{
"name": "Tool",
"authors": [
"MITRE"
],
"type": "mitre-tool",
"description": "Name of ATT&CK software",
"source": "https://github.com/mitre/cti",
"version": 4,
"values": [
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
],
"synonyms": [
"at",
"at.exe"
],
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952"
},
"value": "at",
"description": "at is used to schedule tasks on a system to run at a specified date or time.[[Citation: TechNet At]]\n\nAliases: at, at.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
],
"synonyms": [
"route",
"route.exe"
],
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de"
},
"value": "route",
"description": "route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"value": "Tasklist",
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
"http://www.ampliasecurity.com/research/wcefaq.html"
],
"synonyms": [
"Windows Credential Editor",
"WCE"
],
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
"value": "Windows Credential Editor",
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
],
"synonyms": [
"schtasks",
"schtasks.exe"
],
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
},
"value": "schtasks",
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
},
"value": "UACMe",
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
},
"value": "ifconfig",
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
"https://adsecurity.org/?page%20id=1821",
"https://github.com/gentilkiwi/mimikatz"
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"value": "Mimikatz",
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
},
"value": "xCmd",
"description": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"synonyms": [
"systeminfo.exe",
"Systeminfo"
],
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"value": "Systeminfo",
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: systeminfo.exe, Systeminfo"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
],
"synonyms": [
"netsh",
"netsh.exe"
],
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
"value": "netsh",
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
],
"synonyms": [
"dsquery",
"dsquery.exe"
],
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe"
},
"value": "dsquery",
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
"http://www.truesec.com/Tools/Tool/gsecdump%20v2.0b5"
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
"value": "gsecdump",
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"synonyms": [
"ping.exe",
"Ping"
],
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
},
"value": "Ping",
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: ping.exe, Ping"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe"
},
"value": "Fgdump",
"description": "Fgdump is a Windows password hash dumper.[[Citation: Mandiant APT1]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
},
"value": "Lslsass",
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
},
"value": "Pass-The-Hash Toolkit",
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
"https://en.wikipedia.org/wiki/File%20Transfer%20Protocol"
],
"synonyms": [
"FTP",
"ftp.exe"
],
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
},
"value": "FTP",
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"synonyms": [
"ipconfig",
"ipconfig.exe"
],
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"value": "ipconfig",
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0160",
"https://technet.microsoft.com/library/cc732443.aspx"
],
"synonyms": [
"certutil",
"certutil.exe"
],
"uuid": "3e205e84-9f90-4b4b-8896-c82189936a15"
},
"value": "certutil",
"description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.[[Citation: TechNet Certutil]]\n\nAliases: certutil, certutil.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
],
"synonyms": [
"nbtstat",
"nbtstat.exe"
],
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea"
},
"value": "nbtstat",
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
],
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
},
"value": "HTRAN",
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"synonyms": [
"netstat",
"netstat.exe"
],
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"value": "netstat",
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
},
"value": "pwdump",
"description": "pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
},
"value": "Cachedump",
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry.[[Citation: Mandiant APT1]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914",
"http://windowsitpro.com/windows/netexe-reference"
],
"synonyms": [
"Net",
"net.exe"
],
"uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"value": "Net",
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"value": "PsExec",
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
],
"synonyms": [
"Arp",
"arp.exe"
],
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252"
},
"value": "Arp",
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache.[[Citation: TechNet Arp]]\n\nAliases: Arp, arp.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
"https://technet.microsoft.com/en-us/library/cc755121.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx",
"https://technet.microsoft.com/en-us/library/bb490880.aspx"
],
"synonyms": [
"cmd",
"cmd.exe"
],
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
"value": "cmd",
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe"
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0154",
"https://cobaltstrike.com/downloads/csmanual38.pdf"
],
"uuid": "3da22160-12d9-4d27-a99f-338e8de3844a"
},
"value": "Cobalt Strike",
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[[Citation: cobaltstrike manual]]\n\nThe list of techniques below focuses on Cobalt Strike’s ATT&CK-relevant tactics."
},
{
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://technet.microsoft.com/en-us/library/cc732643.aspx"
],
"synonyms": [
"Reg",
"reg.exe"
],
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
"value": "Reg",
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe"
}
],
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0"
}