🚀 Обновление модуля MITRE ATT&CK

31 октября 2023 года была выпущена новая 14-я версия MITRE ATT&CK. Мы уже внедрили изменения в нашу универсальную платформу Smart Monitor. В частности, обновления затронули модуль MITRE ATT&CK. В этой статье хотим поделиться подробностями релиза.

Содержание

Техники
ПО
Группировки
Хакерские кампании

✅ В 14-й версии Enterprise MITRE ATT&CK добавлено 18 новых техник и обновлено более 100 существующих техник

Новые техники

Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (v1.0)
Account Manipulation: Additional Container Cluster Roles (v1.0)
Content Injection (v1.0)
Credentials from Password Stores: Cloud Secrets Management Stores (v1.0)
Exfiltration Over Web Service: Exfiltration Over Webhook (v1.0)
Financial Theft (v1.0)
Hide Artifacts: Ignore Process Interrupts (v1.0)
Impair Defenses: Disable or Modify Linux Audit System (v1.0)
Impersonation (v1.0)
Log Enumeration (v1.0)
Masquerading: Break Process Trees (v1.0)
Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations (v1.0)
Obfuscated Files or Information: LNK Icon Smuggling (v1.0)
Phishing: Spearphishing Voice (v1.0)
Phishing for Information: Spearphishing Voice (v1.0)
Power Settings (v1.0)
Remote Services: Direct Cloud VM Connections (v1.0)
System Network Configuration Discovery: Wi-Fi Discovery (v1.0)

Крупные изменения в версии

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (v1.2→v2.0)
Impair Defenses: Disable or Modify Cloud Logs (v1.3→v2.0)

