
🚀 MITRE ATT&CK module update

On October 31, 2023, the new version 14 of MITRE ATT&CK was released. We have already implemented the changes in our universal Smart Monitor platform; in particular, the update affected the MITRE ATT&CK module. In this article we want to share the details of the release.

✅ Version 14 of Enterprise MITRE ATT&CK adds 18 new techniques and updates more than 100 existing techniques

New techniques
  • Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (v1.0)
  • Account Manipulation: Additional Container Cluster Roles (v1.0)
  • Content Injection (v1.0)
  • Credentials from Password Stores: Cloud Secrets Management Stores (v1.0)
  • Exfiltration Over Web Service: Exfiltration Over Webhook (v1.0)
  • Financial Theft (v1.0)
  • Hide Artifacts: Ignore Process Interrupts (v1.0)
  • Impair Defenses: Disable or Modify Linux Audit System (v1.0)
  • Impersonation (v1.0)
  • Log Enumeration (v1.0)
  • Masquerading: Break Process Trees (v1.0)
  • Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations (v1.0)
  • Obfuscated Files or Information: LNK Icon Smuggling (v1.0)
  • Phishing: Spearphishing Voice (v1.0)
  • Phishing for Information: Spearphishing Voice (v1.0)
  • Power Settings (v1.0)
  • Remote Services: Direct Cloud VM Connections (v1.0)
  • System Network Configuration Discovery: Wi-Fi Discovery (v1.0)
Major version changes
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (v1.2→v2.0)
  • Impair Defenses: Disable or Modify Cloud Logs (v1.3→v2.0)
Minor version changes
  • Abuse Elevation Control Mechanism (v1.1→v1.2)
  • Access Token Manipulation: Token Impersonation/Theft (v1.1→v1.2)
  • Account Manipulation (v2.5→v2.6)
  • Additional Cloud Credentials (v2.5→v2.6)
  • Additional Cloud Roles (v2.2→v2.3)
  • Additional Email Delegate Permissions (v2.0→v2.1)
  • Device Registration (v1.1→v1.2)
  • SSH Authorized Keys (v1.2→v1.3)
  • Acquire Infrastructure (v1.2→v1.3)
  • Adversary-in-the-Middle (v2.2→v2.3)
  • Application Layer Protocol: File Transfer Protocols (v1.0→v1.1)
  • Application Layer Protocol: Web Protocols (v1.1→v1.2)
  • Archive Collected Data: Archive via Utility (v1.2→v1.3)
  • Boot or Logon Autostart Execution: Print Processors (v1.0→v1.1)
  • Boot or Logon Autostart Execution: Winlogon Helper DLL (v1.0→v1.1)
  • Boot or Logon Autostart Execution: XDG Autostart Entries (v1.0→v1.1)
  • Boot or Logon Initialization Scripts (v2.1→v2.2)
  • Brute Force: Credential Stuffing (v1.3→v1.4)
  • Brute Force: Password Guessing (v1.4→v1.5)
  • Brute Force: Password Spraying (v1.3→v1.4)
  • Cloud Service Dashboard (v1.1→v1.2)
  • Command and Scripting Interpreter: Windows Command Shell (v1.2→v1.3)
  • Compromise Client Software Binary (v1.0→v1.1)
  • Compromise Infrastructure (v1.3→v1.4)
  • Create Account (v2.3→v2.4)
  • Cloud Account (v1.3→v1.4)
  • Domain Account (v1.0→v1.1)
  • Local Account (v1.2→v1.3)
  • Create or Modify System Process: Systemd Service (v1.3→v1.4)
  • Create or Modify System Process: Windows Service (v1.3→v1.4)
  • Credentials from Password Stores (v1.0→v1.1)
  • Data Destruction (v1.1→v1.2)
  • Data from Cloud Storage (v2.0→v2.1)
  • Data from Network Shared Drive (v1.3→v1.4)
  • Deobfuscate/Decode Files or Information (v1.2→v1.3)
  • Direct Volume Access (v2.0→v2.1)
  • Email Collection (v2.4→v2.5)
  • Remote Email Collection (v1.1→v1.2)
  • Event Triggered Execution: Screensaver (v1.1→v1.2)
  • Exfiltration Over Other Network Medium (v1.1→v1.2)
  • Exfiltration Over Web Service (v1.2→v1.3)
  • Exfiltration to Cloud Storage (v1.1→v1.2)
  • Exfiltration to Code Repository (v1.0→v1.1)
  • Exploitation for Credential Access (v1.4→v1.5)
  • Exploitation for Defense Evasion (v1.3→v1.4)
  • File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (v1.1→v1.2)
  • Forced Authentication (v1.2→v1.3)
  • Forge Web Credentials (v1.3→v1.4)
