a82b-2539ca46a561 Cloud Secrets Management Stores T1555.006 credential_access Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and HashiCorp Vault.
519 attack-pattern--cff94884-3b1c-4987-a70b-6d5643c621c3 Code Repositories T1213.003 collection Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
520 attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6 Transmitted Data Manipulation T1565.002 impact Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
521 attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4 /etc/passwd and /etc/shadow T1003.008 credential_access Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
522 attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584 Launch Agent T1543.001 persistence|privilege_escalation Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the <code>Label</code>, <code>ProgramArguments</code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
523 attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253 System Services T1569 execution Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution.
524 attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62 Windows Command Shell T1059.003 execution Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
525 attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591 Proc Memory T1055.009 defense_evasion|privilege_escalation Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.
526 attack-pattern--d21bb61f-08ad-4dc1-b001-81ca6cb79954 Acquire Access T1650 resource_development Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)
527 attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f Patch System Image T1601.001 defense_evasion Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.
528 attack-pattern--d273434a-448e-4598-8e14-607f4a0d5e27 Silver Ticket T1558.002 credential_access Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
529 attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416 Data from Information Repositories T1213 collection Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.
530 attack-pattern--d2c4e5ea-dbdf-4113-805a-b1e2a337fb33 Clear Persistence T1070.009 defense_evasion Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
531 attack-pattern--d336b553-5da9-46ca-98a8-0b23f49fb447 Windows Credential Manager T1555.004 credential_access Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
532 attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9 Hardware Additions T1200 initial_access Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
533 attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb Server Software Component T1505 persistence Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)
534 attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c Data Destruction T1485 impact Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
535 attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc Non-Standard Encoding T1132.002 command_and_control Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding)
536 attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605 Domain Controller Authentication T1556.001 credential_access|defense_evasion|persistence Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
537 attack-pattern--d4bdbdea-eaec-4071-b4f9-5105e12ea4b6 Transfer Data to Cloud Account T1537 exfiltration Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
538 attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb HTML Smuggling T1027.006 defense_evasion Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
539 attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48 Reversible Encryption T1556.005 credential_access|defense_evasion|persistence An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
540 attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377 Command Obfuscation T1027.010 defense_evasion Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
541 attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c File Deletion T1070.004 defense_evasion Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
542 attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6 Drive-by Compromise T1189 initial_access Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).
543 attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab Network Denial of Service T1498 impact Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
544 attack-pattern--d94b3ae9-8059-4989-8e9f-ea0f601f80a7 Cloud Administration Command T1651 execution Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
545 attack-pattern--da051493-ae9c-4b1b-9760-c009c46c9b56 Installer Packages T1546.016 privilege_escalation|persistence Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
546 attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120 Scanning IP Blocks T1595.001 reconnaissance Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
547 attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534 Template Injection T1221 defense_evasion Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives comprised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
548 attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211 RC Scripts T1037.004 persistence|privilege_escalation Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
549 attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48 Access Token Manipulation T1134 defense_evasion|privilege_escalation Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
550 attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49 Multi-Factor Authentication Interception T1111 credential_access Adversaries may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.
551 attack-pattern--deb98323-e13f-4b0c-8d94-175379069062 Software Packing T1027.002 defense_evasion Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
552 attack-pattern--df1bc34d-1634-4c93-b89e-8120994fce77 Serverless T1584.007 resource_development Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
553 attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161 Web Protocols T1071.001 command_and_control Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
554 attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67 Visual Basic T1059.005 execution Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
555 attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04 Hidden File System T1564.005 defense_evasion Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
556 attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b Systemd Service T1543.002 persistence|privilege_escalation Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
557 attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c RDP Hijacking T1563.002 lateral_movement Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
558 attack-pattern--e01be9c5-e763-4caf-aeb7-000b416aef67 Create Account T1136 persistence Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
559 attack-pattern--e0232cb0-ded5-4c2e-9dc7-2893142a5c11 XDG Autostart Entries T1547.013 persistence|privilege_escalation Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)
560 attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5 Server T1584.004 resource_development Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.
561 attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db Cloud Service Discovery T1526 discovery An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
562 attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735 Remote System Discovery T1018 discovery Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039).
563 attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88 Network Service Discovery T1046 discovery Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
564 attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d Domain Properties T1590.001 reconnaissance Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.
565 attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58 Software Discovery T1518 discovery Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
566 attack-pattern--e49920b0-6c54-40c1-9571-73723653205f Cloud Service Dashboard T1538 discovery An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
567 attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744 Thread Local Storage T1055.005 defense_evasion|privilege_escalation Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
568 attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391 Debugger Evasion T1622 defense_evasion|discovery Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)
569 attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86 Space after Filename T1036.006 defense_evasion Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
570 attack-pattern--e5cc9e7a-e61a-46a1-b869-55fb6eab058e Re-opened Applications T1547.007 persistence|privilege_escalation Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
571 attack-pattern--e5d550f3-2202-4634-85f2-4a200a1d49b3 SEO Poisoning T1608.006 resource_development Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
572 attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e Pass the Hash T1550.002 defense_evasion|lateral_movement Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
573 attack-pattern--e6415f09-df0e-48de-9aba-928c902b7549 Exfiltration Over Physical Medium T1052 exfiltration Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
574 attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b DLL Side-Loading T1574.002 persistence|privilege_escalation|defense_evasion Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
575 attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add Ingress Tool Transfer T1105 command_and_control Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).
576 attack-pattern--e6f19759-dde3-47fc-99cc-d9f5fa4ade60 SyncAppvPublishingServer T1216.002 defense_evasion Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv)
577 attack-pattern--e74de37c-a829-446c-937d-56a44f0e9306 Additional Email Delegate Permissions T1098.002 persistence|privilege_escalation Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.
578 attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15 Code Signing Certificates T1588.003 resource_development Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
579 attack-pattern--e848506b-8484-4410-8017-3d235a52f5b3 Serverless Execution T1648 execution Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.
580 attack-pattern--e8a0a025-3601-4755-abfb-8d08283329fb TCC Manipulation T1548.006 defense_evasion|privilege_escalation Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to execute malicious applications with elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
581 attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f Ptrace System Calls T1055.008 defense_evasion|privilege_escalation Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.
582 attack-pattern--ea071aa0-8f17-416f-ab0d-2bab7e79003d Power Settings T1653 persistence Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
583 attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4 Dynamic API Resolution T1027.007 defense_evasion Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
584 attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf Remote Desktop Protocol T1021.001 lateral_movement Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
585 attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3 Logon Script (Windows) T1037.001 persistence|privilege_escalation Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)
586 attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99 ListPlanting T1055.015 defense_evasion|privilege_escalation Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
587 attack-pattern--eb897572-8979-4242-a089-56f294f4c91d Hide Infrastructure T1665 command_and_control Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.
588 attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d Domain or Tenant Policy Modification T1484 defense_evasion|privilege_escalation Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.
589 attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3 XSL Script Processing T1220 defense_evasion Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
590 attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f Scan Databases T1596.005 reconnaissance Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
591 attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d Hidden Files and Directories T1564.001 defense_evasion Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS).
592 attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1 Create Snapshot T1578.001 defense_evasion An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
593 attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867 Determine Physical Locations T1591.001 reconnaissance Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
594 attack-pattern--ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a Office Test T1137.002 persistence Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
595 attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf Develop Capabilities T1587 resource_development Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
596 attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24 NTDS T1003.003 credential_access Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
597 attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5 SNMP (MIB Dump) T1602.001 collection Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).
598 attack-pattern--eec23884-3fa1-4d8a-ac50-6f104d51e235 Steganography T1001.002 command_and_control Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
599 attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9 Malicious Link T1204.001 execution An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).
600 attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51 Application Access Token T1550.001 defense_evasion|lateral_movement Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
601 attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4 LSASS Driver T1547.008 persistence|privilege_escalation Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
602 attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4 Service Execution T1569.002 execution Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).
603 attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 Cloud Accounts T1078.004 defense_evasion|persistence|privilege_escalation|initial_access Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
604 attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995 Environmental Keying T1480.001 defense_evasion Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)
605 attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433 Fallback Channels T1008 command_and_control Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
606 attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5 NTFS File Attributes T1564.004 defense_evasion Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
607 attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee Kerberoasting T1558.003 credential_access Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015)
608 attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163 DCSync T1003.006 credential_access Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
609 attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077 System Time Discovery T1124 discovery An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
610 attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0 At T1053.002 execution|persistence|privilege_escalation Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and that the user be logged on as a member of the local Administrators group.
611 attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945 Dynamic-link Library Injection T1055.001 defense_evasion|privilege_escalation Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
612 attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636 Exploits T1588.005 resource_development Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
613 attack-pattern--f4c1826f-a322-41cd-9557-562100848c84 Modify Authentication Process T1556 credential_access|defense_evasion|persistence Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authority Subsystem Service (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
614 attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6 Credential API Hooking T1056.004 collection|credential_access Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
615 attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89 Firmware Corruption T1495 impact Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.
616 attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a Inhibit System Recovery T1490 impact Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
617 attack-pattern--f63fe421-b1d1-45c0-b8a7-02cd16ff2bed Netsh Helper DLL T1546.007 privilege_escalation|persistence Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>.
618 attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317 Spearphishing via Service T1566.003 initial_access Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
619 attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755 Internal Proxy T1090.001 command_and_control Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
620 attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe System Script Proxy Execution T1216 defense_evasion Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)
621 attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7 Dead Drop Resolver T1102.001 command_and_control Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
622 attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade Junk Data T1001.001 command_and_control Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.
623 attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6 Spearphishing Service T1598.001 reconnaissance Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
624 attack-pattern--f8ef3a62-3f44-40a4-abca-761ab235c436 Container API T1552.007 credential_access Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)
625 attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba Domains T1584.001 resource_development Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
626 attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a SQL Stored Procedures T1505.001 persistence Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).
627 attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd Network Device Authentication T1556.004 credential_access|defense_evasion|persistence Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
628 attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac Disk Content Wipe T1561.001 impact Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
629 attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 exfiltration Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)
630 attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490 Dylib Hijacking T1574.004 persistence|privilege_escalation|defense_evasion Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
631 attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d Downgrade System Image T1601.002 defense_evasion Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)
632 attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2 Local Accounts T1078.003 defense_evasion|persistence|privilege_escalation|initial_access Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
633 attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b Exploitation for Defense Evasion T1211 defense_evasion Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
634 attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b Trusted Developer Utilities Proxy Execution T1127 defense_evasion Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
635 attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc System Shutdown/Reboot T1529 impact Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. <code>reload</code>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
636 attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407 MMC T1218.014 defense_evasion Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)
637 attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1 Process Argument Spoofing T1564.010 defense_evasion Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
638 attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335 COR_PROFILER T1574.012 persistence|privilege_escalation|defense_evasion Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)

@ -0,0 +1,859 @@
# Application-level permissions
[]
access = read : [ * ], write : [ power ]
### EVENT TYPES
[eventtypes]
export = system
### PROPS
[props]
export = system
### TRANSFORMS
[transforms]
export = system
### LOOKUPS
[lookups]
export = system
### VIEWSTATES: even normal users should be able to create shared viewstates
[viewstates]
access = read : [ * ], write : [ * ]
export = system
### Merged from local.meta
[app/install/install_source_checksum]
version = 9.2.1
modtime = 1720713316.788815000
[macros/sandfly_search]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 8.2.4
modtime = 1663868543.893133000
[macros/sandfly_search_alarms]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 8.2.4
modtime = 1663868555.663400000
[macros/sandfly_search_all]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724740.158161000
[savedsearches/SSH%20Keys%20-%20Hosts%20with%20Immutable%20authorized_keys%20File]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666411166.103541000
[savedsearches/SSH%20Keys%20-%20Number%20of%20Hosts%20with%20SSH%20Key]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666411166.118178000
[savedsearches/SSH%20Keys%20-%20User%20Names%20Associated%20with%20SSH%20Key]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666411166.117641000
[savedsearches/Host%20with%20Immutable%20authorized_keys%20File]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666411278.473326000
[savedsearches/SSH%20Keys%20-%20authorized_keys%20File%20Last%20Accessed]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666411166.158629000
[savedsearches/SSH%20Keys%20-%20authorized_keys%20File%20Accessed%20Today]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666555833.747574000
[savedsearches/SSH%20Keys%20-%20authorized_keys%20File%20Modified%20Today]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666411166.157267000
[savedsearches/SSH%20Keys%20-%20authorized_keys%20File%20Created%20Today]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666411166.119154000
[savedsearches/SSH%20Keys%20-%20authorized_keys%20File%20Created%20Last%2024%20Hours]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666556352.053036000
[savedsearches/SSH%20Keys%20-%20authorized_keys%20File%20Created%20Last%2048%20Hours]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666556352.053602000
[savedsearches/SSH%20Keys%20-%20authorized_keys%20File%20Created%20Last%2072%20Hours]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666556352.054306000
[savedsearches/SSH%20Keys%20-%20authorized_keys%20File%20Created%20Last%207%20Days]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1666556352.031136000
[macros/sandfly_search_sshkeys]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 8.2.4
modtime = 1667793463.018565000
[views/sandfly_security__ssh_authorized_keys_file_report]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1722377597.474483000
[views/sandfly_security__ssh_authorized_keys_file_created]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1722377020.526258000
[savedsearches/SSH%20Hunter%20-%20Keys%20Last%20Seen%20Report]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1668380524.918861000
[savedsearches/SSH%20Hunter%20-%20Keys%20First%20Seen%20This%20Week]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1668837847.074182000
[savedsearches/SSH%20Hunter%20-%20Keys%20First%20Seen%20Today]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1668837814.726082000
[views/ssh_hunter__key_investigation]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1722526547.156539000
[views/ssh_hunter__key_summary]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1722526584.308831000
[views/ssh_hunter__key_details]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1722022787.722940000
[views/ssh_hunter__user_investigation]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1668380547.435677000
[views/ssh_hunter__user_summary]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1669955805.814088000
[views/ssh_hunter__host_investigation]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1724167087.901061000
[views/ssh_hunter__host_summary]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1722451034.473814000
[macros/sandfly_search_sandflies]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724669.517221000
[savedsearches/Sandflies%20to%20Lookup%20File]
export = none
owner = nobody
version = 9.2.1
modtime = 1692149513.664108000
[savedsearches/Sandfly%20Hosts%20to%20Asset%20Lookup]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1669078115.878208000
[savedsearches/Sandfly%20Hosts%20to%20Hosts%20Lookup]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 8.2.4
modtime = 1669078115.865452000
[macros/sandfly_search_ssh_hunter]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724800.727439000
[macros/sandfly_search_hosts]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724822.363216000
[macros/sandfly_search_hosts_details]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724835.200972000
[macros/sandfly_search_hosts_summary]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724856.168139000
[views/sandfly_security__hosts]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1723748587.026413000
[views/sandfly_security_daily_snapshot]
version = 9.2.1
modtime = 1723760263.954430000
[views/sandfly_security__host_details]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1724358696.090953000
[views/sandfly_security_sandfly_investigation]
version = 9.2.1
modtime = 1722376492.055276000
[savedsearches/Count%20of%20Sandflies]
version = 9.2.1
modtime = 1692149025.799528000
[savedsearches/Events%20by%20Host%20with%20Description]
version = 9.2.1
modtime = 1692149080.269226000
[savedsearches/Top%2010%20Sandflies%20over%20Time%20Range]
version = 9.2.1
modtime = 1692149130.629711000
[macros/sandfly_search_audit]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724515.837008000
[macros/sandfly_search_errors]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724545.315803000
[macros/sandfly_search_errors_detailed]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724620.073445000
[macros/sandfly_search_errors_summary]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1720724660.723474000
[savedsearches/Sandfly%20TA%20Internal%20Errors]
version = 9.2.1
modtime = 1720725613.350340000
[savedsearches/Sandfly%20TA%20Internal%20Logs]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1720725744.336042000
[savedsearches/Inactive%20Hosts%20Report]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1723752786.976985000
[views/audit_logs_overview]
owner = nobody
version = 9.2.1
modtime = 1722441028.614437000
[views/audit_logs_authentication]
owner = nobody
version = 9.2.1
modtime = 1720736710.674339000
[savedsearches/Audit%20Log%20Authentication%20Events]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1720736816.447209000
[views/audit_logs_user_accounts]
owner = nobody
version = 9.2.1
modtime = 1720800779.343723000
[views/audit_logs_license_errors]
owner = nobody
version = 9.2.1
modtime = 1720815873.896914000
[views/audit_logs_system_changes]
owner = nobody
version = 9.2.1
modtime = 1720808660.726981000
[views/error_logs_overview]
owner = nobody
version = 9.2.1
modtime = 1722528326.063782000
[savedsearches/Scanning%20Error%20Log%20Alert]
owner = nobody
version = 9.2.1
modtime = 1721054313.619636000
[savedsearches/Username%20root%20UID%20But%20Not%20Root]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721074537.237468000
[savedsearches/Logins%20by%20Username]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721077085.325903000
[savedsearches/Usernames%20with%20SSH%20Authorized%20Keys%20Present]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721081594.147755000
[savedsearches/Usernames%20with%20Password%20Hash%20Present]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721082097.951888000
[savedsearches/Usernames%20with%20Blank%20Password%20Fields]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721082418.335550000
[savedsearches/Usernames%20Valid%20Logins%20From%20Hostname]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721142115.862382000
[savedsearches/Usernames%20Valid%20Logins%20by%20Username]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721142263.438629000
[savedsearches/Usernames%20Valid%20Logins%20Against%20Hostname]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721142530.589625000
[savedsearches/Usernames%20Present%20on%20Host]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721142941.358842000
[savedsearches/Usernames%20Bad%20Logins%20From%20Hostname]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721143384.103557000
[savedsearches/Usernames%20Bad%20Logins%20By%20Username]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721143582.953626000
[savedsearches/Usernames%20Bad%20Logins%20Against%20Hostname]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721143842.124444000
[savedsearches/Username%20Password%20Hash%20Types]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721144231.447325000
[savedsearches/Username%20Login%20Shells%20In%20Use]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721144546.563169000
[savedsearches/Username%20Logged%20In]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721144868.477988000
[savedsearches/User%20Successful%20Logins%20Over%20Time]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721145781.308448000
[savedsearches/User%20Failed%20Logins%20Over%20Time]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721146000.052938000
[savedsearches/Processes%20With%20Network%20Ports%20Operating]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721149934.812594000
[savedsearches/Processes%20With%20Network%20Ports%20Listening]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721150114.077526000
[savedsearches/Operating%20System%20Uptime%20in%20Days]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721151096.984856000
[savedsearches/Operating%20System%20Product%20Name]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721151388.742200000
[savedsearches/Operating%20System%20Machine%20Type]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721151533.367079000
[savedsearches/Operating%20System%20Linux%20Version]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721151763.234463000
[savedsearches/Operating%20System%20Linux%20Kernel%20Release%20Version]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721151867.053366000
[savedsearches/Operating%20System%20CPU%20Model%20Name]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721152608.509242000
[savedsearches/Operating%20System%20CPU%20Architecture]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721152753.521619000
[savedsearches/Operating%20System%20Bogo%20MIPS%20Rating]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721152845.355625000
[savedsearches/Operating%20System%20BIOS%20Version]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721152947.820249000
[savedsearches/Operating%20System%20BIOS%20Vendor]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721153051.788915000
[savedsearches/At%20Jobs%20by%20Username]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721153315.704571000
[savedsearches/Crontabs%20by%20Username]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721153492.809842000
[savedsearches/Intrusion%20Detection%20High%20Entropy%20Process]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721154503.410490000
[savedsearches/Intrusion%20Detection%20Immutable%20Process%20Binary%20Running]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721154424.289641000
[savedsearches/Intrusion%20Detection%20Process%20Running%20As%20Sniffer]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721155143.795218000
[savedsearches/Intrusion%20Detection%20Process%20Running%20From%20%2Fdev%2Fshm]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721155389.722476000
[savedsearches/Intrusion%20Detection%20Process%20Running%20from%20Public%20HTML%20Directory]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721155552.766450000
[savedsearches/Intrusion%20Detection%20Process%20Running%20From%20Temp%20Directory]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721155771.683697000
[savedsearches/SSH%20Hunter%20-%20Banned%20Keys%20Report]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721945726.836922000
[savedsearches/SSH%20Hunter%20-%20Banned%20Keys%20Details]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721940986.778346000
[savedsearches/SSH%20Hunter%20-%20Banned%20Keys%20by%20Host%20Report]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721946360.769218000
[savedsearches/SSH%20Hunter%20-%20Banned%20Keys%20by%20User%20Report]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721946456.897810000
[savedsearches/SSH%20Hunter%20-%20Banned%20Keys%20by%20Zone%20Report]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1721947566.898704000
[savedsearches/SSH%20Hunter%20-%20Banned%20Keys%20Daily%20Report]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1722011045.291943000
[views/ssh_hunter_-_security_zones]
owner = nobody
version = 9.2.1
modtime = 1722031458.567988000
[views/ssh_hunter_-_security_zone_details]
owner = nobody
version = 9.2.1
modtime = 1722452068.254255000
[views/sandfly_security_sourcetype_review]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1724163918.664172000
[views/sandfly_security_host_alerts]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.3
modtime = 1727368161.614105000
[savedsearches/Active%20Hosts%20Report%20by%20Last%20Scan%20Date]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1723754281.390676000
[savedsearches/Hosts%20Last%20Scan%20Greater%20Than%2024%20Hours%20Ago]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1723759923.368009000
[savedsearches/Hosts%20Last%20Scan%20Older%20Than%20Last%20Seen]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1723759896.576359000
[savedsearches/Sandfly%20Server%20-%20Logins%20by%20Username]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1723821810.702111000
[views/sandfly_security_whitelist_rules]
owner = nobody
version = 9.2.1
modtime = 1724187331.114265000
[macros/sandfly_search_whitelist]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.1
modtime = 1723837205.931642000
[views/sandfly_security_whitelist_rule_details]
owner = nobody
version = 9.2.1
modtime = 1724351847.316159000
[views/sandfly_security__hosts_by_tags]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.1
modtime = 1724356422.833660000
[lookups/mitre_tactics.csv]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.3
modtime = 1727367845.229674000
[lookups/mitre_techniques.csv]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 9.2.3
modtime = 1727367838.720058000
[views/mitre_attack_tactics_and_techniques]
owner = nobody
version = 9.2.3
modtime = 1727377670.275815000
[views/mitre_attack_techniques_sandflies]
owner = nobody
version = 9.2.3
modtime = 1727388495.516773000
[views/mitre_attack_techniques_detection]
owner = nobody
version = 9.2.3
modtime = 1727388420.662988000
[views/mitre_attck_tactics_detection]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.3
modtime = 1727376998.774484000
[views/mitre_attck_tactics_sandflies]
access = read : [ * ], write : [ power ]
export = none
owner = nobody
version = 9.2.3
modtime = 1727377025.394058000
[macros/sandfly_search_drift]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 10.0.1
modtime = 1762895535.776022000
[views/sandfly_security_-_drift_detection]
owner = nobody
version = 10.0.1
modtime = 1770752614.930217000
[macros/sandfly_search_results_whitelisted]
access = read : [ * ], write : [ power ]
export = system
owner = nobody
version = 10.0.1
modtime = 1770750334.883648000
[views/sandfly_security_-_whitelisted_results]
owner = nobody
version = 10.0.1
modtime = 1770752563.562543000
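Review bot: Object permissions are not spelled out consistently across this metadata file: `[savedsearches/Sandflies%20to%20Lookup%20File]`, `[views/sandfly_security_daily_snapshot]`, `[savedsearches/Count%20of%20Sandflies]`, the `[views/audit_logs_*]` group and the `[views/mitre_attack_*]` group carry only `owner`/`version`/`modtime`, while the neighbouring stanzas set `access = read : [ * ], write : [ power ]`, `export = none` and `owner = nobody` explicitly. The bare stanzas presumably inherit from the `[]` stanza at the top of the file, but anyone auditing who can edit these saved searches and dashboards then has to know that inheritance rule rather than read it off the file; giving every object the same three explicit lines makes the effective permissions reviewable on their own. The `version`/`modtime` pairs look like instance bookkeeping carried over from local.meta (as the `### Merged from local.meta` comment suggests) and add nothing in a shipped default.meta, so dropping them would also stop the file churning on every save. If the three-line hunk that follows this one is a packaged `local.meta`, it should not ship with the app, since Splunk's packaging guidance is to distribute only default.meta and let the target instance own its local overrides.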

@ -0,0 +1,3 @@
[app/install/install_source_checksum]
version = 10.0.2
modtime = 1770934926.495012000

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.