Незначительные изменения в версии

Abuse Elevation Control Mechanism (v1.1→v1.2)
Access Token Manipulation: Token Impersonation/Theft (v1.1→v1.2)
Account Manipulation (v2.5→v2.6)
Additional Cloud Credentials (v2.5→v2.6)
Additional Cloud Roles (v2.2→v2.3)
Additional Email Delegate Permissions (v2.0→v2.1)
Device Registration (v1.1→v1.2)
SSH Authorized Keys (v1.2→v1.3)
Acquire Infrastructure (v1.2→v1.3)
Adversary-in-the-Middle (v2.2→v2.3)
Application Layer Protocol: File Transfer Protocols (v1.0→v1.1)
Application Layer Protocol: Web Protocols (v1.1→v1.2)
Archive Collected Data: Archive via Utility (v1.2→v1.3)
Boot or Logon Autostart Execution: Print Processors (v1.0→v1.1)
Boot or Logon Autostart Execution: Winlogon Helper DLL (v1.0→v1.1)
Boot or Logon Autostart Execution: XDG Autostart Entries (v1.0→v1.1)
Boot or Logon Initialization Scripts (v2.1→v2.2)
Brute Force: Credential Stuffing (v1.3→v1.4)
Brute Force: Password Guessing (v1.4→v1.5)
Brute Force: Password Spraying (v1.3→v1.4)
Cloud Service Dashboard (v1.1→v1.2)
Command and Scripting Interpreter: Windows Command Shell (v1.2→v1.3)
Compromise Client Software Binary (v1.0→v1.1)
Compromise Infrastructure (v1.3→v1.4)
Create Account (v2.3→v2.4)
Cloud Account (v1.3→v1.4)
Domain Account (v1.0→v1.1)
Local Account (v1.2→v1.3)
Create or Modify System Process: Systemd Service (v1.3→v1.4)
Create or Modify System Process: Windows Service (v1.3→v1.4)
Credentials from Password Stores (v1.0→v1.1)
Data Destruction (v1.1→v1.2)
Data from Cloud Storage (v2.0→v2.1)
Data from Network Shared Drive (v1.3→v1.4)
Deobfuscate/Decode Files or Information (v1.2→v1.3)
Direct Volume Access (v2.0→v2.1)
Email Collection (v2.4→v2.5)
Remote Email Collection (v1.1→v1.2)
Event Triggered Execution: Screensaver (v1.1→v1.2)
Exfiltration Over Other Network Medium (v1.1→v1.2)
Exfiltration Over Web Service (v1.2→v1.3)
Exfiltration to Cloud Storage (v1.1→v1.2)
Exfiltration to Code Repository (v1.0→v1.1)
Exploitation for Credential Access (v1.4→v1.5)
Exploitation for Defense Evasion (v1.3→v1.4)
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (v1.1→v1.2)
Forced Authentication (v1.2→v1.3)
Forge Web Credentials (v1.3→v1.4)
Hide Artifacts: Email Hiding Rules (v1.2→v1.3)
Hijack Execution Flow: Path Interception by PATH Environment Variable (v1.0→v1.1)
Impair Defenses (v1.4→v1.5)
Disable Windows Event Logging (v1.2→v1.3)
Disable or Modify Tools (v1.4→v1.5)
Downgrade Attack (v1.1→v1.2)
Indicator Blocking (v1.2→v1.3)
Indicator Removal: Clear Network Connection History and Configurations (v1.0→v1.1)
Indicator Removal: Clear Windows Event Logs (v1.2→v1.3)
Ingress Tool Transfer (v2.2→v2.3)
Inhibit System Recovery (v1.2→v1.3)
Input Capture: Keylogging (v1.1→v1.2)
Inter-Process Communication: Dynamic Data Exchange (v1.2→v1.3)
Lateral Tool Transfer (v1.2→v1.3)
Masquerading (v1.5→v1.6)
Masquerade Task or Service (v1.1→v1.2)
Match Legitimate Name or Location (v1.1→v1.2)
Modify Authentication Process: Multi-Factor Authentication (v1.0→v1.1)
Modify Cloud Compute Infrastructure (v1.1→v1.2)
Modify Registry (v1.3→v1.4)
Native API (v2.1→v2.2)
Network Service Discovery (v3.0→v3.1)
Network Share Discovery (v3.1→v3.2)
Network Sniffing (v1.4→v1.5)
Non-Application Layer Protocol (v2.2→v2.3)
OS Credential Dumping: LSASS Memory (v1.2→v1.3)
OS Credential Dumping: NTDS (v1.1→v1.2)
OS Credential Dumping: Security Account Manager (v1.0→v1.1)
Obfuscated Files or Information (v1.4→v1.5)
Embedded Payloads (v1.0→v1.1)
HTML Smuggling (v1.0→v1.1)
Phishing (v2.3→v2.4)
Spearphishing Link (v2.4→v2.5)
Phishing for Information (v1.2→v1.3)
Spearphishing Link (v1.4→v1.5)
Process Discovery (v1.3→v1.4)
Process Injection: Dynamic-link Library Injection (v1.2→v1.3)
Process Injection: Process Hollowing (v1.2→v1.3)
Reflective Code Loading (v1.0→v1.1)
Remote Access Software (v2.1→v2.2)
Remote Service Session Hijacking: RDP Hijacking (v1.0→v1.1)
Remote Services (v1.3→v1.4)
Distributed Component Object Model (v1.2→v1.3)
Remote Desktop Protocol (v1.1→v1.2)
SMB/Windows Admin Shares (v1.1→v1.2)
SSH (v1.1→v1.2)
Windows Remote Management (v1.1→v1.2)
Remote System Discovery (v3.4→v3.5)
Resource Hijacking (v1.3→v1.4)
Scheduled Task/Job: At (v2.0→v2.1)
Scheduled Task/Job: Scheduled Task (v1.3→v1.4)
Scheduled Task/Job: Systemd Timers (v1.1→v1.2)
Shared Modules (v2.1→v2.2)
Software Deployment Tools (v2.1→v2.2)
Subvert Trust Controls: Install Root Certificate (v1.1→v1.2)
System Binary Proxy Execution: Rundll32 (v2.1→v2.2)
System Network Configuration Discovery (v1.5→v1.6)
System Owner/User Discovery (v1.4→v1.5)
System Services: Service Execution (v1.1→v1.2)
Taint Shared Content (v1.3→v1.4)
Trusted Developer Utilities Proxy Execution: MSBuild (v1.2→v1.3)
Unsecured Credentials: Credentials In Files (v1.1→v1.2)
Unsecured Credentials: Credentials in Registry (v1.0→v1.1)
Use Alternate Authentication Material: Pass the Hash (v1.1→v1.2)
Valid Accounts: Cloud Accounts (v1.5→v1.6)
Valid Accounts: Domain Accounts (v1.3→v1.4)
Valid Accounts: Local Accounts (v1.3→v1.4)
Windows Management Instrumentation (v1.3→v1.4)

Патчи

Cloud Service Discovery (v1.3) — Event Triggered Execution: PowerShell Profile (v1.1)
Forge Web Credentials: SAML Tokens (v1.2)
Forge Web Credentials: Web Cookies (v1.1)
Masquerading: Masquerade File Type (v1.0)
Masquerading: Rename System Utilities (v1.1)
OS Credential Dumping: Cached Domain Credentials (v1.0)
Replication Through Removable Media (v1.2)
Steal Application Access Token (v1.2)
Steal Web Session Cookie (v1.2)
System Binary Proxy Execution: Compiled HTML File (v2.1)
Use Alternate Authentication Material: Application Access Token (v1.5)
Use Alternate Authentication Material: Web Session Cookie (v1.3)