  • Hide Artifacts: Email Hiding Rules (v1.2→v1.3)
  • Hijack Execution Flow: Path Interception by PATH Environment Variable (v1.0→v1.1)
  • Impair Defenses (v1.4→v1.5)
  • Disable Windows Event Logging (v1.2→v1.3)
  • Disable or Modify Tools (v1.4→v1.5)
  • Downgrade Attack (v1.1→v1.2)
  • Indicator Blocking (v1.2→v1.3)
  • Indicator Removal: Clear Network Connection History and Configurations (v1.0→v1.1)
  • Indicator Removal: Clear Windows Event Logs (v1.2→v1.3)
  • Ingress Tool Transfer (v2.2→v2.3)
  • Inhibit System Recovery (v1.2→v1.3)
  • Input Capture: Keylogging (v1.1→v1.2)
  • Inter-Process Communication: Dynamic Data Exchange (v1.2→v1.3)
  • Lateral Tool Transfer (v1.2→v1.3)
  • Masquerading (v1.5→v1.6)
  • Masquerade Task or Service (v1.1→v1.2)
  • Match Legitimate Name or Location (v1.1→v1.2)
  • Modify Authentication Process: Multi-Factor Authentication (v1.0→v1.1)
  • Modify Cloud Compute Infrastructure (v1.1→v1.2)
  • Modify Registry (v1.3→v1.4)
  • Native API (v2.1→v2.2)
  • Network Service Discovery (v3.0→v3.1)
  • Network Share Discovery (v3.1→v3.2)
  • Network Sniffing (v1.4→v1.5)
  • Non-Application Layer Protocol (v2.2→v2.3)
  • OS Credential Dumping: LSASS Memory (v1.2→v1.3)
  • OS Credential Dumping: NTDS (v1.1→v1.2)
  • OS Credential Dumping: Security Account Manager (v1.0→v1.1)
  • Obfuscated Files or Information (v1.4→v1.5)
  • Embedded Payloads (v1.0→v1.1)
  • HTML Smuggling (v1.0→v1.1)
  • Phishing (v2.3→v2.4)
  • Spearphishing Link (v2.4→v2.5)
  • Phishing for Information (v1.2→v1.3)
  • Spearphishing Link (v1.4→v1.5)
  • Process Discovery (v1.3→v1.4)
  • Process Injection: Dynamic-link Library Injection (v1.2→v1.3)
  • Process Injection: Process Hollowing (v1.2→v1.3)
  • Reflective Code Loading (v1.0→v1.1)
  • Remote Access Software (v2.1→v2.2)
  • Remote Service Session Hijacking: RDP Hijacking (v1.0→v1.1)
  • Remote Services (v1.3→v1.4)
  • Distributed Component Object Model (v1.2→v1.3)
  • Remote Desktop Protocol (v1.1→v1.2)
  • SMB/Windows Admin Shares (v1.1→v1.2)
  • SSH (v1.1→v1.2)
  • Windows Remote Management (v1.1→v1.2)
  • Remote System Discovery (v3.4→v3.5)
  • Resource Hijacking (v1.3→v1.4)
  • Scheduled Task/Job: At (v2.0→v2.1)
  • Scheduled Task/Job: Scheduled Task (v1.3→v1.4)
  • Scheduled Task/Job: Systemd Timers (v1.1→v1.2)
  • Shared Modules (v2.1→v2.2)
  • Software Deployment Tools (v2.1→v2.2)
  • Subvert Trust Controls: Install Root Certificate (v1.1→v1.2)
  • System Binary Proxy Execution: Rundll32 (v2.1→v2.2)
  • System Network Configuration Discovery (v1.5→v1.6)
  • System Owner/User Discovery (v1.4→v1.5)
  • System Services: Service Execution (v1.1→v1.2)
  • Taint Shared Content (v1.3→v1.4)
  • Trusted Developer Utilities Proxy Execution: MSBuild (v1.2→v1.3)
  • Unsecured Credentials: Credentials In Files (v1.1→v1.2)
  • Unsecured Credentials: Credentials in Registry (v1.0→v1.1)
  • Use Alternate Authentication Material: Pass the Hash (v1.1→v1.2)
  • Valid Accounts: Cloud Accounts (v1.5→v1.6)
  • Valid Accounts: Domain Accounts (v1.3→v1.4)
  • Valid Accounts: Local Accounts (v1.3→v1.4)
  • Windows Management Instrumentation (v1.3→v1.4)
Patches
  • Cloud Service Discovery (v1.3)
  • Event Triggered Execution: PowerShell Profile (v1.1)
  • Forge Web Credentials: SAML Tokens (v1.2)
  • Forge Web Credentials: Web Cookies (v1.1)
  • Masquerading: Masquerade File Type (v1.0)
  • Masquerading: Rename System Utilities (v1.1)
  • OS Credential Dumping: Cached Domain Credentials (v1.0)
  • Replication Through Removable Media (v1.2)
  • Steal Application Access Token (v1.2)
  • Steal Web Session Cookie (v1.2)
  • System Binary Proxy Execution: Compiled HTML File (v2.1)
  • Use Alternate Authentication Material: Application Access Token (v1.5)
  • Use Alternate Authentication Material: Web Session Cookie (v1.3)

