🚀 MITRE ATT&CK module update
On 31 October 2023 the new version 14 of MITRE ATT&CK was released. We have already implemented the changes in our universal Smart Monitor platform; in particular, the update affected the MITRE ATT&CK module. In this article we want to share the details of the release.
✅ Version 14 of Enterprise MITRE ATT&CK adds 18 new techniques and updates more than 100 existing techniques
New techniques
- Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (v1.0)
- Account Manipulation: Additional Container Cluster Roles (v1.0)
- Content Injection (v1.0)
- Credentials from Password Stores: Cloud Secrets Management Stores (v1.0)
- Exfiltration Over Web Service: Exfiltration Over Webhook (v1.0)
- Financial Theft (v1.0)
- Hide Artifacts: Ignore Process Interrupts (v1.0)
- Impair Defenses: Disable or Modify Linux Audit System (v1.0)
- Impersonation (v1.0)
- Log Enumeration (v1.0)
- Masquerading: Break Process Trees (v1.0)
- Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations (v1.0)
- Obfuscated Files or Information: LNK Icon Smuggling (v1.0)
- Phishing: Spearphishing Voice (v1.0)
- Phishing for Information: Spearphishing Voice (v1.0)
- Power Settings (v1.0)
- Remote Services: Direct Cloud VM Connections (v1.0)
- System Network Configuration Discovery: Wi-Fi Discovery (v1.0)
Major version changes
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (v1.2→v2.0)
- Impair Defenses: Disable or Modify Cloud Logs (v1.3→v2.0)
Minor version changes
- Abuse Elevation Control Mechanism (v1.1→v1.2)
- Access Token Manipulation: Token Impersonation/Theft (v1.1→v1.2)
- Account Manipulation (v2.5→v2.6)
- Additional Cloud Credentials (v2.5→v2.6)
- Additional Cloud Roles (v2.2→v2.3)
- Additional Email Delegate Permissions (v2.0→v2.1)
- Device Registration (v1.1→v1.2)
- SSH Authorized Keys (v1.2→v1.3)
- Acquire Infrastructure (v1.2→v1.3)
- Adversary-in-the-Middle (v2.2→v2.3)
- Application Layer Protocol: File Transfer Protocols (v1.0→v1.1)
- Application Layer Protocol: Web Protocols (v1.1→v1.2)
- Archive Collected Data: Archive via Utility (v1.2→v1.3)
- Boot or Logon Autostart Execution: Print Processors (v1.0→v1.1)
- Boot or Logon Autostart Execution: Winlogon Helper DLL (v1.0→v1.1)
- Boot or Logon Autostart Execution: XDG Autostart Entries (v1.0→v1.1)
- Boot or Logon Initialization Scripts (v2.1→v2.2)
- Brute Force: Credential Stuffing (v1.3→v1.4)
- Brute Force: Password Guessing (v1.4→v1.5)
- Brute Force: Password Spraying (v1.3→v1.4)
- Cloud Service Dashboard (v1.1→v1.2)
- Command and Scripting Interpreter: Windows Command Shell (v1.2→v1.3)
- Compromise Client Software Binary (v1.0→v1.1)
- Compromise Infrastructure (v1.3→v1.4)
- Create Account (v2.3→v2.4)
- Cloud Account (v1.3→v1.4)
- Domain Account (v1.0→v1.1)
- Local Account (v1.2→v1.3)
- Create or Modify System Process: Systemd Service (v1.3→v1.4)
- Create or Modify System Process: Windows Service (v1.3→v1.4)
- Credentials from Password Stores (v1.0→v1.1)
- Data Destruction (v1.1→v1.2)
- Data from Cloud Storage (v2.0→v2.1)
- Data from Network Shared Drive (v1.3→v1.4)
- Deobfuscate/Decode Files or Information (v1.2→v1.3)
- Direct Volume Access (v2.0→v2.1)
- Email Collection (v2.4→v2.5)
- Remote Email Collection (v1.1→v1.2)
- Event Triggered Execution: Screensaver (v1.1→v1.2)
- Exfiltration Over Other Network Medium (v1.1→v1.2)
- Exfiltration Over Web Service (v1.2→v1.3)
- Exfiltration to Cloud Storage (v1.1→v1.2)