✅ Добавлено 14 новых ПО и обновлено более 40 существующих ПО

Новое ПО

ANDROMEDA (v1.0)
AsyncRAT (v1.0)
BADHATCH (v1.0)
Disco (v1.0)
KOPILUWAK (v1.0)
NightClub (v1.0)
Pacu (v1.0)
QUIETCANARY (v1.0)
QUIETEXIT (v1.0)
RotaJakiro (v1.0)
Sardonic (v1.0)
SharpDisco (v1.0)
Snip3 (v1.0)
ngrok (v1.2)

Крупные изменения в версии

OSX_OCEANLOTUS.D (v2.2→v3.0)
Uroburos (v1.0→v2.0)

Незначительные изменения в версии

AdFind (v1.2→v1.3)
Agent Tesla (v1.2→v1.3)
Arp (v1.1→v1.2)
BITSAdmin (v1.3→v1.4)
BlackEnergy (v1.3→v1.4)
BloodHound (v1.4→v1.5)
Cobalt Strike (v1.10→v1.11)
Conti (v2.1→v2.2)
CrossRAT (v1.1→v1.2)
Dridex (v2.0→v2.1)
Emotet (v1.4→v1.5)
Empire (v1.6→v1.7)
Fysbis (v1.2→v1.3)
GoldMax (v2.1→v2.2)
Imminent Monitor (v1.0→v1.1)
Impacket (v1.4→v1.5)
KillDisk (v1.1→v1.2)
LaZagne (v1.4→v1.5)
Mimikatz (v1.7→v1.8)
NETWIRE (v1.5→v1.6)
Net (v2.4→v2.5)
Nltest (v1.1→v1.2)
OSX/Shlayer (v1.3→v1.4)
Ping (v1.3→v1.4)
PsExec (v1.4→v1.5)
Pupy (v1.2→v1.3)
Ragnar Locker (v1.1→v1.2)
Regin (v1.1→v1.2)
Revenge RAT (v1.1→v1.2)
Rubeus (v1.0→v1.1)
Ryuk (v1.3→v1.4)
TrickBot (v2.0→v2.1)
WarzoneRAT (v1.0→v1.1)
certutil (v1.3→v1.4)
esentutl (v1.2→v1.3)
jRAT (v2.1→v2.2)
netstat (v1.1→v1.2)
njRAT (v1.4→v1.5)

Патчи

BlackCat (v1.0)
Calisto (v1.1)
Carbanak (v1.1)
Doki (v1.0)
Industroyer (v1.1)
LockerGoga (v2.0)
PUNCHBUGGY (v2.1)
PUNCHTRACK (v1.1)
PowerSploit (v1.6)

✅ Добавлено 5 новых группировок и обновлено 17 существующих группировок

Новые группировки

FIN13 (v1.0)
MoustachedBouncer (v1.0)
Scattered Spider (v1.0)
TA2541 (v1.0)
Volt Typhoon (v1.0)

Крупные изменения в версии

APT29 (v4.0→v5.0)
FIN7 (v2.2→v3.0)
FIN8 (v1.3→v2.0)
Indrik Spider (v2.1→v3.0)
Turla (v3.1→v4.0)
Wizard Spider (v2.1→v3.0)

Незначительные изменения в версии

APT32 (v2.6→v2.7)
Confucius (v1.0→v1.1)
Dragonfly (v3.1→v3.2)
LAPSUS$ (v1.1→v1.2)
Magic Hound (v5.1→v5.2)
Sandworm Team (v3.0→v3.1)
SilverTerrier (v1.1→v1.2)

Патчи

APT37 (v2.0)
Ajax Security Team (v1.0)
Darkhotel (v2.1)
Kimsuky (v3.1)

✅ Добавлено 3 новых хакерских кампаний и обновлена 1 существующая

Новые кампании

2015 Ukraine Electric Power Attack (v1.0)
C0026 (v1.0)
C0027 (v1.0)

Незначительные изменения в версии

Operation Dream Job (v1.0→v1.1)

Эти обновления позволили нам улучшить работу модуля и обеспечить более высокий уровень безопасности против постоянно меняющихся методов и тактик злоумышленников. Также хотим заметить, что не ориентируемся только на MITRE ATT&CK. Мы постоянно следим за современными тенденциями кибербезопасности и развиваем контент в наших модулях для контроля актуальных угроз, независимо от выхода обновлений MITRE. Наша цель — обеспечить максимальную защиту данных и информационных ресурсов наших клиентов, поэтому мы всегда готовы к быстрым изменениям и адаптации к новым угрозам.

Если вас заинтересовал модуль, вы можете рассчитать персонализированную стоимость с помощью нашего открытого калькулятора.

Рассчитать стоимость