✅ 14 new software entries added and more than 40 existing entries updated

New software
  • ANDROMEDA (v1.0)
  • AsyncRAT (v1.0)
  • BADHATCH (v1.0)
  • Disco (v1.0)
  • KOPILUWAK (v1.0)
  • NightClub (v1.0)
  • Pacu (v1.0)
  • QUIETCANARY (v1.0)
  • QUIETEXIT (v1.0)
  • RotaJakiro (v1.0)
  • Sardonic (v1.0)
  • SharpDisco (v1.0)
  • Snip3 (v1.0)
  • ngrok (v1.2)
Major version changes
  • OSX_OCEANLOTUS.D (v2.2→v3.0)
  • Uroburos (v1.0→v2.0)
Minor version changes
  • AdFind (v1.2→v1.3)
  • Agent Tesla (v1.2→v1.3)
  • Arp (v1.1→v1.2)
  • BITSAdmin (v1.3→v1.4)
  • BlackEnergy (v1.3→v1.4)
  • BloodHound (v1.4→v1.5)
  • Cobalt Strike (v1.10→v1.11)
  • Conti (v2.1→v2.2)
  • CrossRAT (v1.1→v1.2)
  • Dridex (v2.0→v2.1)
  • Emotet (v1.4→v1.5)
  • Empire (v1.6→v1.7)
  • Fysbis (v1.2→v1.3)
  • GoldMax (v2.1→v2.2)
  • Imminent Monitor (v1.0→v1.1)
  • Impacket (v1.4→v1.5)
  • KillDisk (v1.1→v1.2)
  • LaZagne (v1.4→v1.5)
  • Mimikatz (v1.7→v1.8)
  • NETWIRE (v1.5→v1.6)
  • Net (v2.4→v2.5)
  • Nltest (v1.1→v1.2)
  • OSX/Shlayer (v1.3→v1.4)
  • Ping (v1.3→v1.4)
  • PsExec (v1.4→v1.5)
  • Pupy (v1.2→v1.3)
  • Ragnar Locker (v1.1→v1.2)
  • Regin (v1.1→v1.2)
  • Revenge RAT (v1.1→v1.2)
  • Rubeus (v1.0→v1.1)
  • Ryuk (v1.3→v1.4)
  • TrickBot (v2.0→v2.1)
  • WarzoneRAT (v1.0→v1.1)
  • certutil (v1.3→v1.4)
  • esentutl (v1.2→v1.3)
  • jRAT (v2.1→v2.2)
  • netstat (v1.1→v1.2)
  • njRAT (v1.4→v1.5)
Patches
  • BlackCat (v1.0)
  • Calisto (v1.1)
  • Carbanak (v1.1)
  • Doki (v1.0)
  • Industroyer (v1.1)
  • LockerGoga (v2.0)
  • PUNCHBUGGY (v2.1)
  • PUNCHTRACK (v1.1)
  • PowerSploit (v1.6)

✅ 5 new groups added and 17 existing groups updated

New groups
  • FIN13 (v1.0)
  • MoustachedBouncer (v1.0)
  • Scattered Spider (v1.0)
  • TA2541 (v1.0)
  • Volt Typhoon (v1.0)
Major version changes
  • APT29 (v4.0→v5.0)
  • FIN7 (v2.2→v3.0)
  • FIN8 (v1.3→v2.0)
  • Indrik Spider (v2.1→v3.0)
  • Turla (v3.1→v4.0)
  • Wizard Spider (v2.1→v3.0)
Minor version changes
  • APT32 (v2.6→v2.7)
  • Confucius (v1.0→v1.1)
  • Dragonfly (v3.1→v3.2)
  • LAPSUS$ (v1.1→v1.2)
  • Magic Hound (v5.1→v5.2)
  • Sandworm Team (v3.0→v3.1)
  • SilverTerrier (v1.1→v1.2)
Patches
  • APT37 (v2.0)
  • Ajax Security Team (v1.0)
  • Darkhotel (v2.1)
  • Kimsuky (v3.1)

✅ 3 new campaigns added and 1 existing campaign updated

New campaigns
  • 2015 Ukraine Electric Power Attack (v1.0)
  • C0026 (v1.0)
  • C0027 (v1.0)

These updates allowed us to improve the module and provide a higher level of protection against the constantly changing methods and tactics of attackers. We also want to note that we do not rely on MITRE ATT&CK alone. We continuously follow current cybersecurity trends and develop the content of our modules to monitor relevant threats, regardless of when MITRE releases updates. Our goal is to provide maximum protection for our clients' data and information resources, so we are always ready for rapid change and adaptation to new threats.
If you are interested in the module, you can calculate a personalized price using our public calculator.