- Exfiltration to Code Repository (v1.0→v1.1)
- Exploitation for Credential Access (v1.4→v1.5)
- Exploitation for Defense Evasion (v1.3→v1.4)
- File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (v1.1→v1.2)
- Forced Authentication (v1.2→v1.3)
- Forge Web Credentials (v1.3→v1.4)
- Hide Artifacts: Email Hiding Rules (v1.2→v1.3)
- Hijack Execution Flow: Path Interception by PATH Environment Variable (v1.0→v1.1)
- Impair Defenses (v1.4→v1.5)
- Disable Windows Event Logging (v1.2→v1.3)
- Disable or Modify Tools (v1.4→v1.5)
- Downgrade Attack (v1.1→v1.2)
- Indicator Blocking (v1.2→v1.3)
- Indicator Removal: Clear Network Connection History and Configurations (v1.0→v1.1)
- Indicator Removal: Clear Windows Event Logs (v1.2→v1.3)
- Ingress Tool Transfer (v2.2→v2.3)
- Inhibit System Recovery (v1.2→v1.3)
- Input Capture: Keylogging (v1.1→v1.2)
- Inter-Process Communication: Dynamic Data Exchange (v1.2→v1.3)
- Lateral Tool Transfer (v1.2→v1.3)
- Masquerading (v1.5→v1.6)
- Masquerade Task or Service (v1.1→v1.2)
- Match Legitimate Name or Location (v1.1→v1.2)
- Modify Authentication Process: Multi-Factor Authentication (v1.0→v1.1)
- Modify Cloud Compute Infrastructure (v1.1→v1.2)
- Modify Registry (v1.3→v1.4)
- Native API (v2.1→v2.2)
- Network Service Discovery (v3.0→v3.1)
- Network Share Discovery (v3.1→v3.2)
- Network Sniffing (v1.4→v1.5)
- Non-Application Layer Protocol (v2.2→v2.3)
- OS Credential Dumping: LSASS Memory (v1.2→v1.3)
- OS Credential Dumping: NTDS (v1.1→v1.2)
- OS Credential Dumping: Security Account Manager (v1.0→v1.1)
- Obfuscated Files or Information (v1.4→v1.5)
- Embedded Payloads (v1.0→v1.1)
- HTML Smuggling (v1.0→v1.1)
- Phishing (v2.3→v2.4)
- Spearphishing Link (v2.4→v2.5)
- Phishing for Information (v1.2→v1.3)
- Spearphishing Link (v1.4→v1.5)
- Process Discovery (v1.3→v1.4)
- Process Injection: Dynamic-link Library Injection (v1.2→v1.3)
- Process Injection: Process Hollowing (v1.2→v1.3)
- Reflective Code Loading (v1.0→v1.1)
- Remote Access Software (v2.1→v2.2)
- Remote Service Session Hijacking: RDP Hijacking (v1.0→v1.1)
- Remote Services (v1.3→v1.4)
- Distributed Component Object Model (v1.2→v1.3)
- Remote Desktop Protocol (v1.1→v1.2)
- SMB/Windows Admin Shares (v1.1→v1.2)
- SSH (v1.1→v1.2)
- Windows Remote Management (v1.1→v1.2)
- Remote System Discovery (v3.4→v3.5)
- Resource Hijacking (v1.3→v1.4)
- Scheduled Task/Job: At (v2.0→v2.1)
- Scheduled Task/Job: Scheduled Task (v1.3→v1.4)
- Scheduled Task/Job: Systemd Timers (v1.1→v1.2)
- Shared Modules (v2.1→v2.2)
- Software Deployment Tools (v2.1→v2.2)
- Subvert Trust Controls: Install Root Certificate (v1.1→v1.2)
- System Binary Proxy Execution: Rundll32 (v2.1→v2.2)
- System Network Configuration Discovery (v1.5→v1.6)
- System Owner/User Discovery (v1.4→v1.5)
- System Services: Service Execution (v1.1→v1.2)
- Taint Shared Content (v1.3→v1.4)
- Trusted Developer Utilities Proxy Execution: MSBuild (v1.2→v1.3)
- Unsecured Credentials: Credentials In Files (v1.1→v1.2)
- Unsecured Credentials: Credentials in Registry (v1.0→v1.1)
- Use Alternate Authentication Material: Pass the Hash (v1.1→v1.2)
- Valid Accounts: Cloud Accounts (v1.5→v1.6)
- Valid Accounts: Domain Accounts (v1.3→v1.4)
- Valid Accounts: Local Accounts (v1.3→v1.4)
- Windows Management Instrumentation (v1.3→v1.4)
Patches
- Cloud Service Discovery (v1.3)
- Event Triggered Execution: PowerShell Profile (v1.1)
- Forge Web Credentials: SAML Tokens (v1.2)
- Forge Web Credentials: Web Cookies (v1.1)
- Masquerading: Masquerade File Type (v1.0)
- Masquerading: Rename System Utilities (v1.1)
- OS Credential Dumping: Cached Domain Credentials (v1.0)
- Replication Through Removable Media (v1.2)
- Steal Application Access Token (v1.2)
- Steal Web Session Cookie (v1.2)
- System Binary Proxy Execution: Compiled HTML File (v2.1)
- Use Alternate Authentication Material: Application Access Token (v1.5)
- Use Alternate Authentication Material: Web Session Cookie (v1.3)
✅ 14 new software entries added and more than 40 existing entries updated
New software
- ANDROMEDA (v1.0)
- AsyncRAT (v1.0)
- BADHATCH (v1.0)
- Disco (v1.0)
- KOPILUWAK (v1.0)
- NightClub (v1.0)
- Pacu (v1.0)
- QUIETCANARY (v1.0)
- QUIETEXIT (v1.0)
- RotaJakiro (v1.0)
- Sardonic (v1.0)
- SharpDisco (v1.0)
- Snip3 (v1.0)
- ngrok (v1.2)
Major version changes
- OSX_OCEANLOTUS.D (v2.2→v3.0)
- Uroburos (v1.0→v2.0)
Minor version changes
- AdFind (v1.2→v1.3)
- Agent Tesla (v1.2→v1.3)
- Arp (v1.1→v1.2)
- BITSAdmin (v1.3→v1.4)
- BlackEnergy (v1.3→v1.4)
- BloodHound (v1.4→v1.5)
- Cobalt Strike (v1.10→v1.11)
- Conti (v2.1→v2.2)
- CrossRAT (v1.1→v1.2)
- Dridex (v2.0→v2.1)
- Emotet (v1.4→v1.5)
- Empire (v1.6→v1.7)
- Fysbis (v1.2→v1.3)
- GoldMax (v2.1→v2.2)
- Imminent Monitor (v1.0→v1.1)
- Impacket (v1.4→v1.5)
- KillDisk (v1.1→v1.2)
- LaZagne (v1.4→v1.5)
- Mimikatz (v1.7→v1.8)
- NETWIRE (v1.5→v1.6)
- Net (v2.4→v2.5)
- Nltest (v1.1→v1.2)
- OSX/Shlayer (v1.3→v1.4)
- Ping (v1.3→v1.4)
- PsExec (v1.4→v1.5)
- Pupy (v1.2→v1.3)
- Ragnar Locker (v1.1→v1.2)
- Regin (v1.1→v1.2)
- Revenge RAT (v1.1→v1.2)
- Rubeus (v1.0→v1.1)
- Ryuk (v1.3→v1.4)
- TrickBot (v2.0→v2.1)
- WarzoneRAT (v1.0→v1.1)
- certutil (v1.3→v1.4)
- esentutl (v1.2→v1.3)
- jRAT (v2.1→v2.2)
- netstat (v1.1→v1.2)
- njRAT (v1.4→v1.5)
Patches
- BlackCat (v1.0)
- Calisto (v1.1)
- Carbanak (v1.1)
- Doki (v1.0)
- Industroyer (v1.1)
- LockerGoga (v2.0)
- PUNCHBUGGY (v2.1)
- PUNCHTRACK (v1.1)
- PowerSploit (v1.6)
✅ 5 new groups added and 17 existing groups updated
New groups
- FIN13 (v1.0)
- MoustachedBouncer (v1.0)
- Scattered Spider (v1.0)
- TA2541 (v1.0)
- Volt Typhoon (v1.0)
Major version changes
- APT29 (v4.0→v5.0)
- FIN7 (v2.2→v3.0)
- FIN8 (v1.3→v2.0)
- Indrik Spider (v2.1→v3.0)
- Turla (v3.1→v4.0)
- Wizard Spider (v2.1→v3.0)
Minor version changes
- APT32 (v2.6→v2.7)
- Confucius (v1.0→v1.1)
- Dragonfly (v3.1→v3.2)
- LAPSUS$ (v1.1→v1.2)
- Magic Hound (v5.1→v5.2)
- Sandworm Team (v3.0→v3.1)
- SilverTerrier (v1.1→v1.2)
Patches
- APT37 (v2.0)
- Ajax Security Team (v1.0)
- Darkhotel (v2.1)
- Kimsuky (v3.1)
✅ 3 new campaigns added and 1 existing campaign updated
New campaigns
- 2015 Ukraine Electric Power Attack (v1.0)
- C0026 (v1.0)
- C0027 (v1.0)
Minor version changes
- Operation Dream Job (v1.0→v1.1)
These updates have allowed us to improve the module and provide a higher level of protection against the constantly changing methods and tactics of attackers. We would also like to note that we do not rely solely on MITRE ATT&CK. We continuously follow current cybersecurity trends and develop the content of our modules to cover relevant threats, regardless of when MITRE releases updates. Our goal is to ensure maximum protection of our customers' data and information resources, so we are always ready to change quickly and adapt to new threats.
If you are interested in the module, you can calculate a personalized price using our public calculator.